SECURING WIRELESS SENSOR NETWORKS: A SURVEY Oussalah, Mourad; S. Ould Amara, R. Baghdad

Transcription

1 SECURING WIRELESS SENSOR NETWORKS: A SURVEY Oussalah, Mourad; S. Ould Amara, R. Baghdad Document Version Early version, also known as pre-print Citation for published version (Harvard): S. Ould Amara, R. Baghdad 2013, 'SECURING WIRELESS SENSOR NETWORKS: A SURVEY' EDPACS: the E D P audit, control and security newsletter, pp Link to publication on Research at Birmingham portal General rights Unless a licence is specified above, all rights (including copyright and moral rights) in this document are retained by the authors and/or the copyright holders. The express permission of the copyright holder must be obtained for any use of this material other than for purposes permitted by law. Users may freely distribute the URL that is used to identify this publication. Users may download and/or print one copy of the publication from the University of Birmingham research portal for the purpose of private study or non-commercial research. User may use extracts from the document in line with the concept of fair dealing under the Copyright, Designs and Patents Act 1988 (?) Users may not further distribute the material nor use it for the purposes of commercial gain. Where a licence is displayed above, please note the terms and conditions of the licence govern your use of this document. When citing, please reference the published version. Take down policy While the University of Birmingham exercises care and attention in making items available there are rare occasions when an item has been uploaded in error or has been deemed to be commercially or otherwise sensitive. If you believe that this is the case for this document, please contact UBIRA@lists.bham.ac.uk providing details and we will remove access to the work immediately and investigate. Download date: 04. Jan. 2018

2 This article was downloaded by: [Rachid Beghdad] On: 06 March 2013, At: 12:22 Publisher: Taylor & Francis Informa Ltd Registered in England and Wales Registered Number: Registered office: Mortimer House, Mortimer Street, London W1T 3JH, UK EDPACS: The EDP Audit, Control, and Security Newsletter Publication details, including instructions for authors and subscription information: Securing Wireless Sensor Networks: A Survey Said Ould Amara, Rachid Beghdad & Mourad Oussalah To cite this article: Said Ould Amara, Rachid Beghdad & Mourad Oussalah (2013): Securing Wireless Sensor Networks: A Survey, EDPACS: The EDP Audit, Control, and Security Newsletter, 47:2, 6-29 To link to this article: PLEASE SCROLL DOWN FOR ARTICLE Full terms and conditions of use: This article may be used for research, teaching, and private study purposes. Any substantial or systematic reproduction, redistribution, reselling, loan, sub-licensing, systematic supply, or distribution in any form to anyone is expressly forbidden. The publisher does not give any warranty express or implied or make any representation that the contents will be complete or accurate or up to date. The accuracy of any instructions, formulae, and drug doses should be independently verified with primary sources. The publisher shall not be liable for any loss, actions, claims, proceedings, demand, or costs or damages whatsoever or howsoever caused arising directly or indirectly in connection with or arising out of the use of this material.

3 E D P A C S 2013 SECURING WIRELESS SENSOR NETWORKS: A SURVEY SAID OULD AMARA, RACHID BEGHDAD, AND MOURAD OUSSALAH Abstract. Wireless sensor networks (WSNs) are more widespread in diverse domains (military, medical, etc). So, these networks need a high level of security. However, because of their characteristics, WSN security is, today, the source of several scientific and technical challenges. In this context, lots of work has been realized and most existing security schemes require intensive computation and memory, which are the limiting factors in WSNs. It is very hard to accumulate all requirements in a single security mechanism, as WSNs have severe resources constraints. Before elaborating any security mechanism, it is crucial to take note of all security requirements and the different attacks to which WSNs are exposed as well as the works already realized in this context. This article discusses typical constraints, security goals, threat models, and typical attacks on sensor networks and their defensive techniques or countermeasures relevant to the sensor networks, including security methods. INTRODUCTION Wireless sensor networks (WSNs) consist of hundreds or even thousands of small devices each with sensing, processing, and communication capabilities to monitor the real-world environment. Popular wireless sensor network applications include wildlife monitoring, bushfire response, military command, intelligent communications, industrial quality control, observation of critical infrastructures, smart buildings, distributed robotics, traffic monitoring, examining human heart rates, and so on. The majority of WSNs are deployed in hostile environments with active intelligent opposition. Hence security is a crucial issue. One obvious example is battlefield applications where there is a pressing need for secrecy of location and resistance to subversion and destruction of the network. Less obvious but just as important security dependent applications include [1]: Disasters: In many disaster scenarios, especially those induced by terrorist activities, it may be necessary to protect the location of casualties from unauthorized disclosure. Public Safety: In applications where chemical, biological, or other environmental threats are monitored, it is vital that the availability of the network is never threatened. Attacks causing false alarms may lead to panic responses or even worse, total disregard for the signals. Home Healthcare: In such applications, privacy protection is essential. Only authorized users should be able to query and monitor the network. So, security is a common concern for any network system, but security in WSNs is of great importance, hence they should be equipped with security mechanisms to defend against attacks such as node capture, physical tampering, eavesdropping, denial of service, and so on. Providing security for WSNs represents a rich 6 ª Copyright 2013 Taylor & Francis All rights reserved.

