Professional Documents
Culture Documents
SECURITY IN WIRELESS
MOBILE AD HOC AND SENSOR NETWORKS
Availability
ABSTRACT the capability to operate under node failures and
attacks. On the other hand, security encompass-
In this article, we present a study of the es the aspects of confidentiality, authentication,
Authentication Integrity
design of secure and survivable wireless sensor and integrity of the application information.
networks (WSN) that has yet to be addressed in Obviously, security and survivability in a WSN
the literature. Our goal is to develop a frame- face many common challenges ranging from
work that provides the security and survivability the wireless nature of communications, resource
features that are crucial to applications in a limitations on sensor nodes, very large and dense
Security and survivability mechanisms and techniques
WSN, because WSNs are vulnerable to physical networks, and unknown network topology prior
and network-based security attacks, accidents, to deployment to the high risk of physical
Detection and response: and failures. To achieve such a goal, we first attacks on unattended sensors. More important-
Using signal processing and examine the security and survivability require- ly, these two factors may couple with each other.
pattern recognition schemes
ments. We then propose a security and surviv- With the popularity of the WSN as an emerging
ability architecture in a WSN with wireless technology, there is a need to study the
heterogeneous sensor nodes. To understand the coupling between survivability and security and a
interactions between survivability and security, need to create design strategies consistent with
The authors present we also design and analyze a key management
scheme. The results of the experiment show that
both sets of requirements for a WSN.
In this article, we present a comprehensive
a study of the design a good design can improve both security and study of security and survivability for WSN. Our
survivability of a WSN; however, in some situa- goal is to develop a framework for a WSN that
of secure and tions, there is a trade off between security and provides security and survivability measures that
survivability. are available for critical services in spite of phys-
survivable wireless ical and network-based security attacks, acci-
sensor networks INTRODUCTION dents, or failures. To achieve this goal, we first
study the requirements of both security and sur-
(WSN) that has yet A wireless sensor network (WSN) consists of
battery-operated sensor devices with computing,
vivability. We then present a general architec-
ture for a WSN with heterogeneous sensor
to be addressed in data processing, and communicating compo- nodes. With the architecture, we identify metrics
nents. In a WSN, the sensor nodes can be that quantify the performance of a WSN. We
the literature. Their deployed in controlled environments, such as also address the issues of the interaction between
factories, homes, or hospitals. They also can be security and survivability for a WSN. For
goal is to develop a deployed in uncontrolled environments, such as instance, node failures or coordinated
disaster or hostile areas or in a particular battle- physical/cyber attacks on sensor nodes result in
framework that field, where monitoring and surveillance is cru- security breaches and impact the WSN perfor-
provides the security cial. Clearly, security in a WSN is extremely
important for both controlled environments
mance simultaneously. Similarly, a security
attack compromising network components (e.g.,
and survivability (e.g., health-care, automation in transportation, sensor node or cluster head) could affect the
etc.) and uncontrolled and hostile environments network survivability techniques. On the other
features that are (e.g., environmental monitoring, military com- hand, a survivability strategy for restoring the
mand and control, battlefield monitoring, etc.). performance very likely could be inconsistent
crucial to Moreover, the majority of the WSN applications with the security requirements. As a case study,
should be run continuously and reliably without we investigate a distributed key management
applications interruption. Hence, survivability also should be scheme for a WSN with heterogeneous sensor
in a WSN taken into account in developing a WSN.
In the design of secure and survivable WSNs,
nodes.
The remainder of this article is organized as
survivability implies that networks should have follows. We first discuss the requirements of
applications require
Confidentiality Authentication Integrity Secure management
the WSN to be
operating in un
controlled environ- Security and survivability mechanisms and techniques
Class I the most powerful nodes, in terms of A KEY MANAGEMENT STUDY During the key
communication range, node processing capabili-
ty, and energy level. Particularly, in terms of Key management is one of the most important distribution
communication range, we assume a bidirectional prevention and protection schemes for security
link between any two nodes. Let r i denote the mechanisms of a WSN. To provide secure com- procedure, a number
communication range of Class i nodes; we always munications for the WSN, all the messages
have r m < r n if m < n. Therefore, if a Class m should be encrypted and authenticated. Conse- of factors must be
node is within the range of a direct communica- quently, security solutions for such applications
tion link of a Class n node, the Class m node depend on the existence of strong and efficient considered, including
might require multiple links to reach the Class n
node if m < n. The heterogeneity of the sensor
key distribution mechanisms for uncontrolled
environments of the WSN. We illustrate how to
the probability that
nodes are distributed in the WSN, with p i the design an effective key management framework adjacent nodes can
percentage of the Class i nodes, and p1 + p2 + under the general heterogeneous WSN architec-
+ p I = 1. Here it is important to notice ture. It also is important to address the reliabili- share a common
the fundamental difference between the hetero- ty issue in the design of a key management
geneous WSN assumed in this article and the scheme. Energy conservation is a critical issue in key, the resilience of
hierarchical WSN in [6, 7]. In the hierarchical a WSN because batteries are the only limited-
WSN, the base stations (or cluster supervisors) life energy source to power the sensor nodes. the network when it
are centralized nodes, and more importantly,
they are acting like key distribution centers. By
The key management schemes designed for
WSNs should be energy aware and efficient.
