Eighth ACIS International Conference on Software Engineering, Artificial Intelligence, Networking, and Parallel/Distributed Computing
ACKDs: An Authenticated Combinatorial Key Distribution Scheme for
Wireless Sensor Networks
Linchun Li, Jianhua Li, Ling Tie, Jun Pan
Department of Electrical Engineering, Shanghai Jiao Tong University, Shanghai, China
lilinchun@sjtu.edu.cn, lijh888@sjtu.edu.cn
Abstract
In wireless sensor networks, sensor nodes
generally cooperate with each other in collecting
sensing data and in-network processing according to
the group communication model. Key distribution is at
the heart of secure group communications. In this
paper, we present a scalable, efficient and
authenticated scheme for group key distribution. The
proposed scheme is based on a combinatorial
exclusion basis system (EBS) for efficiency and one-
way hash chains for authentication. It guarantees an
authenticated group rekeying procedure and is
efficient in terms of storage, communication and
computation overheads.
1. Introduction
Typically, the wireless sensor networks (WSNs)
consisting of a large number of tiny sensors with
limited resources are deployed in open, hostile,
unattended environments, for a wide variety of
applications, including object tracking, environment
monitoring, smart environments, and so on. For
efficiency, the sensor nodes usually form into groups
(clusters) and perform in-network processing
according to the inherently collaborative nature of
wireless sensor networks, consequently, create needs
for efficient and secure group communications.
Effective solutions for the problem of key
management are essential for the feasibility of secure
group communication in sensor networks. While, the
security of the group key distribution messages, that is,
the confidentiality and authenticity of the distribution
messages, should also be considered as well as the
efficiency. The key distribution messages are usually
encrypted with symmetric cryptography, so the
confidentiality is guaranteed. But the authenticity of
the source of distribution message cannot be verified.
0-7695-2909-7/07 $25.00 © 2007 IEEE
DOI 10.1109/SNPD.2007.107
The group member should be sure that it is definitely
the key management server rather than others who
generate the renewed keys in the distribution messages.
The easy and usual way to solve this problem is to
make the key management server sign the renewed
keys using public key cryptography (PKC). Due to the
computational complexity and communication
overhead of the public key cryptography and the
frequent group rekeying, using PKC for authentication
in wireless sensor networks may be energy consuming,
even though a number of studies [1, 2] focusing on the
energy analysis of PKC have shown that PKC is
feasible to be used in sensor networks.
Mohamed Eltoweissy et al. proposed an EBS-based
group key management scheme in [3], which levers on
exclusion basis system (EBS), a combinatorial
formulation of the group key management problem.
This approach then be put into use for ad hoc and
sensor networks in [4,5,6]. EBS provides a matrix-like
key distribution structure. It stores less number of keys
than LKH tree [7,8] for the multicast group of the
same size. Relation between number of group
members N and parameters k and m is as follows:
C (k + m, k ) ≥ N . The overhead of an optimum EBS
has been proved to be half that of a binary key tree
(refer to [3] for details). It gives very good scalability
of the key distribution scheme compared with previous
approaches for ad hoc and sensor networks, such as
GKMPAN [9]. But as far as we know, these EBS-
based key distribution schemes did not address the
issue of authentication. The security of the key
distribution message is not fully guaranteed. Also, an
original EBS-based key distribution scheme may suffer
from collusion attacks, which is point out by Younis et
al. in [10].
In this paper, we present a lightweight
authentication method for group key distribution in
wireless sensor network based on EBS and one-way
hash chain, which is efficient in terms of storage,
communication and computation overheads. Also, our
262
proposed authenticated combinatorial key distribution
scheme (ACKDs) can reduce the damage of collusion
if there is any as the analysis later shows.
The paper is organized as follows. Section 2 gives
preliminaries for this paper, including networks
assumption and threat model. Section 3 introduces our
scheme in detail through an example of 8-node-size
sensor networks after a brief description of one-way
hash chain and an overview of EBS-based scheme.
Section 4 gives analysis of the proposed scheme. Last,
section 5 offers concluding remarks.