4 2013 E D P A C S field of research problems as traditional security mechanisms with high overhead are not applicable for WSNs. This is because WSNs are limited in resources and their deployment nature is different than usual networks. Typically, a sensor network consists of a large number of tiny sensor nodes and possibly a few powerful control nodes called base stations. Sensor nodes are supplied with limited battery power and they have small memory size and limited computational ability. A typical sensor node processor is of 4 8 MHZ, having 4KB of RAM and 128KB flash [2]. Moreover, WSNs are supported low communication bandwidth. These characteristics of WSN make it vulnerable to lots of security problems and complicate the development of security mechanisms as well. In addition, the unreliable communication channel makes the security defenses even harder. All these security challenges are encouraging new researches to properly address sensor network security form the start and develop security protocols and algorithms suitable for WSNs. The researchers in WSN security have proposed various security schemes (secure and efficient routing protocols, secure data aggregation protocols, etc.), which are optimized for these networks with resource constraints. The remainder of this article is structured as follows: The next section gives an outline on WSN architecture, a brief comparison between WSNs and Ad Hoc networks, and finally focuses on the various security requirements and constraints in WSNs. The section after briefly describes some attacks at different layers and some countermeasures suggested in WSNs. The last section explores the different security mechanisms proposed in order to provide security in WSNs. And finally, this article ends with a conclusion. This article will evolve progressively with the results and the availability of works. Any contribution to the enrichment of this article, with remarks and critiques, will be welcome. WIRELESS SENSOR NETWORKS This section gives an outline on WSN architecture, a brief comparison between WSNs and Ad Hoc networks, and finally focuses on the various security requirements and constraints in WSNs. WSN Architecture (Figure 1) In a typical WSNs we see the following network components [3]: Sensor nodes (Field devices): Field devices are mounted in the process and must be capable of routing packets on behalf of other devices. In most cases they characterize or control the process or process equipment. A router is a special type of field device that does not have process sensor or control equipment and as such does not interface with the process itself. Gateway or Access point: A Gateway enables communication between Host application and field devices. Network manager: A Network Manager is responsible for configuration of the network, scheduling communication between devices (i.e., configuring super frames), management of the routing tables, monitoring and reporting the health of the network. ª Copyright 2013 Taylor & Francis All rights reserved. 7

5 E D P A C S 2013 Figure 1 WSN Architecture. Security manager: The Security Manager is responsible for the generation, storage, and management of keys. WSNs and Ad Hoc Networks While some aspects of WSNs are similar to traditional wireless ad hoc networks, important distinctions exist that greatly affect how security is achieved. The differences between sensor networks ad hoc networks are [4]: The number of sensor nodes in a sensor network can be several orders of magnitude higher than nodes in an ad hoc network. Sensor nodes are densely deployed. Sensor nodes are prone to failures due to harsh environments and energy constraints. The topology of a sensor network changes very frequently due to failures or mobility. Sensor nodes are limited in computation, memory and power resources. Sensor nodes may not have global identification. These differences affect how secure data-transfer schemes are implemented in WSNs. Constraints in WSNs Some of the major constraints of a WSN are: Resource constraints: Sensor nodes have limited resources, including low computational capability, small memory, low wireless communication bandwidth, and a limited, usually not rechargeable, battery [5]. Small message size: Messages in sensor networks usually have a small size compared with other networks. As a result, there is 8 ª Copyright 2013 Taylor & Francis All rights reserved.

6 2013 E D P A C S usually no concept of segmentation in most applications in WSNs [5]. Transmission range: The communication range of sensor nodes is limited both technically and by the need to conserve energy [4]. Addressing schemes: Due to relatively large number of sensor nodes, it is not possible to build a global addressing scheme for deployment of a large number of sensor nodes as the overhead of identity maintenance is high [4]. Security Requirements Before discussing the various possible attacks against WSNs and their countermeasures, the basic security requirements or goals to achieve are very much needed. The goal of security services in WSNs is to protect the information and resources from attacks and misbehavior. The security requirements in WSNs are [4]: Availability: Ensures that the desired network services are available even in the presence of denial of service attacks. Authorization: Ensures that only authorized sensors can be involve in providing information to network services. Authentication: Ensures that the communication from one node to another node is genuine. That is, a malicious node cannot masquerade as trusted network node. Confidentiality: Ensures that a given message cannot be understood by anyone other than the desired recipients. Integrity: Ensures that a message sent from one node to another is not modified by malicious intermediate nodes. Non-repudiation: Denotes that a node cannot deny sending a message it has previously sent. Data-freshness: Implies that the data is recent and ensures that no adversary can replay old messages. Robustness: When some nodes are compromised, the entire network should not be compromised. Self-organization: Nodes should be flexible enough to be self-organizing (autonomous) and self-healing (failure tolerant). Time synchronization: The protocols should be manipulated to produce correct data. Threat Models According to Karlof and Wagner [6], threats in WSNs can be classified into the following categories: Outsider versus insider attacks: The outsider attacks regard attacks from nodes that do not belong to a WSN. An outsider attacker has no access to most cryptographic materials in sensor networks. The insider attacks occur when legitimate nodes of a WSN behave in unintended or unauthorized ways. The inside attacker may have partial key material and the trust of other sensor nodes. Inside attacks are much harder to detect. Passive versus active attacks: Passive attacks are in the nature of eavesdropping on, or monitoring of packets exchanged within a WSN; the active attacks involve some modifications of the data stream or the creation of a false stream in a WSN. ª Copyright 2013 Taylor & Francis All rights reserved. 9

