The synchronization of the time interval for pairwise key negotiation is critical. However,
the authors of Ref. [ZSJ] give no hint on how the nodes should know when this time
interval starts, whether there should be a signal, and, if so, what should happen if a node
misses this signal or “sleeps” during the interval. It is clear that if any node is compromised
before erasure of $K_I$, the approach fails to provide protection against disclosure of
pairwise-shared keys.
It does not become clear what the purpose of the random value (nonce) in the
pairwise-shared key establishment dialog is. Pairwise-shared keys are only established
during $T_{\min}$, and most probably all neighbors will answer the first message anyway
(including the same nonce from this message). This random value is not even included in
the computation of $K_{u,v}$, so the only thing it can defend against is an attacker
that sends replayed replies during $T_{\min}$, but these would not result in additional
storage of keys $K_{u,v}$ or in anything other than having to parse and discard these replays.
The cluster key establishment protocol does not allow a node to check the authenticity
of the received key, as every attacker could send some binary data that are decrypted
to “something.” This would overwrite an existing cluster key $K_u$ with garbage, leading
to a DoS vulnerability. By appending a MAC, this could be avoided. However,
additional replay protection would be required in this case to avoid overwriting with
old keys.
Furthermore, after expiration of the initial time interval $T_{\min}$, it is no longer possible
to establish pairwise-shared keys among neighbors, so that the LEAP approach does not
support later addition/exchange of sensor nodes.
In , Eschenauer and Gligor proposed a “probabilistic key management scheme” [EG] that
is based on the simple observation that on the one hand, sharing one key K G among all sensors leads
to weak security, and on the other hand, sharing individual keys K i , j among all nodes i , j requires
too many keys in large sensor networks ( n
n keys for n nodes). he basic idea of probabilistic key
management is to randomly give each node a so-called key ring containing a relatively small number
of keys from a large key pool, and to let neighboring nodes discover the keys they share with each
other. By properly adjusting the size of the key pool and the key rings, a “sufficient” degree of “shared
keyconnectivity”foragivennetworksizecanbeattained.
The basic scheme published in Ref. [EG] consists of three phases:
Key predistribution
Shared-key discovery
Path key establishment
The key predistribution consists of five steps that are processed offline. First, a large key pool P
with about   to   keys and accompanying key identifiers is generated. Then, for each sensor, k keys
are randomly selected out of P without replacement to establish the sensor's key ring. Every sensor
is loaded with its key ring comprising the selected keys and their identifiers. Furthermore, all sensor
identifiers and the key identifiers of their key rings are loaded into a controller node. Finally, a shared
key for secured communication with each sensor s is loaded into the controller node ci, according
to the following rule: If $K_1, \ldots, K_k$ denote the keys on the key ring of sensor s, the shared key
$K_{ci,s}$ is computed as

$$K_{ci,s} := E(K_1 \oplus \cdots \oplus K_k,\ ci)$$

The main purpose of the key predistribution is to enable any two sensor nodes to identify a common
key with a certain probability. This probability, that two key rings $KR_1$, $KR_2$ share at least one
common key, can be computed as follows:

$$\Pr(KR_1 \,\&\, KR_2 \text{ share at least one key}) = 1 - \Pr(KR_1 \,\&\, KR_2 \text{ share no key})$$
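The following added example (not from the book or from Ref. [EG]) runs the offline key-ring draw and the shared-key discovery step, and compares the measured share probability with the complement rule above. The pool and ring sizes are illustrative assumptions, and the closed form used for Pr(share no key), C(|P|-k, k) / C(|P|, k), is the standard count for two independently drawn k-subsets rather than a formula quoted from this page.

```python
import math
import random
import secrets

def make_key_pool(pool_size):
    """Offline step: key pool P as {key identifier: 128-bit key}."""
    return {kid: secrets.token_bytes(16) for kid in range(pool_size)}

def draw_key_ring(pool, k, rng):
    """Offline step: k keys drawn from P without replacement."""
    return {kid: pool[kid] for kid in rng.sample(range(len(pool)), k)}

def shared_key_ids(ring_a, ring_b):
    """Shared-key discovery: neighbours compare key identifiers only."""
    return sorted(ring_a.keys() & ring_b.keys())

def p_share_exact(pool_size, k):
    """1 - Pr(no common key) = 1 - C(|P|-k, k) / C(|P|, k).

    math.comb returns 0 when k > |P|-k, so 2k > |P| gives probability 1.
    """
    return 1 - math.comb(pool_size - k, k) / math.comb(pool_size, k)

def p_share_simulated(pool_size, k, trials, seed=1):
    """Fraction of random ring pairs that discover at least one common key."""
    # Seeded PRNG only to make the simulation repeatable; a real
    # predistribution tool would draw rings with a CSPRNG.
    rng = random.Random(seed)
    pool = make_key_pool(pool_size)
    hits = 0
    for _ in range(trials):
        ring_a = draw_key_ring(pool, k, rng)
        ring_b = draw_key_ring(pool, k, rng)
        hits += bool(shared_key_ids(ring_a, ring_b))
    return hits / trials

if __name__ == "__main__":
    # (pool size, ring size) pairs are constructed sample parameters.
    for pool_size, k in [(1000, 10), (1000, 30), (10000, 75)]:
        exact = p_share_exact(pool_size, k)
        measured = p_share_simulated(pool_size, k, trials=2000)
        print(f"|P|={pool_size:6d} k={k:3d} exact={exact:.3f} simulated={measured:.3f}")
```

Growing the ring size k at a fixed pool size raises connectivity, but it also raises the fraction of the pool an attacker learns from each captured node, which is the trade-off behind "properly adjusting" the two sizes.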