2. Network assumption and threat model
For scalability and efficiency, we adopt a
hierarchical model for WSNs. In this model, a large
number of resource-limited sensor nodes distributed
over an area of interest may statically or dynamically
form a group as in [9, 10]. While group heads, more
resource-rich than sensor nodes, manage group
topology, routing information. The group head also
aggregates data of interest from its member sensor
nodes, and sends it to the base station. They are able to
communicate with the base station (also known as
command node). In addition, we assume that in each
group, the group head is capable of reaching all sensor
nodes within its group via broadcast. The base station
in charge of the network’s mission can be assumed to
pose no restrictions in terms of communication,
computation and storage.
In our network assumption, the base station is the
only authority for key generation. To be secure, though
group header is responsible for the key management of
its group, the exclusion basis system for individual
groups and corresponding keys still have to be
generated by the base station and secretly sent to each
group header. Then the group header will distribute
administrative keys and the group session key to
sensor nodes within its group according to the EBS
canonical matrix.
The wireless nature of WSNs renders the sensor
nodes and group headers exposed to different types of
malicious attack, especially when deployed in hostile
and unattended environments. The various attacks may
range from passive eavesdropping ongoing packet
transmissions to active modifying messages. In this
paper we mainly consider active attacks on WSN. The
adversary may try to modify, fabricate or replay the
key distribution message. In particular, the adversary
will likely compromise devices in WSNs and further
manipulate the sensor networks. This goal can be
achieved in two ways: 1) the adversary can
incrementally aggregate the cryptographic information
263
through compromising sensor nodes and colluding to a
level that allows revealing all cryptographic keys in the
group, since the sensor nodes are usually not tamper-
resistant due to the low cost, and all the information
including the cryptographic keys is revealed when a
node gets compromised; 2) the adversary may directly
attack a group header, and acquire a full acknowledge
of the EBS canonical matrix and according
administrative keys of its group. Then the attacker can
exploit this advantage to evict any legal sensor nodes
in this group and update a group session key, while the
sensor nodes cannot be aware of this. So an
authenticated EBS-based group key distribution
scheme is on demand.
We also assume all the devices in WSNs are
monitored by the intrusion detection system so that the
compromised ones, including sensor nodes and group
header, can be evicted once they are identified.
3. The proposed key distribution scheme
Our authenticated EBS-based group key
distribution scheme inherits the formulation of EBS,
but update keys in a different approach. One-way hash
chain is used. The new administrative key and the old
administrative key will be in the same sequence of
one-way hash chain.
3.1. Implicit Authentication based on One-way
Hash Chain
Hash function takes a binary string of arbitrary
length as input, and outputs a binary string of fixed
length. A one-way function H satisfies the following
properties: (1) given x , it is easy to compute y such
that y = H ( x) ; (2) given y , it is computationally
infeasible to compute x such that y = H ( x) ; (3) given
x, it is computationally infeasible to find y such that
y ≠ x and H ( y ) = H ( x) .
A one-way hash chain is a sequence of hash values
{x n , x n−1 ,..., x j ,..., x1 } such that:
{ x j ∀j : 0 < j ≤ n, x j−1 = H ( x j )} .
Here, x n is randomly selected as a cryptographic
seed, and then the entire chain is computed using the
one-way hash function, where each x j is derived as
x j = H ( x j+1 ) = ... = H n− j ( x n ) . Finally, we can get
x1 = H ( x 2 ) = ... = H n−2 ( x n−1 ) = H n−1 ( x n ) .
Owing to the one-way property of hash function,
one-way hash chain is extensively applied in
authentication, e.g. x1 can be used to verify the
authenticity of its succeeding elements in the chain.
That is, by determining x1 = H i−1 ( x i ) or not, the
membership of x i in the sequence of one-way hash
chain can be verified. This procedure is called implicit
authentication.