7 E D P A C S 2013 Mote-class versus laptop-class attacks: In mote-class attacks, an adversary attacks a WSN by using a few nodes with similar capabilities as that of network nodes. In laptop-class attacks, an adversary can use more powerful devices like laptops, and so on and can do much more harm to a network than a malicious sensor node. ATTACKS IN WIRELESS SENSOR NETWORKS For securing WSNs, it is necessary to address the attacks and then take countermeasures in order to face these attacks. This section lists and gives a brief discussion about the major attacks against WSNs. Physical Attack This attack is also known as node capture. In this type of attack, attackers gain full control over some sensor nodes through direct physical access [2, 7]. As the cost of sensor nodes must be kept as cheap as possible for WSN, sensor nodes with tamper proofing features are impractical. This is why sensor nodes are susceptible to be physically being accessed. Physical attacks destroy sensors permanently, so the losses are irreversible. For instance, attackers can extract cryptographic secrets, tamper with the associated circuitry, modify programming in the sensors, or replace them with malicious sensors under the control of the attacker. Designing sensor nodes with hardware platform of up to date embedded system security can improve the physical level security. Moreover, monitoring sensor nodes for unusual length of inactivity period and revocation of suspicious node s authentication token are necessary steps those should be taken for securing WSN against physical or node capture attacks. Layering-Based Attacks and Possible Security Approaches Besides physical attacks, adversaries perform a large number of attacks remotely. These attacks take place affecting different networking layers of WSN. This subsection describes some of these well-known attacks. Physical Layer This layer is responsible for frequency selection, carrier frequency generation, signal detection, modulation, and data encryption [6]. As with any radio-based medium, there exists the possibility of jamming and interferences. Jamming: This attack can be done easily by adversaries by only knowing the wireless transmission frequency used in the WSN. A jamming source may either be powerful enough to disrupt the entire network or less powerful and only able to disrupt a smaller portion of the network. The attacker transmits radio signal randomly with the same frequency as the senor nodes are sending signals for communication. The radio signal interferes with other 10 ª Copyright 2013 Taylor & Francis All rights reserved.

8 2013 E D P A C S signal sent by a sensor node and the receivers within the range of the attacker cannot receive any message. Thus, affected nodes become completely isolated as long as jamming signal continues and no messages can be exchanged between affected nodes and other sensor nodes [8]. For preventing this attack, [9] suggests frequency hopping as a countermeasure. In frequency hopping spread spectrum, nodes change frequency in a predetermined sequence. But it is not suitable for WSNs because every extra frequency requires extra processing and the range of possible frequencies for WSNs is limited. [10] suggests Ultra Wide Band (UWB) transmission technique as an anti-jamming solution. This technique is based on sending very short pulses in order of nanoseconds across a wide frequency band and is very difficult to detect. This technique is suitable for WSNs because of its low energy consumption. Link Layer This layer is responsible for the multiplexing of data streams, data frame detection, medium access, and error control. This layer is vulnerable to data collisions. a. Collision: This attack occurs when more than one sender tries to send data on a single transmission channel [10]. When packets collide, a change will likely occur in the data portion and thus the destination stations cannot receive data correctly. An adversary may strategically cause collisions in specific packets such as ACK control messages. A possible result of such collisions is the costly exponential back-off in certain media access control (MAC) protocols. A typical defense against collisions is the use of error correcting codes. Most codes work best with low levels of collisions, such as those caused by environmental or probabilistic errors. However, these codes also add additional processing and communication overhead. It is reasonable to assume that an attacker will always be able to corrupt more than what can be corrected. While it is possible to detect these malicious collisions, no complete defenses against them are known at this time. b. Exhaustion: Repeated collisions can also be used by an adversary to cause resource exhaustion. A possible solution is to apply rate limits to the MAC, thus allowing the network to ignore excessive requests. As a result, the energy drain caused by repeated transmissions can be prevented. Network Layer The network layer is responsible for routing messages from one to another node that are neighbors or may be multi-hops away. There are several attacks exploiting routing mechanisms in WSNs. Some familiar attacks are listed here. a. Selective forwarding: It is an attack where compromised or malicious nodes just drops packets of its interest and selectively forwards packets [6]. A specific form of this attack is the black hole attack in which a node drops all packets (messages) it receives. ª Copyright 2013 Taylor & Francis All rights reserved. 11