is under attack, and
contrast, in the heterogeneous WSN, except that Obviously, using a single shared key in the importantly, the
the higher class nodes are more powerful in whole WSN is not a good idea because an adver-
terms communication range, node capability, sary can easily obtain the key. Therefore, as a nature of the
and energy level, the communications between fundamental security service, pairwise key estab-
all different classes of nodes are still peer-to- lishment is used, which can enable the sensor heterogeneity.
peer and distributed. nodes to communicate securely with each other
using cryptographic techniques. However, due to
THE SECURITY AND SURVIVABILITY METRICS resource constraints on sensor nodes, it is not
The security requirements and services can be feasible for sensors to use traditional pairwise,
described by the following metrics: scalability, key establishment techniques, such as public key
efficiency, resilience, and reliability. Scalability cryptography and key distribution centers [3, 8].
is the ability to support a large number of wire- Instead, sensor nodes can use pre-distributed
less sensor nodes in the network. The security keys directly or use keying materials to dynami-
mechanisms must support a large network and cally generate pairwise keys. In such a case, the
must be flexible against a substantial increase main challenge is to find an efficient way of dis-
in the size of the network even after deploy- tributing keys and keying materials to sensor
ment. Efficiency is the consideration of storage, nodes prior to deployment.
processing, and communication limitations on The key generation in heterogeneous dis-
sensor nodes. Resilience is about the resistance tributed WSNs here is based on our previous
against node capture. Compromise of security work [3, 4]. It is similar to the key-pool based
credentials, which are stored on a sensor node random key distribution [9] and the polynomial-
or exchanged over radio links, should not based key pre-distribution protocol [10] and is
reveal information about security of any other inspired by the approaches of [11]. We consider
links in the WSN. Higher resilience means a that there are three steps in the framework to
lower number of compromised links. Reliability establish pairwise keys between the sensor nodes:
is the capability to keep the functionality of the initialization, direct key set up, and path key set
WSN even if some of the sensor nodes fail. up. The initialization step is performed to initial-
The survivability concerns can be provided with ize the sensors by distributing polynomial shares
the design goals of scalability, efficiency, key to them, with the consideration of the hetero-
connectivity, resilience, and reliability. Key con- geneity of the sensor nodes. The direct key set-
nectivity is the probability that two or more up step is for any two nodes trying to establish a
sensor nodes store the same key or keying pairwise key, in which they always first attempt
material. Sufficient key connectivity must be to do so through direct key establishment. If the
provided for a WSN to perform its intended second step is successful, there is no need to
functionality. start the third step. Otherwise, these sensor
nodes may start the path key set-up step, trying
TOWARD SECURE AND SURVIVABLE WSN to establish a pairwise key with the help of other
sensors. During the key distribution procedure, a
To understand the interaction between surviv- number of factors must be considered, including
ability and security of our WSN architecture the probability that adjacent nodes can share a
with heterogeneous sensor nodes, we conduct a common key, the resilience of the network when
case study for the key management scheme. Our it is under attack, and importantly, the nature of
study shows that the WSN can achieve higher the heterogeneity.