3.2. Exclusion basis system (EBS)
An EBS is defined as a collection Γ of subsets of
the set of members [3]. Each subset corresponds to a
key and the elements of a subset A ∈ Γ are the nodes
that have that key. An EBS Γ of dimension (N, k, m)
represents a situation in a secure group where there are
N members numbered 1 through N, and where a key
server holds a distinct key for each subset in Γ . If the
subset Ai is in Γ , then each of the members whose
number appears in the subset Ai knows the distinct
key (provided by the key server) for that subset.
Furthermore, for each t ∈ [1, N ] there are m elements
in Γ whose union is [1, N ] − {t} . From this, it follows
ACK EBS N1 N2 N3 N4 N5 N6 N7 N8 N9 N10
that the key server can evict any member t , re-key,
periodically as well as upon node compromise,
eviction, or addition to maintain secure group
communications in the presence of attacks. Thus,
provide key update to support current, forward and
backward secrecy. More details of the EBS are
referred to [3].
3.3. Authenticated EBS-based group key
distribution
For simplicity of discussion, we consider an
example of a group consisting of 8 sensor nodes.
3.3.1. Constructing an authenticated EBS(8,3,2).
Since C (5,3) = 10 > 8 , an EBS(8,3,2) is constructed.
Among the enumeration of all C(5,3) ways to form a
subset of three keys from five keys, we select 8 to
form a canonical matrix for EBS(8,3,2) as shown in
the un-shadowed part of Table I. The sensor nodes are
numbered from N 1 to N 8 .
B B B B B B B B B B B B B B B B B B B B

KC1 K1 1 0 0 1 0 1 0 1 1 1
and let all remaining members know the replacement
B B B B

KC2 K2 1 0 1 0 1 0 1 0 1 1
keys for the k keys they are entitled to know, by
B B B B

KC3 K3 1 1 0 0 1 1 1 1 0 0
multicasting m messages encrypted by the keys
B B B B

KC4 K4 0 1 1 1 0 0 1 1 1 0
corresponding to the m elements in Γ whose union is
B B B B

KC5 K5 0 1 1 1 1 1 0 0 0 1
[1, N ] − {t} . That is to say, among the dimension (N, k,
B B B B

Table 1. The canonical matrix for EBS(8,3,2) and the

m) of an EBS Γ , N is the total number of group
members, k is the number of keys each member is
entitled to know, and m is the number of messages
multicast by the key server when updating keys to
evict a suspected member.
To construct EBS (N, k, m) for feasible values of N,
k, and m, we employ a canonical enumeration of all
possible ways of forming subsets of k objects from a
set of k+m objects. For any k and m, let Canonical(k, m)
be the canonical enumeration of all C (k + m, k ) ways
to form a subset of k elements from a set of k+m
objects. For the sequence of bit strings in Canonical(k,
m), we form a matrix A, whose C (k + m, k ) columns
are the successive bit strings of length k + m, each with
k ones. “A” is called the canonical matrix for EBS (N,
k, m).
When using an EBS-based group key management
for wireless sensor networks, an EBS-based scheme
can yield optimal results for the number of
administrative keys per sensor node, k, and the number
of re-keying messages, m, according to the group size
N, and consequently create lightweight communication
and computation overhead, and impose relatively low
load on base station and group headers.
Through EBS, the group header can refresh keys
extended portion for new joining node N 9 , N 10
Each sensor node has three administrative keys and
each key corresponds to a subset of sensor nodes in the
group as in table I. In the original EBS, the
administrative keys are randomly generated. While in
our proposed scheme, the administrative keys are
picked up from one-way hash chains.
First, the base station responsible for key
generation randomly generates five keys as seeds of
one-way hash chains: K 1n , K 2n , K 3n , K 4n , K 5n , S n .
Second, five one-way hash key chains of length n
are created as KC i = {K i1 , K i2 ,..., K in−1 , K in } , i = 1, ⋅⋅⋅,5 ,
where { K i j ∀j : 0 < j ≤ n, K i j−1 = H ( K i j )} .
Third, the base station sets the first keys of the five
key chains, K 11 , K 21 , K 31 , K 41 , K 51 as the
administrative keys.