9 E D P A C S 2013 Figure 2 Selective forwarding attack. Figures 2(i) and 2(ii) show scenarios of selective forwarding attack. In Figure 2(i), source node S forwards its data packets D1, D2, D3, D4 to node A and node A forwards these received packets to node B. In other hand an adversary node AD selectively forwards packets D1, D3 while dropping packets D2 and D4. In another scenario shown in Figure 2(ii), an adversary may selectively drop packets originated from one source and forward that of others. One defense against selective forwarding attack is using multiple paths to send data [6]. A second defense is to detect the malicious node or assume that it has failed and seek an alternative route. b. Sybil attack: It is a case where one node presents more than one identity to the network [6]. This attack has a significant effect in geographic routing protocols. This attack disrupts these protocols functionality by being simultaneously at more than one place. Figure 3 demonstrates Sybil attack where an adversary node AD is present with multiple identities. AD appears as node F for A, C for B and A for D, so when A wants to communicate with F, it sends the message to AD. Identity verification is the key requirement for countering against Sybil attack. Unlike traditional networks, verification of identity in WSNs cannot be done with single shared symmetric key and public key algorithm because of computational limitations of WSNs. c. Sinkhole attack: In a Sinkhole attack, an attacker makes a compromised node look more attractive to surrounding nodes by forging routing information [6]. The final result is that surrounding nodes will choose the compromised node as the next node to route their data through. This type of attack makes selective forwarding very simple, as all traffic from a large area in the network will flow through the adversary s node. Figure 4 demonstrates sinkhole attack where SH is a sinkhole. This sinkhole attracts traffic from nearly all the nodes to rout through it. d. Wormhole attack: Wormhole is a critical attack, where the attacker receives packets at one point in the network, tunnels 12 ª Copyright 2013 Taylor & Francis All rights reserved.

10 2013 E D P A C S Figure 3 Sybil attack. Figure 4 Sinkhole attack. them through a less latency link to another point in the network [11]. This convinces the neighbor nodes that these two distant points at either end of the tunnel are very close to each other. If one end point of the tunnel is near to the base station, the wormhole tunnel can attract a significant amount of data traffic to disrupt routing and operational functionality of WSNs. In this case, the attack is similar to a sinkhole attack as the adversary at the other side of the tunnel advertises a better route to the base station. ª Copyright 2013 Taylor & Francis All rights reserved. 13

11 E D P A C S 2013 Figure 5 Wormhole attack. Figure 5 demonstrates a Wormhole attack where WH is the adversary node that creates a tunnel between nodes E and I. These two nodes are present at most distance from each other. Both Sinkhole and Wormhole attacks are difficult to detect, especially in WSNs that use routing protocols in which routes are decided based on information advertisements such as remaining energy or minimum hop count to the base station. [9] suggests using geographic routing protocols, which have better resilience against these attacks. e. Hello Flood attack: Many protocols that use hello packets make the naïve assumption that receiving such a packet means the sender is within radio range and is therefore a neighbor. An attacker may use a high powered transmitter to trick a large area of nodes into believing they are neighbors of that transmitting node [6]. Consequently, instead of sending information to the base station, the victim nodes will send them to the adversary s node. Figure 6 depicts how an adversary node AD broadcasts hello packets to convince nodes in the network that they are neighbors of AD. Although some nodes like I, H, F are far away from AD they think AD is their neighbor and try to forward packets through it, which results in wastage of energy and data loss. To counter this attack, it is possible to use the mechanism of authentication by a third node. Transport Layer In this layer, end-to-end connections are managed. Two possible attacks in this layer, flooding and desynchronization, are discussed here: a. Flooding: At this layer, adversaries exploit the protocols that maintain state at either end of the connection. An attacker sends many connection establishment requests to the victim node to exhaust its resources causing the flooding attack. 14 ª Copyright 2013 Taylor & Francis All rights reserved.

12 2013 E D P A C S Figure 6 Hello flood attack. One solution against this attack is to limit the number of connections that a node can make. But, this can prevent legitimate node to connect to the victim node. Another solution is based on the client puzzles [12]. According to this idea, if a node wants to connect with other nodes, it, at first, must solve a puzzle. An attacker does not likely have infinite resources and it is not possible for him to make connections fast enough to exhaust a serving node. b. Desynchronization: Desynchronization refers to the disruption of an existing connection. In this attack, an attacker repeatedly forges messages to one or both points of an active connection and thus desynchronizes the end points so that sensor nodes retransmit messages and waste their energy. One countermeasure against these attacks is to authenticate all packets exchanged between sensor nodes along with all the control fields in transport header [13]. Application Layer In this layer data is collected and managed. Here, a sensor node can be subverted to reveal its information, hence compromising the entire network. If a node is compromised, detection and exclusion of that node from the sensor network is a probable solution. LEAP (Localized Encryption and Authentication Protocol) [2] can verify if a node has been compromised or not and can revoke compromised nodes with efficient rekeying mechanism. Table 1 summarizes all the attacks discussed previously. Attacks on Secrecy and Authentication Standard cryptographic techniques can protect the secrecy and authenticity of communication channels from outsider attacks such as eavesdropping, packet replay attacks, and modification or spoofing of packets. There are different types of attacks under this category. ª Copyright 2013 Taylor & Francis All rights reserved. 15

