Re-examining Probabilistic Versus Deterministic Key Management Dahai Xu Jianwei Huang Jeffrey Dwosin Mung Chiang Ruby Lee {dahaixu, jianweih, jdwosin, chiangm, rblee}@princeton.edu Department of Electrical Engineering, Princeton University, NJ 8544, USA Abstract It is widely believed that although being more complex, a probabilistic ey predistribution scheme is much more resilient against node capture than a deterministic one in lightweight wireless ad hoc networs. Baced up by the surprisingly large successful attac probabilities computed in this paper, we show that the probabilistic approaches have only limited performance advantages over deterministic approaches. We first consider a static networ scenario as originally considered in the seminal paper by Eschenauer and Gligor [], where any node capture happens after the establishment of all pairwise lins, and show that the deterministic approach can achieve a performance as good as the probabilistic one. Furthermore in a mobile networ, the probabilistic ey management as described in [] can lead to a successful attac probability of one order of magnitude larger than the one in a static networ. A. Motivation I. INTRODUCTION Lightweight ad hoc networs typically consist of nodes that are highly distributed with very limited computation and energy resources, such as portable mobile devices and tiny low-cost sensors used for environment surveillance and emergency rescues. As the cornerstone of security communication, various ey management schemes have been proposed trying to provide a highly secure communication environment in lightweight ad hoc networs against malicious attacs of adversaries. Among various ey management schemes, symmetric ey predistribution schemes (e.g., [], [2] are more suitable to the light weight ad hoc networ than asymmetric public ey schemes, because their resource (e.g., battery, memory, computation power requirements are small and there is no need for a trusted third party. There are two main approaches within the symmetric ey predistribution schemes: probabilistic (e.g., [] [5] and deterministic (e.g., [6], [7]. In a probabilistic approach, the eys in each node s ey ring are randomly chosen from a large ey pool. In a deterministic approach, on the other hand, the ey ring is chosen deterministically. In general, probabilistic approaches end up with a large ey pool, a larger ey ring per node, and poorer networ connectivity than the deterministic approaches. On the other hand, a typical deterministic algorithm preloads each node with a single common ey and reaches connectivity of %. More related references can be found in [8]. It is often believed that a typical probabilistic scheme is much more resilient against node capture than a typical deterministic approach [], [3], [4], thus maing probabilistic schemes popular despite its clear disadvantage on many other metrics when compared with deterministic approach. In this paper, we show the probabilistic approaches have only limited performance advantages over deterministic approaches. Our This wor was supported by the National Science Foundation (NSF under award CNS-43487. For example, the probabilistic scheme in [] requires preloading each node with 83 eys out of a ey pool size of,, and achieves a local direct connectivity of 5%. performance measurement is the Successful Attac Probability (SAP. An attac on a pairwise lin between two authorized nodes is successful if a compromised node can intercept and decipher the information transmitted through that lin. B. Summary of our study between representative probabilistic and deterministic schemes The probabilistic scheme was first proposed in the seminal and widely cited paper by Eschenauer and Gligor [], and we call the corresponding scheme the EG scheme. It consists of three phases: ey distribution, shared ey discovery and pathey establishment. In the ey distribution phase, each node is loaded with eys randomly chosen from a large ey pool of size m, where m. The shared ey discovery is the procedure of establishing a pairwise lin between two neighbor nodes if they share one or more ey(s. Finally, in the path-ey establishment phase, a pairwise lin is established between any two neighbor nodes who do not share any ey but can establish a path between them through one or more relay nodes. In this case, a path-ey is sent from one node to its neighbor through the relays(s, and then a lin is established