Fourth, the base station generates a group session
key chain as the same way above:
SC = {S 1 , S 2 ,..., S n−1 , S n } .
Last, the base station secretly sends the EBS that
includes the canonical matrix, administrative keys and
S 1 to the group header. In turn, the group header
assigns group session key S 1 and administrative keys
to sensor nodes according to the canonical matrix via

264
secure channels. Hence, the collection of subsets of
EBS(8,3,2) is:
Γ = {K 11 = {1, 4, 6,8}, K 21 = {1,3,5, 7}, K 31 = {1, 2,5, 6, 7,8},
K 41 = {2,3, 4, 7,8}, K 51 = {2,3, 4,5, 6}} ;
where the number in the subset represents the
corresponding sensor node.
3.3.2. Adding a new sensor node to the group. When
a new node, e.g. N 9 , joins the group, since 8 < C (5,3) ,
the first thing the group header should do is to extend
the canonical matrix. According to the theorem in [3],
group header can easily create a new column in the
canonical matrix, distinct from the former eight ones,
by choosing the rest bit string in Canonical(k, m). It is
shown as the bit string under N 9 in the shadowed part
of table I. Thus, N 9 can be added to the group without
changing any administrative keys in the system. Then
the group header requests the next group session key
S 2 from the base station. After that, it generates
following messages:
Message 1: S 1 ( S 2 ) ;
Message 2: SK 9 ( S 2 , K 11 , K 21 , K 41 ) ;
where A( B ) means B is encrypted with A , and
SK 9 is the personal key shared between N 9 and
group header.
First, the group header multicasts new group
session key S 2 encrypted with S 1 to the sensor nodes
within its group. The session key is updated in order to
provide backward secrecy.
Second, the group header unicasts to N 9 the group
session key S 2 and the administrative key that are
entitled to N 9 according to the bit string under N 9 ,
encrypted using its personal key SK 9 .
Upon receiving the multicast message, all the other
sensor nodes decrypt the first multicast message with
S 1 and obtain the new group session key S 2 , then,
they perform hash operation to see whether
H ( S 2 ) = S 1 . If so, it can be concluded that the new
group session key is really distributed from the base
station. The source authentication of group session key
is verified. If not, the key distribution message is
discarded.
While, the new joining node N 9 decrypts the
second message using SK 9 , obtain S 2 and its
administrative keys K 11 , K 21 , K 41 .
When the expanding group size exceeds C (5,3) ,
the relationship C (k + m, k ) ≥ N is broken and new
administrative keys should be added to the system. The
group header will request the base station to extend
current EBS, and assign administrative keys to new
265
node according to the extended EBS. Since this
procedure is the same as the original EBS-based key
distribution scheme, we do not dwell on the operations
in this paper for brevity. Refer to [3] for the detail.
3.3.3. Evicting a sensor node from the group. Our
key distribution scheme can efficiently evict
compromised sensor nodes. Revocation procedure is
triggered after the faulty or compromised sensor nodes
are detected.
The group header will identify which
administrative keys in the EBS are known to the
evicted node and should be revoked, then request
replacement keys from the base station. After receiving
the request message, the base station will identify
which key chains the revoked keys belong to, and
determine the succeeding key in the key chain to be
used to update the revoked key. Then the base station
sends the replacement keys and new group session key
to the group header via secure channel. After receiving
that message, the group header will simply multicast
these new keys encrypted with current administrative
keys that the evicted sensor does not know.
Suppose sensor node N 1 should be evicted. Since
N 1 possesses first keys of KC1 , KC 2 , KC 3 , these keys
have to be updated. Now, the set K 41 ∪ K 51 is the set of
keys known to all members except N 1 , that is,
K 41 ∪ K 51 = [1,8] − {1} . Hence, the keys K 41 and K 51 will
be used to encrypt updating message. The following
messages will be generated for updating administrative
keys K 11 , K 21 , K 31 and distributing new group session
key:
Message 1: K 41 ( S 2 , K 11 ( K 12 ), K 21 ( K 22 ), K 31 ( K 32 )) ;
Message 2: K 51 ( S 2 , K 11 ( K 12 ), K 21 ( K 22 ), K 31 ( K 32 )) .