13 E D P A C S 2013 Table 1 Attacks and Their Defenses in the Layers of WSNs Layers Attacks Defenses Physical Jamming Frequency Hopping, UWB Link Collision Error Correcting Codes Exhaustion Rate limitation Network Selective Forwarding Use of multiple paths, detecting compromised nodes, Authentication Sybil Authentication, control Sinkhole Geographic routing Wormhole Hello Authentication, verification of the bidirectional link Flood Transport Flooding Solving puzzles Desynchronization Authentication Application Nodes Corruption LEAP Node Replication Attack In a node replication attack, an attacker attempts to add a node to an existing WSN by replicating (i.e., copying) the node identifier of an already existing node in the network [14]. A node replicated and joined in the network in this manner can potentially cause severe disruption in message communication in the WSN by corrupting and forwarding the packets in wrong routes. This may also lead to network partitioning, communication of false sensor readings. In addition, if the attacker gains physical access to the entire network, it is possible for him/her to copy the cryptographic keys and use these keys for message communication from the replicated node. The attacker can also place the replicated node in strategic locations in the network so that s/he could easily manipulate a specific segment of the network, possibly causing a network partitioning. In Figure 7, N is the identity of cloned nodes that are mounted in multiple places in the network to bias the entire network. This attack can be avoided if we centrally compute the datagathering path by the base station; then multiple place occurrence of the node can be detected. The other way to detect the attack is Figure 7 Node replication attack. 16 ª Copyright 2013 Taylor & Francis All rights reserved.

14 2013 E D P A C S verifying the identities (authentication) of nodes by a trustworthy node. Attacks on Privacy The privacy preservation in WSNs is even more challenging since these networks make large volumes of information easily available through remote access mechanisms. Since the adversary need not be physically present to carry out the surveillance, the information-gathering process can be done anonymously with a very low risk. In addition, remote access allows a single adversary to monitor multiple sites simultaneously [15]. Following are some of the common attacks on sensor data privacy [15]: Eavesdropping and passive monitoring: This is the most common and easiest form of attack on data privacy. If the messages are not protected by cryptographic mechanisms, the adversary could easily understand the contents. Packets containing control information in a WSN convey more information than accessible through the location server. Eavesdropping on these messages proves more effective for an adversary. Traffic analysis: In order to make an effective attack on privacy, eavesdropping should be combined with a traffic analysis. Through an effective analysis of traffic, an adversary can identify some sensor nodes with special roles and activities in a WSN. For example, a sudden increase in message communication between certain nodes signifies that those nodes have some specific activities and events to monitor. Deng et al. have demonstrated two types of attacks that can identify the base station in a WSN without even underrating the contents of the packets being analyzed in traffic analysis [16]. SECURITY SOLUTIONS IN WSNs Security schemes can be applied to provide security in WSN, but keeping in view their resource-starved nature is very difficult. Some researchers are striving to develop improved WSN protocols, others are attempting to improve node design; still others are working to resolve security issues including the main WSN security threat of insecure radio links with eavesdropping and information corruption possible. Most security mechanisms that exist today require intensive computation and memory and consequently consume more energy. A number of security suites already exist and are at least in some way appropriate for use in WSNs, and combat some of the threats on these networks. This section reviews some of the more popular and suitable solutions. Cryptography in WSNs Selecting the most appropriate cryptographic method is vital in WSNs because all security services are ensured by cryptography. Public key cryptography (Diffie-Hellman key agreement protocol or RSA signature) is not suitable for WSN because of its limitation in memory, computation, and power; to perform a single security ª Copyright 2013 Taylor & Francis All rights reserved. 17