similarly to the shared-ey discovery phase. A representative deterministic scheme is to use single common ey, where each node is preloaded with the same initial ey. After the deployment, each pair of neighbor nodes exchange messages encrypted by the common initial ey to derive a unique (or even random ey for all later communications between them. Throughout the paper, we will compare the performance of probabilistic and deterministic ey management schemes based on the EG scheme [] and single common ey scheme. We will consider two networ scenarios: static networ and mobile networ. In a static networ, all pairwise lins have been established before an adversary can capture any node. This implies that all nodes are deployed almost at the same time and remain static after deployment. This is the case previously considered in []. In contrast, in a mobile networ, an adversary can capture a node before all pairwise lins have been established. This is the case for the networ where nodes are constantly on the move and need to establish new lins. This includes, for example, a sensor networ of buoys floating freely on the ocean to gather environmental data, and a networ consisting of sensors moving around in an unnown environment to form a reasonable coverage. In a static networ, the initial common ey can be deleted permanently from all nodes after the establishment of all pairwise eys (as in [6]. Therefore, single common ey scheme can achieve almost perfect resiliency against node capture (i.e. SAP, since all pairwise eys are randomly generated and nown only to the corresponding two neighbor nodes. Thus they cannot be deduced by a captured node even if the common initial ey is disclosed. On the other hand, the SAP equals /m with one captured node in the EG scheme
2 where each neighbor node pair uses one of the shared eys to encrypt the communication. The SAP could be reduced to almost zero as in the single common ey case if two neighbor nodes also generate a random ey for future communication. In short, the deterministic scheme can achieve a performance as good as a probabilistic approach in a static networ, but with much lower complexity. In a mobile networ, single common ey scheme could lead to an SAP as high as % if the common initial ey is obtained by an adversary before any lin is established. However, we show that the EG algorithm is also quite vulnerable in this case, and may lead to a value of SAP one order of magnitude larger than the one in the static networ case (e.g., as high as 6%, especially when the adversary can fully utilize the eys obtained from several compromised nodes. The intuition for the surprising result in this case is as follows. In the static networ, there is only one way to attac a lin successfully, i.e., nowing the ey with which the communications on that lin is encrypted. In a mobile networ, however, a compromise node can also attac a lin by acting as a relay during the path-ey establishment phase. By intercepting the ey information that is being relayed, a compromised node can figure out the ey which the two authorized nodes will use for future mutual communication. This new man-in-the-middle attac opportunity can significantly increase the value of SAP for a probabilistic approach, since there is a high chance of using a relay for lin establishment. The rest of the paper is organized as follows. In Sec. II, we calculate the values of SAP in both static and mobile networs, with a focus on the probabilistic approach (i.e., EG scheme. In Sec. III, we validate the analytical results in Sec. II with simulations based on a C++ simulator and a unit dis networ model. We conclude in Sec. IV. II. FRAGILITY ANALYSIS FOR PROBABILISTIC KEY MANAGEMENT In this section, we first review the results in [], where the successful attac probability (SAP is calculated for a static networ. We then consider a mobile networ, and show how the value of SAP needs to be substantially revised. We only consider the attacs on the pairwise lin between two authorized nodes that are within each other s communication range. The SAP will be even higher if A and B are far away and can only be connected with a multi-hop path, since a successful attac on any hop will jeopardize the confidentiality of the whole communication. The establishment of a lin requires two neighbor nodes, A and B, to be able to encrypt the communication over such a lin using a common ey. This could