key connectivity and higher resilience with our
proposed key management scheme, with a small UNDERSTANDING THE INTERACTION BETWEEN
percentage of heterogeneous nodes that have
reasonable storage, processing, and communica- SURVIVABILITY AND SECURITY
tion capabilities. We also can show the trade off Based on the discussion in the previous section,
between the reliability and the security in some we can see that our new key generation scheme
examples. is essentially different from most existing
connectivity must be
schemes in that the heterogeneity features now node X, K 2 with node Y, and K 1 and K 3 with
provided for a WSN can be taken into account. To illustrate the node Z, respectively. In this example, node A is
to perform its advantages of the new scheme, we consider a
typical heterogeneous WSN that is established to
connected to the network through three differ-
ent keys: K1, K2, and K3. In such a case, if node
intended collect data in a distributed scenario. In this sce- A wants to submit new information to the sink
nario, a sensor node submits its observation to a node, first it can randomly select a key from K1
functionality. sink node (or sink nodes, depending on the con- to K 3 ; then it can randomly select a neighbor
figuration of the network) through the sensor node that shares the same key with it. For exam-
network in a hop-by-hop manner, as shown in ple, in Fig. 2b, if K1 is chosen as the key, nodes
Fig. 2a, in which there are two classes of sensor X and Z can be randomly selected. In this man-
nodes, in addition to the sink node. ner, we can see that the communication is more
Since the high-class nodes have a larger trans- resilient, while the connectivity also can be
mission range, it is natural that a low-class node maintained.
tends to utilize the link between itself and a To understand the behavior of the previous
high-class node to submit the observations. For key management scheme, we conducted an
example, in Fig. 2a, Class-One, node A tends to extensive quantitative study to evaluate its per-
use the path, A-X-Sink, to submit its report, formance, in terms of key connectivity, reliabili-
instead of passing the message by all Class-One ty, and resilience. In our experiments, we
nodes, A-B-C-Sink. Clearly, a high-class node is consider a small area of the WSN that consists
more likely be chosen as the next-hop neighbor of 100 C 1 nodes and a number of C 2 nodes,
of nearby low-class nodes to forward data. Con- denoted as N2. We also assume that the size of
sequently, in this heterogeneous sensor network, the key pool is 20,000, and the number of keys
the connectivity between a low-class node and a in any C2 node is fixed at 1000.
high-class node is more important than the con-
nectivity between two low-class nodes. Reliability of the New Schemes: Key Connectivity of the
We now design a special key management New Schemes in Normal Conditions According to
scheme within the new framework for the previ- the definition, key connectivity is the probability
ous scenario. Specifically, we consider that there that two or more sensor nodes store the same
are two classes of the heterogeneous sensor key. Obviously, enough key connectivity must be
nodes (i.e., I = 2). To simplify the discussion, we provided for a WSN to perform its intended
also assume that there is only one group, denot- functionality. Figure 3a shows the connectivity of
ed as group 0, in the network. the proposed scheme versus the number of keys
The special key management scheme is a key- in a C 1 node with a different number of C 2
pool based key distribution scheme. In this nodes. First, we can observe that the connectivi-
scheme, we denote C 1 as the class of the less ty can increase with the increase of the number
powerful sensor nodes and denote C 2 as the of keys. For a fixed number of keys in each C 1
class of the more powerful sensor nodes. We node, we can see that a small increase of the
consider that a C2 node X is in the neighborhood number of C 2 nodes can significantly increase
of a C1 node A if A can directly receive the mes- the connectivity, especially when the number of
sage from X. Because the transmission range of keys in a C 1 node is small to medium. From
A is less than the transmission range of X, A another perspective, we can see that to achieve a
might be required to send messages to B through specific connectivity, the number of keys that
a multihop path. We define that a C 1 node is must be stored in each C1 node can be decreased
connected to the network if it shares at least one with the increase of N2. For instance, if the con-
key with C 2 nodes in its neighborhood. We then nectivity is 0.99, about 90 keys are required for
define the key connectivity as the probability N2 = 1, about 45 keys are required for N2 = 2,
that a C1 node is connected to the network. For and about 30 keys are needed for N2 = 3.
simplicity, we consider only the direct key set up To highlight the impact of the number of C2
between a C1 and adjacent C2 nodes. nodes, we demonstrate in Fig. 3b the probability
An example of this scheme is illustrated in distribution of the number of shared keys with
Fig. 2b, where node A is a C1 node and node X, different N 2 . In this example, we assume the
Y, and Z are C 2 nodes. In this example, nodes number of keys in each C 1 node is 50. We can
X, Y, and Z are the only C 2 neighbor nodes of observe that with the increase of N2, the shape
node A. In addition, node A shares key K1 with of the distribution tends to shift to the right,
1 0.3
0.9 0.25
0.8 0.2
Connectivity
Probability
0.7 0.15
0.6 0.1
0.5 0.05
N2 = 1 N2 = 1
N2 = 2 N2 = 2
N2 = 3 N2 = 3
0.4 0
0 20 40 60 80 100 120 140 160 180 200 0 5 10 15 20 25 30
Number of keys in each class-one node Number of shared keys
(a) (b)
Figure 3. Connectivity of the key-pool based scheme in normal conditions: a) impact of number of keyes in a C1 node; b) distribution
of shared keys (50 keys per C1 node).