15 E D P A C S 2013 operation RSA executes thousands or even millions of multiplication instructions. However, symmetric cryptography and hash functions are faster and more computationally efficient than public key algorithms. That is why most security schemes and security researches for WSN are based on symmetric key cryptography. Key Management Protocols Key management is a core mechanism to ensure the security of network services and applications in WSNs. The goal of key management is to establish required keys between sensor nodes that must exchange data. Further, a key management scheme should also support node addition and revocation while working in undefined deployment environments. Due to the constraints on sensor nodes, key management schemes in WSNs have many differences with the schemes in ad hoc networks. As public key cryptography suffers from limitations in WSNs, most proposed key management schemes are based on symmetric key cryptography. According to the network structure, the protocols can be divided into centralized key schemes and distributed key schemes and according to the probability of key sharing between a pair of sensor nodes, the protocols can be divided into probabilistic key schemes and deterministic key schemes [4]. Network Structure Key Management Protocols a. Centralized key management protocols: In a centralized key scheme, there is only one entity, often called a key distribution center (KDC), that controls the generation, regeneration, and distribution of keys. The only proposed centralized key management scheme for WSNs in the current literature is the LKHW scheme, which is based on the Logical Key Hierarchy (LKH) [17]. In this scheme, the base station is treated as a KDC and all keys are logically distributed in a tree rooted at the base station. Discussion: With only one managing entity, the central server is a single point of failure. The entire network and its security will be affected if there is a problem with the controller. During the time when the controller is not working, the network becomes vulnerable as keys are not generated, regenerated, and distributed. Furthermore, the network may become too large to be managed by a single entity, thus affecting scalability. b. Distributed key management protocols: In the distributed key management approaches, different controllers are used to manage key generation, regeneration, and distribution, thus minimizing the risk of failure and allowing for better scalability. In this approach, more entities are allowed to fail before the whole network is affected [4]. Most proposed key management schemes are distributed schemes. These schemes also fall into deterministic and probabilistic categories, which are discussed in the following subsection. 18 ª Copyright 2013 Taylor & Francis All rights reserved.

16 2013 E D P A C S Key Management Protocols Based on the Probability of Key Sharing In the remainder of this section, we present the key management protocols based on the probability of key sharing between a pair of sensor nodes. We first discuss deterministic approaches and then discuss probabilistic approaches. a. Deterministic approaches: Zhu et al. [18] proposed a key management protocol for sensor networks named LEAP, which provides the basic security services such as confidentiality and authentication. In this protocol, it is observed that there are several types of messages; this led to the use of four different keys for each node: Individual Key shared with the base station to secure the messages between a sensor node and the base station. A Pairwise Key (unique) shared between a node and its neighboring nodes, which is used to secure peer to peer communications. A Group Key pre-distributed and shared among all nodes in the network and the base station uses this key to provide security of broadcast messages sent to the whole group. And finally, a Cluster Key shared with multiple neighboring nodes, used for securing locally broadcast messages. More details of this protocol are in [18]. Discussion: LEAP can minimize the effect of selective forwarding attack as it uses local broadcast, thereby the effect of this attack cannot be transferred more than two hops away. LEAP can prevent HELLO Flood and Sybil attacks as the authentication is assured. The disadvantage of this scheme is that memory for each node has to store four types of keys as well as computation and communication overhead increase if the density of WSN increases. And as the Group Key is shared among all the nodes, there is a chance that an adversary can get the key by compromising a node. Lai et al. [19] have proposed a BROadcast Session Key (BROSK) negotiation protocol. BROSK assumes a master key is shared by all nodes in the network. To generate a session key between two sensor nodes, each node sends to the other node a key negotiation message. When receiving this message, the two nodes can verify the message using the master key and both can calculate the shared session key. Like LEAP, BROSK has the same problem, that is, as the master key is shared between all nodes, an attacker can corrupt a node and thus seize the master key and in this case, s/he can pass for a legitimate node in the network. The authors of [20] have proposed a deterministic key distribution scheme for WSNs using Combinatorial Design Theory. The combinatorial design theory based Pairwise key pre-distribution (CDTKeying) scheme is based on block design techniques in combinatorial design theory. It employs symmetric and generalized quadrangle design techniques. The scheme uses a finite projective plane of order n (for prime power n) to generate a symmetric design with parameters n 2 + n + 1, n + 1, 1. The design supports n 2 + n + 1 ª Copyright 2013 Taylor & Francis All rights reserved. 19

17 E D P A C S 2013 nodes, and uses a key-pool of size n 2 + n + 1. It generates n 2 + n + 1 key chains of size n + 1 where every pair of key chains has exactly one key in common, and every key appears in exactly n + 1 key chains. After the deployment, every pair of nodes finds exactly one common key. Thus, the probability of key sharing among a pair of sensor nodes is 1. Discussion: The disadvantage of this solution is that the parameter n has to be a prime power, thus indicating that not all network sizes can be supported for a fixed key-chain size. Lee and Stinson have proposed two combinatorial design theory based deterministic schemes: the Id-based One-way function Scheme (IOS) and the Deterministic Multiple space Blom s Scheme (DMBS). The details are in [21]. b. Probabilistic Approaches: Most proposed key management schemes are probabilistic and distributed schemes. [22] introduced a key pre-distribution scheme for sensor networks that relies on probabilistic key sharing among the nodes of a random graph. The key distribution is divided into three phases, which are key pre-distribution, sharedkey discovery, and path-key establishment. In the key predistribution stage, a large pool of S keys and associated identifiers for each key are generated. Then from that key pool a number of key rings are generated by randomly drawing P keys along with their identifiers for each key ring and then each sensor node is given a key ring. The base station stores the key rings of each node and the associated node identifiers. In shared key discovered phase, after deployment, each sensor node tries to find with which of its neighbors it shares a key by broadcasting the identifier list of its keys. Two sensors that discover that they share a key check it by using a challenge/response protocol. If two sensor nodes that do not share a common key but want to communicate and are at two or more links away, then they can get a path-key in path establishment phase. If a node is compromised, the base station sends a message containing the identifier list of the keys of the compromised node s key chain to all the nodes encrypting with the pair wise keys shared with them. The nodes in the network can then delete the corresponding key from their key chain. Discussion: This scheme is basic and it ensures scalability. Again, when a node is compromised, the probability of an attacker to successfully attack a node is P/S where P,, S. So, in a key revocation process much communication overhead is not introduced as a small number of nodes are affected.but,thisschemeisnotabletoprovidenodetonode authentication, which is a requirement to protect from node replication attack (Sybil attack). Chan et al. [23] proposed Q-Composite Scheme, which was introduced to increase the resilience of the network against node capture compared to a basic scheme. In this scheme, in the shared key discovery phase, to establish a secure link 20 ª Copyright 2013 Taylor & Francis All rights reserved.