be achieved in two ways: (i A and B share a ey within their preloaded ey rings, thus can establish the lin directly. (ii A and B do not share a ey initially, and need to exchange additional information through one or more relay nodes, with whom the pairwise lins have already been established. For example, A can randomly choose an unused ey from its ey-ring and send it to B through the relay node(s. Then A and B can use this ey to encrypt the pairwise ey between them. In either case, SAP of the lin between A and B is defined as S AP P(A B A B, ( Notations A B A C h B A B A B (A B C (A B C h (A, B C h (A, B C h r TABLE I SUMMARY OF NOTATION Meaning A and B establish a pairwise lin between them A and B communicate through one node in C h The lin between A and B is successfully attaced A and B share at least one ey C has all the eys ( shared by A and B At least one node of C h has all the eys ( shared by A and B At least one node in C h shares at least one ey with A and at least one ey with B Exactly r nodes out of C h, each of which shares at least one ey with A and at least one ey with B where A B denotes the event that the lin between A and B is successfully attaced, and A B denotes the event that A and B establish a lin between them. Since a lin can only be attaced if it has been established, we have (2 and (3 below. P(A B A B (2 S AP P(A B All the notation used in this section are defined in Table I to enable a cleaner presentation of later derivations. A, B and C denote three generic nodes, and C h denotes a set of h nodes. Each node is preloaded with a ey-ring of randomly chosen eys out of a ey pool of size m. A. SAP for a static networ If a compromised node wants to attac an established lin, it needs to now the ey used to encrypt the lin. Therefore a compromised node can successfully attac an existing lin with probability /m, as stated in []. B. SAP for a mobile networ In a mobile networ, a compromised node C can attac the lin between A and B in three ways: (i If A and B share a ey initially and establish the lin directly, then C needs to now the ey chosen by A and B to encrypt the lin. (ii If A and B do not share a ey initially and use C as a relay, then C can get the desired information while relaying the information between A and B. A first communicates with C via encrypted messages protected by shared ey K ac. C decrypts this with K ac giving it access to the plaintext message, and encrypts this with K cb, a ey it shares with node B, then sends the re-encrypted message to B. This sets C up as a man-in-the-middle eavesdropper between A and B, since C can see the plaintext of all messages going from A to B. (iii If A and B do not share a ey and do not choose C within the relay path, C can still attac the communication between A and B by either eavesdropping on the lins along the relay path or attacing the eventual pairwise lin established between A and B, if it has any of the eys used for these lins. Overall, the value of SAP depends on the number of compromised nodes and authorized nodes within both A and B s (3
3 communication range, as well as how A and B choose the relay nodes. To simplify the analysis, we only consider cases (i and (ii, and further assume only one node relay in case (ii. In the simulation in Sec. III, we calculate SAP for all three cases. It will be useful to now the probability of sharing at least one ey between any two nodes in the networ. Denote δ m as the probability that any two nodes A and B do not share any ey, then δ m P ( A B ( m /( m, (4 where A B denotes A and B share at least one ey. The value of δ m can be either accurately calculated as i (m i/(m i, or approximated using Stirling s approximation for n! as in [], i.e., ( m δ m ( m 2(m +. (5 ( 2 m m 2+ ( m Then the probability of A and B sharing at least one ey is P(A B δ m. (6 For example, if 83, m, P(A B 5%. Next we derive the value of SAP based on the number of authorized users and compromised users within both A and B s communication range. We start with the simplest case, where there is only one compromised node available. We then consider the case where there are h compromised nodes. Finally, we consider the case with h compromised nodes and g authorized nodes. Scenario I: only one compromised node C is within both A and B s communication range: Depending on whether A and B share a ey initially, they may establish the pairwise lin with or without the relay of