Image Processing Reference
In-Depth Information
To establish a cluster key with all its immediate neighbors, a node randomly generates a cluster
key
K
u
and sends it individually encrypted to all neighbors
v
,
v
, ...:
K
u
,
v
i
,
K
u
u
→
v
i
∶
E
(
)
All nodes
v
i
decrypt this message with their pairwise-shared key
K
u
,
v
i
and store the obtained cluster
key. When a node is revoked, a new cluster key is distributed to all remaining nodes.
If a node
u
wants to establish a pairwise-shared key with a node
c
that is multiple hops away, it can
do so by using other nodes known to it as proxies. To detect suitable proxy nodes
v
i
,
u
broadcasts a
query message with its own node id and the node id of
c
. Nodes
v
i
knowing both nodes
u
and
c
will
answer to this message:
u
→∗∶
u
∣
c
v
i
→
u
∶
v
i
Assuming that node
u
has received
m
answers, it then generates
m
shares
sk
, ...,
sk
m
of the secret
key
K
u
,
c
to be established with
c
and sends them individually over the appropriate nodes
v
i
:
u
→
v
i
∶
E
(
K
u
,
v
i
,
sk
i
)∣
f
(
sk
i
,
)
v
i
→
c
∶
E
(
K
v
i
,
c
,
sk
i
)∣
f
(
sk
i
,
)
The value
f
allows the nodes
v
i
and
c
to verify if the creator of such a message actually knew
the key share
sk
i
, as otherwise it would not have been able to compute this value (the function
f
needs to be a one-way function for this to be secure). After receiving all values
sk
i
,node
c
computes
K
u
,
c
(
sk
i
,
)
sk
m
.
To establish a new group key
K
g
,thebasestation
s
randomly generates a new key and sends it
encrypted with its own cluster key to its neighbors:
∶=
sk
⊕⋯⊕
K
s
,
K
g
s
→
v
i
∶
E
(
)
All nodes receiving such a message forward the new group key encrypted with their own cluster key
to their neighbors.
Node revocation is performed by the base station and uses μTESLA. All nodes, therefore, have to
be preloaded with an authentic initial key
K
, and loose time synchronization is needed in the sensor
network. To revoke a node
u
,thebasestation
s
broadcasts the following message in time interval
T
i
using the μTESLA key
K
i
valid for that interval:
K
′
g
,
K
′
g
,
s
→∗∶
u
∣
f
(
)∣
MAC
(
K
i
,
u
∣
f
(
))
K
′
g
,
The value
f
later on allows all nodes to verify the authenticity of a newly distributed group
key
K
′
g
. .This revocation becomes valid after disclosure of the TESLA key
K
i
.
A couple of remarks to some security aspects of LEAP have to be mentioned at this point:
(
)
•
As every node
u
knowing
K
I
may compute the master key
K
v
of every other node
v
,
there is little additional security to be expected from distinguishing between these dif-
ferent “master keys.” Especially, all nodes need to hold
K
I
during the discovery phase to
be able to compute the master keys of answering nodes. he authors of Ref. [ZSJ] give
no reasoning for why they think that this differentiation of master keys should attain any
additional security. As any MAC construction should not leak information about
K
I
in
a message authentication code
MAC
(
K
I
,
r
u
∣
v
)
,itishardtoseeanybeneitinthis(isit
“crypto snake oil”?).