18 2013 E D P A C S two nodes require at least q common keys in their key rings instead of a single common key as in a basic scheme. According to the authors observation, this property increases the resilience to node capture when a small number of nodes are compromised. However, this scheme performs badly when more nodes are compromised as the same keys are used repeatedly in a network. But usually adversaries first try to attack on a small scale and if they succeed then they proceed for large-scale attack. So, this scheme is reasonable to protect against small-scale attack, thus preventing a large-scale one. Discussion: This scheme also cannot provide node to node authentication and if an attacker performs a large-scale attack the security of the network breaks down under this scheme. Moreover, this suffers from memory and node capture problems. There are other key pre-distribution schemes based on the polynomials [24], grids, or the matrices [25]. Table 2 summarizes and compares the various key management protocols previously discussed. Although some key management protocols have been proposed for sensor networks, the design of these protocols is still largely open to research. Secure Communications Protocols The goal of a secure communication protocol is to ensure the integrity, authentication, and availability of messages. The proposed secure communication protocols for WSNs in the literature are based on symmetric key cryptography. Perrig et al. [26] present Security Protocols for Sensor Networks (SPINS), which comprises two security building blocks optimized to use in WSN, which are Sensor Network Encryption Protocol (SNEP) and mtesla. SNEP provides semantic security, data authentication, replay protection, and weak freshness by implementing symmetric cryptographic primitives such as MAC, and encryption with RC5. Before encrypting the message the sender attaches a random bit string with the message and this property provides semantic security, replay protection, and weak freshness. For excluding extra communication overhead of sending this extra random bit with each message, SNEP shares a counter between the communicating nodes for the block cipher in counter mode (CTR). The communicating parties increment the shared counter after each block. Data authentication is achieved by verifying the MAC value of the message. Discussion: mtesla provides broadcast authentication by using symmetric primitives, but it is not suitable for local broadcast authentication. This is because mtesla does not provide immediate authentication. For every received packet, a node has to wait for one mtesla interval to receive the MAC key used in computing the MAC for the packet. As a result, if mtesla is used for local broadcast authentication, a message traversing k hops will take at least k mtesla intervals to arrive ª Copyright 2013 Taylor & Francis All rights reserved. 21

19 E D P A C S 2013 Table 2 Key Management Approaches Protocol Theory Master key Pairwise key Path key Cluster key Scalability Resilience Processing load Communication load Storage load Deterministic LEAP Yes Yes Yes Yes Good Low Low Low Low BROSK Yes Yes No No Good Low Low Low Low LKHW LKH Yes Yes No Yes Limited Low Low Low Low Probabilistic CTDKeying Combinatorial Yes No No Good Good Medium Medium High IOS & MBS Combinatorial Yes No No Good Good Medium Medium High Basic Predistribution Random Graph Yes Yes No Good Good Medium Medium High Q-composite Random Graph Yes Yes No Good Good Medium Medium High Polynomials t-degree polynomial and Yes Yes No Good Good Medium Medium High Random graph Matrices Blom s method & random Yes Yes No Good Good Medium Medium High graph 22 ª Copyright 2013 Taylor & Francis All rights reserved.