C. The probability of successfully establishing the lin is (7 and we have (8 below. P(A B P(A B + P((A C B C A B, (7 P((A B C + P((A C B C A B. (8 Here ((A B C means that A and B share at least one ey, and all the shared eys between A and B are within the eyring of node C. Since we ignore the case where C only nows a subset of the shared eys between A and B, where C still has a chance to successfully attac the lin between A and B, we have an inequality in (8 instead of an equality. Let us calculate each term in (7 and (8. We now the value of P(A B from (6. Also, Define P(A C B C A B P(A C P(B C + P(A C B C A B (9 ( /( m 2 m 2δ m + ( ( /( ( /( m m m 2 m 2δ m + ( 2δ m + δ m δ m (2 φ m P(A C B C A B, (3 we then have P(A C B C A B Thus from (6, (7 and (4 Meanwhile, P(A B P(A C B C A B δ mφ m. (4 P(A B δ m + δ mφ m, (5 P((A B C ( ( m ( m i i i i i (6 ( ( m ( m (7 ( m (m! m 2 + ( m (8 (!(m! m!!(m! δ m 3 m(m 2 +, (9 whereas in (7, for simplicity we ignore the event that A, B and C share more than one ey. Define we then have S AP γ m P((A B C, P(A B γ m + δ mφ m. (2 δ m + δ mφ m 2 Scenario II: h compromised nodes are within both A and B s communication range: We use C h to denote the set of h compromised nodes. Since P((A, B C h A B P(A B P((A, B C h A B (2 P(A B ( ( P(A C B C A B h (22 δ m ( ( φ m h, (23 then using a similar argument as in Scenario I, we have S AP P((A B Ch + P((A, B C h A B P(A B + P((A, B C h A B ( γ m h + δ m ( ( φ m h δ m + δ m ( ( φ m h. (24 (25 3 Scenario III: h compromised nodes and g authorized nodes are within both A and B s communication range: In this case, if A and B do not share any ey initially and need to communicate through a relay, a successful attac can happen if one compromised node is chosen as the relay. Assuming there are a total of a qualified relays (i.e, nodes who can establish pairwise lins with both A and B, b out of which are compromised nodes. Denote µ b a as the probability of A and B picing a compromised node as the relay, which could be b/a under honest attacs, or some higher value under smart attacs.
4 The probability of having r useable relays out of all h compromised nodes when A and B do not share eys is P((A, B C h r A B ( h (P(A C r ( h r B C A B P(A C B C A B r (26 ( h (φ r m r ( φ m h r. (27 Similarly, the probability of having w useable relays out of all g authorized nodes when A and B do not share eys is ( P((A, B C g g w A B (φ w m w ( φ m g w. (28 Then the probability of sending a message through a compromised node given the existence of h compromised nodes, g authorized nodes and A, and B do not share any ey is P(A C h B A B h g µ r r+w(p((a, B C h r A B P((A, B C g w A B (29 Since r w h g r w µ r r+w (( ( h g ((φ r w m r+w ( φ m h+g (r+w. (3 P(A C h B A B P(A B P(A C h B A B, (3 we have the following lower bound on SAP S AP P(A B P((A B Ch + P(A C h B A B (33 P(A B + P(A C h+g B A B ( γ m h + δ m ( hr g (( h ( g ( w µr r+w r w (φ m r+w ( φ m h+g (r+w fabricated nodes. δ m + δ m ( ( φ m h+g. (32 (34 4 Numerical results: Table II shows the SAP for different values of h and g based on the previous analysis. The ey-ring size is 83, with a ey pool size of m. TABLE II Successful attac probability (SAP for different numbers of authorized nodes (g and compromised nodes (h. We assume there are a total of a qualified relays, b out of which are compromised nodes. µ b a is the probability of picing a compromised node as the relay. The ey pool size m, the preloaded ey-ring size 83, and the original SAP estimation is h/m. g g 2 h g µ b a b/a µ b a µ b a b/a µ b a h/m 2% 4.7% 3.% 2.7% 2.8% % 2 3.% 8.8% 22.7% 5.% 22.4%.7% 3 37.6% 2.3% 3.% 7.4% 29.7% 2.5% 4 4.9% 5.3% 35.5% 9.5% 35.2% 3.3% 5 44.8% 8.% 39.7%.4% 39.5% 4.2% 6 46.9% 2% 42.9% 3.2% 42.7% 5.% 7 48.5% 22.5% 45.4% 5.% 45.2% 5.8% 8 49.7% 24.4% 47.3% 6.6% 47.2% 6.6% 9 5% 26.2% 48.8% 8.% 48.7% 7.5% Several observations are in order. When (the probability of picing a compromised node as the relay, µ b a b/a, the SAP increases with h (compromised nodes under fixed g (authorized nodes. When µ b a, the general trend is similar, but the SAP is not very sensitive in the cases of g and g 2, since A and B will always choose a compromised node as relay if possible. Comparing with the value of SAP estimated in [], which is approximated as h/m, the SAP in Table II is much larger. For example, with µ b a b/a, h 9 and g 2, we have a SAP of 8.