1 1
0.99 0.99
0.98 0.98
0.97 0.97
Unaffected ratio
Unaffected ratio
0.96 0.96
0.95 0.95
0.94 0.94
0.93 0.93
0.92 0.92
N2 = 1 M1 = 30
0.91 N2 = 2 0.91 M1 = 45
N2 = 3 M1 = 90
0.9 0.9
0 5 10 15 20 0 5 10 15 20
Number of compromised C1 nodes Number of compromised C1 nodes
(a) (b)
which implies that a C 1 node can share more our scheme, a C 1 node can still transmit data
keys with neighboring C 2 nodes; and with the securely to C 2 nodes even if some of the keys
increasing of the shared keys, the network are compromised. For example, if K1 is the only
becomes more reliable. key that is compromised, we can see that node A
still has a 66 percent chance to forward the data
Resilience of the New Schemes: Key Connectivity of the to any one of the C2 nodes (with K2 or K3). This
New Schemes in Attack Conditions To evaluate the phenomenon can be observed clearly from Fig.
resilience of the new schemes, we study the per- 4a, where we find that a high percentage of
formance of the sensor network when some C1 secured communications still can be maintained
nodes are compromised. Here we assume that even if a large number of C 1 nodes have been
C 2 nodes are more tamper resistant. In Fig. 4a compromised. Moreover, we can see that more
we consider the scenario in which the keys per C 2 nodes can help to increase the fraction of
C1 node are selected in a manner such that the unaffected communications, given the same
network connectivity is 99 percent under normal number of compromised C1 nodes.
conditions. We also assume that the compro- In Fig. 4b, we consider scenarios in which we
mised C 1 nodes cannot be detected. In such a fix N 2 = 3 and let M 1 be 30, 45, and 90, where
scenario, the data transmission from an unaffect- M1 is the number of keys that can be stored in a
ed C1 node may be eavesdropped on by a nearby C1 node. In this case, M1 = 30 can represent the
compromised node. Therefore, it is important to lowest reliability because the connectivity of the
study the percentage of communications that are network will be less than 99 percent if one C 2
not affected. From Fig. 2 we can see that with node fails. At the other extreme, we notice that
Comp. and Commun. Sec., Oct. 2003. 2003. In 2004 and 2005, he was a postdoctoral research
associate in the Department of Electrical and Computer
BIOGRAPHIES Engineering, University of Florida. Currently, he is an assis-
tant professor in the Department of Electrical and Comput-
YI QIAN (yqian@ece.uprm.edu) received a Ph.D. degree in
er Engineering, at the University of Puerto Rico at
electrical engineering from Clemson University. He is an
Mayagez (UPRM). His research interests include architec-
assistant professor in the Department of Electrical and
ture and protocols design for computer and communica-
Computer Engineering at the University of Puerto Rico at
tion networks, performance analysis, network security, and
Mayagez (UPRM). His current research interests include
wireless communications.
network security, network design, network modeling, simu-
lation, and performance analysis for next generation wire-
less networks, wireless sensor networks, broadband DAVID TIPPER (dtipper@mail.sis.pitt.edu) is a graduate of the
satellite networks, optical networks, high-speed networks, University of Arizona (Ph.D. EE, M.S. SIE) and Virginia Tech
and the Internet. Prior to joining UPRM in July 2003, he (B.S.EE). He is an associate professor in the Telecommunica-
worked in the telecommunications industry for several tions and Networking Program with a secondary appoint-
years. ment in the Electrical Engineering Department at the
University of Pittsburgh. His current research interests are
KEJIE LU (lukejie@ece.uprm.edu) received his B.S. and M.S. network design and traffic restoration procedures for surviv-
degrees in telecommunications engineering from Beijing able networks, network control, and performance analysis
University of Posts and Telecommunications, China in 1994 techniques. Prior to joining the University of Pittsburgh in
and 1997, respectively. He received a Ph.D. degree in elec- 1994, he was an associate professor of electrical and com-
trical engineering from the University of Texas at Dallas in puter engineering at Clemson University, South Carolina.