20 2013 E D P A C S at the destination. In addition, a sensor node has to buffer all the unverified packets. A problem with this protocol is that the broadcast here is limited to the base station. If any node wants to broadcast it has to do that via base station. Karlof et al. designed the replacement for the unfinished SNEP, known as TinySec [27]. Inherently it provides similar services, including authentication, message integrity, confidentiality, and replay protection. A major difference between TinySec and SNEP is that there are no counters used in TinySec. TinySec supports two different security options: authenticated encryption (TinySec-AE) and authentication only (TinySec-Auth). In TinySec-AE, TinySec encrypts the data payload and authenticates the packet with a MAC. With TinySec-Auth, the packet authentication is performed with a MAC without encrypting the data payload. Discussion: The drawback for implementing TinySec is that TinySec packets are one to five bytes longer than normal WSN packets, which may reduce bandwidth and increase latency and energy consumption. In ZigBee [28], the concept of a Trust Center is introduced. Generally a ZigBee Coordinator acts as Trust Manager, which allows other devices to join the network and also distributes the keys. It plays three roles: Trust manager, whereby authentication of devices requesting to join the network is done, Network manager, maintaining and distributing network keys, and Configuration manager, enabling end-to-end security between devices. It operates in both Residential Mode and Commercial Mode. The Trust Center running on Residential Mode is used for low security residential applications. In Residential Mode, the Trust Center will allow devices to join the network, but does not establish keys with the network devices. Commercial mode is designed for high-security commercial applications; it establishes and maintains keys and freshness counters with every device in the network, allowing centralized control and update of keys. There are three types of keys employed: The Master keys: It is the basis for long-term security between two devices. The Link key: It is a basis of security between two devices. The Network key: It is the basis of security across the entire network. Discussion: The problem with this protocol is in the commercial mode; establishing, maintaining, and updating the keys and freshness counters of each piece of equipment costs enormously in terms of memory and particularly when the size of the network is large. The standard [29] provides link layer security services, and has three modes of operation unsecured, an Access Control List (ACL) mode, and secured mode. In unsecured mode, as the ª Copyright 2013 Taylor & Francis All rights reserved. 23

21 E D P A C S 2013 name implies, no security services are provided. In ACL mode the device maintains a list of devices with which it can communicate. Any communication from devices not on the list is ignored. However, it must be noted that this mode offers no cryptographic security so it is trivial for the message source address to be spoofed. Secured mode offers seven security suites and depending on which is used any of four security services are offered, these being access control, data encryption, frame integrity, and sequential freshness. One cryptographic algorithm, AES-128, is employed for all security suites. Discussion: According to the authors of [29], some problems were found with security modes at the lower levels but higherlevel protocols overcome these limitations. MiniSec [30] is a secure network layer protocol that claims to have lower energy consumption than TinySec while achieving a level of security that matches that of ZigBee. A major featureofminisecisthatitusesoffsetcodebook(ocb)modeas its block cipher mode of operation, which offers authenticated encryption with only one pass over the message data. Normally two passes are required for both secrecy and authentication. Another major benefit of using OCB mode is that the cipher-text is the same length as the plaintext. MiniSec has two modes of operation: MiniSec-U and MiniSec- B; the first is used for unicast packets and the second is used for broadcast packets. Discussion: Like ZigBee, MiniSec presents the problem of memory because of the saved keys. Nasser and Chen [31] proposed SEER: Secure and Energy Efficient multipath Routing protocol in which the base station performs the route discovery, maintenance, and route selection. Instead of using a single path, the base station periodically selects a new path from multipaths based on the current energy level of nodes along each path. Attacks on routing protocols that attract traffic by advertising a high-quality route to the base station such as Wormhole and Sinkhole can be defended by SEER as the routing path is selected by the base station. Discussion: The problem here is, if adversaries can breach the security of base station, they can disrupt the whole network. Table 3 recapitulates the various protocols discussed previously. Secure Data Aggregation Data communication constitutes an important share of the total energy consumption of the sensor network. Data aggregation can greatly help conserve the scarce energy resources by eliminating redundant data. In a WSN, there are usually certain nodes, called aggregators, helping to aggregate information requested by queries. When an aggregator node is compromised, it is easy for the adversary to inject false data into sensor networks. Thus the data aggregation requires confidentiality, integrity, authentication, and cooperation between the sensor nodes to identify the compromised ones. Various approaches were proposed to secure data aggregation, and Figure 8 shows a taxonomy of these approaches. 24 ª Copyright 2013 Taylor & Francis All rights reserved.

22 2013 E D P A C S Table 3 Secure Communications Protocols Protocols Encryption Freshness Overhead MAC used Key agreement SPINS Yes Yes 8 bytes Yes Symmetric TinySec Yes No 4 bytes Yes Pre-deployed and variable ZigBee Yes Yes 4, 8, or 16 Yes Trust center (commercial) (Secure Mode) Yes Yes (sequential) bytes 4, 8, or 16 bytes Yes MiniSec Yes Yes 7 bytes Yes Any mechanism SEER Figure 8 Approaches to secure data in WSNs. Plain-text based aggregation SA, SIA, SINP, ESPDA, SDDA, WDA Protocol operations Cipher based aggregation CDA, HSC Articles [32, 33] describe in a detailed way all these approaches. Data aggregation is essential for WSNs; several secure data aggregation protocols have been proposed; however, no comparisons have been conducted on these protocols. Further evaluation and comparison are desirable to learn the performance of these protocols. So, new data aggregation protocols need to be developed to address higher scalability and higher reliability against aggregator and sensor node cheating. Intrusion Detection The impact of an attack can be greatly reduced if it is detected as early as possible. Intrusion detection systems (IDS) have therefore grown to major security tools in Internet networking. Their purpose is to detect patterns in system behavior that indicate malicious activities. In a sensor network, an intrusion can occur at two levels. Either one or more sensor nodes have been taken control of by the adversary, or the adversary is disrupting the sensor network s operation ª Copyright 2013 Taylor & Francis All rights reserved. 25