%, as opposed to h/m 7.5%. The value of SAP increases further when µ b a. The value of µ b a heavily depends on the attac model used by the compromised nodes. Two attac models, honest attac and smart attac, are defined in Sec. I. In an honest attac, the relays nodes are randomly chosen and µ b a b/a. In a smart attac, however, the compromised nodes will improve the value of µ b a by various methods. In a smart attac with incentive, the compromised nodes provide incentives for nodes A and B to choose one of them as relay. If the choice of relay is determined by a shortest path routing protocol, the compromised nodes can announce distance metrics of the lins connected to them smaller than the actual values. If the choice of relay is based on energy efficiency, the compromised nodes can pretend to be very energy efficient. In most cases, the incentives provided by the compromised nodes can mae the value of µ b a very close to. In a smart attac with virtual node fabrication, each compromised node is able to collect the eys from all other compromised nodes, then can fabricate up to ( h nodes with distinct ey rings. The number will be very large if h 2. For example, when two nodes are captured with non-overlapping ey rings, then ( 2 (2!! 2π(2 2+ e 2 ( 2π( + e 2 22+ 2π, (35 which is around 5.8 48 if 83. As a result, the value of µ b a will be closer to with the increase of the number of III. SIMULATION RESULTS To verify our probability computations in Sec. II, we evaluate the SAP of the probabilistic ey predistribution scheme (the EG scheme through a simulator written in C++. We consider a unit dis networ model. A total of g authorized nodes are uniformly distributed in the unit dis. All the compromised nodes (including any virtually fabricated nodes are placed at the center of the unit dis. All nodes are assumed to have the same transmission range equal to the radius of the dis. This means an adversary can eavesdrop on any communication in the unit dis through the compromised nodes as long as it has the right ey(s. Two neighbor nodes will setup a pairwise lin if they share one or more eys. Otherwise, they will try to find an relay path through one or more nodes to exchange additional ey information, so that they can set up pairwise lin between them. When there is more than one qualified relay node available, the authorized nodes will choose a relay randomly in the case of µ b a b/a (i.e, honest attac or finite virtual node fabrication, or search for a shortest relay path in an attac with incentive. 2 Any two nodes that are not neighbors cannot establish pairwise lins among themselves. The main reason of using the above unit dis networ model 2 In the simulation, the smart attac with incentive is approximated as setting the cost of the lins adjacent to the compromised nodes as 999 instead of as unit (hop for other authorized nodes.
5 Successful Attac Probability Successful Attac Probability.3.2. 83, m h9 h6 h3 h2 h 4 8 5 2 25 3 35 4 Number of Authorized Nodes (g.3.2. (a Honest attac 83, m, g4 h9 h6 h3 h2 2 4 8 5 2 25 3 35 4 Number of Fabricated Nodes (c Smart attac (node fabrication Successful Attac Probability Successful Attac Probability.3.2..3.2. 83, m h9 h6 h3 h2 h 4 8 5 2 25 3 35 4 Number of Authorized Nodes (g (b Smart attac (incentive 83, m, g4 Smart Attacer (Incentive Smart Attacer (Fabrication Honest Attacer Original Estimation (h/m 2 3 6 9 5 2 25 3 Number of Captured Nodes(h (d Different attac models Fig.. Successful Attac Probability with various numbers of captured nodes (h and authorized nodes (g is to derive a uniform and fair metric (SAP among various approaches where failing to attac is only due to the lacing in appropriate eys rather than the limitation of transmission range. The SAP is calculated as the fraction of the lins that can be eavesdropped by the compromised nodes among all the pairwise lins. As we explained in Sec. I, a basic deterministic scheme lie single common ey either enables almost zero SAP in a static networ, or leads to % SAP for the unit dis model in a mobile networ since it has the common ey and can observe all the ey exchanges between nodes. Hence, our focus here is to determine the SAP for the probabilistic ey predistribution scheme (i.e., the EG scheme. All the simulation results are averaged over sets of random seeds which affect the distribution of the authorized nodes within the unit dis, the ey ring preloaded to each node and the choices in case of multiple