Since node N 1 does not have the knowledge of
K 41 and K 51 , it cannot decrypt the updating messages
and update its administrative keys and group session
key. Thus, node N 1 is evicted from the group
communication.
Whereas, other sensor nodes, upon receiving
updating messages, can decrypt encrypted message
using K 41 or K 51 , which is known to itself, and get new
group session key S 2 and encapsulated encrypted
administrative keys. We consider node N 5 for
example. After decrypting message using K 51 , it
further decrypts sub-messages using K 21 and K 31
respectively, and gets K 22 , K 32 . Then N 5 performs
hash operations on the new administrative keys to see
whether H ( K 22 ) = K 21 , H ( K 32 ) = K 31 and H ( S 2 ) = S 1 .
If so, N 5 determines that K 22 , K 32 and S 2 are really
distributed from the base station, because the
undisclosed keys in one-hash chains are only known to
the base station. If the equation does not hold, the key
distribution message is discarded. Thus, the source of
updated keys is authenticated.
Now, the collection of subsets of EBS(7,3,2) is:
Γ = {K 12 = {4, 6,8}, K 22 = {3,5, 7}, K 32 = {2,5, 6, 7,8}, K 41 = {2,3,
4, 7,8}, K 51 = {2,3, 4,5, 6}}
4. Analysis
In this section, we analyze the security of the
proposed authenticated combinatorial key distribution
scheme (ACKDs). Our proposed key distribution
scheme is effective in defeating active attacks on
sensor network as follows.
First, if adversaries try to modify an updating
message with fabricated or replayed keys in order to
evict a trustworthy sensor node or replace a spurious
group session key for the original one, the attack will
be frustrated. Because attackers cannot fabricate
subsequent keys in the sequence of one-way hash key
chain to be used to update the revoked key due to the
one-way property. Thus, only the keys from base
station rather than others can prove its authenticity to
sensor nodes.
Second, if compromised nodes within a group
collude to share their administrative keys, our key
distribution scheme can prevent them from further
manipulating the sensor network and limit the
destruction of collusion attack to a minimum extent.
Since the value of m is selected to be relatively small
to reduce the number of re-key messages, there always
exist common administrative keys between any pair of
sensor nodes. As a result, selective compromise and
collusion of certain nodes can reveal all the
administrative keys and group session key at that
session. For example, the collusion of N 1 and N 2 can
reveal all the administrative keys at that session, e.g.
K 11 , K 21 , K 31 , K 41 , K 51 , and S 1 . Then, in the original
EBS-based key distribution scheme, the adversaries
can exploit such information to work as a group header
and control the sensor networks as their will. But they
cannot do further damage if the sensor networks are
secured by ACKDs. The collusion of sensor nodes can
only recover the previously and currently disclosed
keys of one-way hash chains. Any attempt to further
control sensor nodes, such as evicting a node, adding a
new node, etc, will be defeated in the implicit
authentication procedure for they don’t know the rest
keys of one-way hash chains. The active attack of the
coalition only leads to its exposure to the intrusion
detection system responsible for monitoring.
266
Corresponding actions will be taken as soon as
possible to remove this threat, e.g. evict the
compromised sensor nodes using our proposed
ACKDs.
Third, if the adversary directly compromises a
group header and tries to further control the sensor
nodes within the group, the attack will be thwarted in
the same way as above.
Last, ACKDs ensures backward secrecy and
forward secrecy. Through the key distribution process,
the compromised nodes or leaving nodes can be
efficiently evicted and new joining nodes are denied
access to previous communication.
The above analysis shows that those active attacks
always fail because the adversary cannot authenticate
himself to sensor nodes.
Our proposed ACKDs is efficient because no extra
storage and communication overhead is incurred on
sensor side compared with original EBS-based scheme.