qualified relays. Figs. (a to (d illustrate the values of SAP under different assumptions on the number of compromised nodes (h, number of authorized nodes (g and different attac models (honest attac, smart attac with incentive, or smart attac with fabrication. Fig. (a shows the SAP for various values of h and g under the honest attac. For a fixed value of h, the SAP decreases when the density of authorized nodes increases. This is because in a denser networ, there are more qualified relay nodes available between any two neighbor nodes, thus the probability of choosing a compromised node as the relay is smaller under honest attac. For a fixed number of authorized nodes g, a higher value of h increases the probability of picing a compromised node as the relay, thus leads to a higher value of SAP. In a networ where there are 9 compromised nodes and 5 authorized nodes, the SAP could be as high as 42%. Fig. (b shows the SAP for various values of h and g under the smart attac with incentive. In this case, two neighbor nodes without a common ey will have high chance to pic a compromised node as relay if it is qualified. There is a high probability of finding a qualified relay node among the compromised nodes when h is large, in which case the SAP is insensitive to the number of authorized nodes g. In a networ with 4 authorized nodes and 9 compromised nodes, the SAP would be around 5%. Fig. (c shows the SAP for the smart attac of various numbers of compromised nodes and different total numbers of virtually fabricated nodes. The total number of authorized nodes is ept at 4. The node fabrication is achieved as follows. All the eys collected from the h compromised nodes will constitute a compromised ey pool. Then each fabricated node will be loaded with 83 eys randomly chosen from the compromised ey pool. A larger number of fabricated nodes increases the chance of such a node being chosen as a relay node, thus increasing SAP. A larger value of h leads to a larger compromised ey pool, which again increases the chance of a fabricated node serving as a qualified relay. Fig. (d shows the SAP under different numbers of captured nodes, for different inds of attacs as well as the estimation based on [] 3. The number of authorized nodes is fixed at 4. It is clear that the results in [] significantly underestimate the SAP in mobile networs. With a large enough number of compromised nodes, the SAP can easily reach an unacceptably high value of 5% with all attac models. IV. CONCLUDING REMARKS In this paper, we discuss the ey management in lightweight mobile ad hoc networs. Baced up by the large successful attac probabilities computed in this paper, we show that the probabilistic ey predistribution schemes are in fact quite vulnerable to node captures in many practical cases. Considering the large ey pool and ey ring sizes, complex ey predistribution, low networ connectivity, and complex pairwise lin establishments, the advantage of the probabilistic approach over the deterministic approach is not as much as people have believed. REFERENCES [] L. Eschenauer and V. D. Gligor, A ey-management scheme for distributed sensor networs, in CCS 2, New Yor, NY, 22, pp. 4 47. [2] R. D. Pietro, L. V. Mancini, and A. Mei, Random ey-assignment for secure wireless sensor networs, in SASN 3, New Yor, NY, 23, pp. 62 7. [3] H. Chan, A. Perrig, and D. Song, Random ey predistribution schemes for sensor networs, in IEEE Symposium on Security and Privacy, 23. [4] W. Du et al., A ey management scheme for wireless sensor networs using deployment nowledge, in INFOCOM 4, Hong Kong, Mar. 24. [5] J. Hwang and Y. Kim, Revisiting random ey pre-distribution schemes for wireless sensor networs, ACM worshop on Security of ad hoc and sensor networs, pp. 43 52, 24. [6] S. Zhu, S. Setia, and S. Jajodia, LEAP: efficient security mechanisms for large-scale distributed sensor networs, in CCS 3, New Yor, NY, 23, pp. 62 72. [7] J. Lee and D. Stinson, Deterministic ey predistribution schemes for distributed sensor networs, Selected Areas in Cryptography, 24. [8] S. A. Çamtepe and B. Yener, Key distribution mechanisms for wireless sensor networs: a survey, Rensselaer Polytechnic Institute, Computer Science Department, Tech. Rep. TR-5-7, Mar. 25, available at http://www.cs.rpi.edu/research/pdf/5-7.pdf. 3 When the networ is static, an adversary captures h nodes, then its successful attac probability on a lin is ( m h h m.