In order to verify the authenticity of the updating keys,
each sensor node only needs to perform one extra
computation-efficient hash operation. In our scheme,
the base station is required to generate and store one-
way hash chains in advance. The base station can
afford such operations since it is assumed to be
powerful in terms of communication, computation and
storage.
5. Conclusion
To secure the group communication for wireless
sensor networks, this paper presents an authenticated
combinatorial key distribution scheme (ACKDs) that
aims at providing authenticity of key distribution
messages. The analysis shows that our scheme can
effectively defeat active attacks on the key distribution
message and improve the security of group
communication. The scheme is also lightweight in
terms of storage, communication and computation
overheads. Using one-way hash chain other than PKC
to implement authentication extends the lifetime of
sensor nodes and improves the scalability of sensor
network.
6. References
[1] A. S. Wander, N. Gura, H. Eberle, V. Gupta, and
Sheueling Chang Shantz, “Energy Analysis of Public-Key
Cryptography for Wireless Sensor Networks.” 3rd IEEE
International Conference on Pervasive Computing and
Communication (PerCom 2005).
[2] G. Gaubatz, J. Kaps, and B. Sunar. Public keys
cryptography in sensor networks – revisited. In The
Proceedings of the 1st European Workshop on Security in
Ad-Hoc and Sensor Networks (ESAS), 2004.
[3] M. Eltoweissy, H. Heydari, L. Morales, and H.
Sudborough, “Combiiatorial Opdmization for Group Key
Management, ” Journal of Network and System Management,
Vol. 12, No. 1, March 2004.
[4] M.Eltoweissy, M.Younis, K.Ghumman, “Lightweight
key management for wireless sensor networks, ”
Performance, Computing, and Communications, 2004 IEEE
International Conference on, April 15-17, 2004 Pages:8 13-
818
[5] M. Moharrum, R. Mukkamala, and M. Eltoweissy,
“CKDS: An Efficient Combinatorial Key Distribution
Scheme for Wireless Ad-Hoc Networks”, in Proceedings of
IEEE International Conference on Performance, Computing,
and Communications (IPCCC ‘04), pages 631-636, Phoenix,
Arizona, April 2004.
[6] M. Moharrum, M. Eltoweissy and R. Mukkamala,
“Dynamic combinatorial key management scheme for sensor
networks,” Wireless Communications and Mobile
Computing, 2006; 6:1017–1035
[7] C. K. Wong, M. G. Gouda, and S. S. Lam. “Secure Group
Communications using Key Graphs.” IEEE/ACM
Transactions on Networking, 8(1): 16–30, February 2000.
267
[8] Pavel Korshunov , “Multicast security in ad hoc
networks.” Available online.
[9] S. Zhu, S. Setia, S. Xu, and S. Jajodia, “GKMPAN: An
Efficient Group Rekeying Scheme for Secure Multicast in
Ah-Hoc Networks”, in Proceeding of International
Conference on Mobile and Ubiquitous Systems: Networking
and Services (MOBIQUITOUS ‘04), pages 42-51, Boston,
Massachusetts, USA, August, 2004.
[10] M Younis, K. Ghumman, and M. Eltoweissy, “Key
Management in Wireless Ad Hoc Networks: Collusion
Analysis and Prevention,” 24th IEEE International
Performance Computing and Communications Conference,
Arizona, IPCCC’ 2005, April 2005.
[11] I. F. Akyildiz, W. Su, Y. Sankarasubramaniam, and E.
Cayirci. “Wireless sensor networks: a survey,” Computer
Networks, 38(4): 293–422, March 2002.
[12] T. Park and K. G. Shin. “LiSP: A Lightweight Security
Protocol for Wireless Sensor Networks,” ACM Transactions
on Embedded Computing Systems, 3(3): 634–660., August
2004.
[13] A. Perrig, R. Szewczyk, V. Wen, D. Culler, and J. D.
Tygar. “SPINS: Security suite for sensor networks.” In
Proceedings of the Seventh Annual International Conference
on Mobile Computing and Networking (MOBICOM-01),
pages 189–199, New York, July 16–21 2001. ACM Press.