2. work controller is responsible for distributing
rekeying messages to the nodes in the group Data processing and
secured by encrypting them using the key management unit
encrypting key (KEK) [3]. Based on the security
requirement of the actual applications, a rekey-
ing process may be triggered to update the TEK
after each node attaches to or detaches from an Sensor field
active group session. This process ensures that a Internet/
new node cannot decrypt previous group mes- satellite
sages and prevents a detached node from eaves-
dropping on future group messages. Since each
network topology change triggers a new rekeying
process, the load of TEK refreshment messages
may degrade performance and scalability in case
of frequent network topology changes. Base station
Humidity sensor Temperature sensor
In this article we introduce two efficient self-
healing group-wise key schemes with time-limit-
ed node revocation, which ensures forward/ I Figure 1. The architecture of a wireless sensor network.
backward secrecy, certain collusion freedom, and
group confidentiality in high packet loss environ-
ments. Based on the dual directional hash chain ISSUES OF KEY MANAGEMENT IN WSNS
(DDHC) and hash binary tree (HBT), respec- Offering efficient key management in WSNs is
tively, the proposed schemes offer a practical challenging due to their constraints in hard-
seal-healing method and an implicit node revo- ware, deployment, network, and so on. The sen-
cation2 algorithm with lightweight computation sor network does not have fixed infrastructure
and communication overhead to cope with and contains a very large number of entities
dynamic network topology in WSNs. It is shown with high density. A WSN is usually deployed
that, comparing with existing schemes, the randomly; therefore, designing a security
DDHC/HBT mechanism can remarkably reduce scheme should not assume exact deployment
both the computation and communication over- knowledge of nodes. Sensor nodes may be
head at the GKM and the nodes, and thus deployed in public and hostile locations, and
improve the scalability and the performance of consequently exposed to physical attacks by an
the key distribution scheme. Furthermore, the adversary, who may undetectably capture a sen-
performance of the proposed schemes under sor node and compromise the secret keys. Base
poor broadcast channel condition is discussed. It stations in WSNs are centralized, powerful, and
is concluded that the proposed schemes can tol- expensive. It is tempting to rely on them too
erate high channel loss rate, and hence can much in functions. This may attract attacks on
make a good trade-off between performance and the base station and limit application of the
security. security protocol. There are also some limita-
The rest of this article is organized as follows. tions and impairments in physical design of the
We discuss the general issues in key manage- sensor node and wireless network environment,
ment in WSNs and related work. We introduce such as the imperfect wireless channel and lim-
the group-wise key distribution scheme based on ited bandwidth, memory resources, and compu-
the DDHC and the HBT, respectively. The secu- tation capacity. Therefore, some special security
rity and the performance evaluations are pre- and performance requirements should be
sented, followed by the conclusion. focused on in WSNs:
• Resilience against node capture: An adversary
RELATED WORK can mount a physical attack on a sensor node
after deployment. It is required to estimate
WSNs are often deployed in open and hostile the fraction of total network communications
environments, and thus are subjected to great compromised by such captured nodes.
security risks. In order to protect confidentiality • Resilience against node replication: An attack-
and integrity of the information, the sensor er may insert additional hostile nodes into a
nodes should be securely associated with the WSN. This is a serious attack since even a sin-
neighbouring nodes and/or data sink via encrypt- gle compromised node might allow an adver- 2 Node revocation can be
ed data link. Therefore, key management plays a sary to populate the network with a clone of described as follows. Let
critical role in establishing secure communica- the captured node to such an extent that legit- U be the set of all possible
tions in WSNs. The key management usually imate nodes could be outnumbered, and the group nodes, and a subset
includes the following three key distribution adversary can thus gain full control of the net- of U, R, be the set of
methods: key distribution, key agreement, and key work. revoked nodes. The group
predistribution. Traditional key distribution • Node revocation or participation: A new sen- node revocation is
schemes require a trusted server to establish sor may be deployed dynamically in a WSN, required to offer a secure
shared session keys between nodes. The key and a detected misbehaving node should also way for the GKM to trans-
agreement scheme is usually based on asymmet- be able to be removed dynamically from the mit rekeying messages
ric cryptography algorithms, which is not feasible system. over a broadcast channel
for resource constrained sensors. Presently, the • Scalability: When the number of sensors grows, shared by all nodes so that
only practical scheme for key management in security may be weakened. It is necessary to any nodes in R cannot
large sensor networks may be key predistribu- explore the maximum supported network size decrypt it, even when,
tion, where key information is installed in each for a given deployment policy, since different more strictly, they collude
sensor node prior to deployment. key deployment policies will result in different with each other.
IEEE Wireless Communications • October 2007 39
3. Forward hash Seed
chain (fwd) Node n
Recursive hash operation
Backward hash Seed
chain (bwd)
I Figure 2. Structure of dual directional hash chains.
network scales, which significantly impacts the possible to use an existing pair-wise key struc-
scalability of key schemes. ture to establish group-wise keys.
In practice, it is difficult to deal with all these The rekeying mechanism is another critical
constraints perfectly. A trade-off is usually made security function for group communications in
according to the actual application or purpose of WSNs. Inefficient rekeying eventually causes WSNs
the sensor network. to not work as planned. In order to tackle the scala-
bility problem of rekeying operation with highly
STUDY OF GROUP-WISE dynamic network topology, a number of efficient
approaches have recently been proposed (LKH [9],
KEY DISTRIBUTION SCHEMES Subset Difference [10], etc.). Considering the inter-
Due to the dynamic nature of group communica- dependency of rekeying messages, a group key dis-
tions, the group key needs to be not only estab- tribution scheme with revocation can be classified
lished at the initial phase but also refreshed into two distinct classes: stateful or stateless. In a
from time to time. Typically, the additional secu- stateful scheme [9], a legal node’s state in the cur-
rity requirements for group-wise key distribution rent rekey affects its ability to decrypt future group
schemes include [4]: keys. A stateless scheme relies only on the current
• Group confidentiality: Nodes that are not part rekeying message and the node’s initial configura-
of the group should not have access to any tion [11]. A non-revoked node can decrypt the new
key that can decrypt any data broadcasted to TEK independent of previous rekeying messages
the group. without contacting the GKM, even if the node is
• Forward secrecy: Nodes that detach from the offline for certain sessions. This property makes a
group should not have access to any future stateless scheme more useful in scenarios where
keys, which ensures that a detached node can- some nodes are not constantly online or suffer from
not decrypt further data. burst packet losses.
• Backward secrecy: A new node that attaches to The scheme with stateless node revocation
the session should not have access to any old was first investigated in [11], which requires
key, which ensures that a node cannot decrypt O(tn 2 logt) storage keys and O(t 2 nlog 2 t) mes-
data sent before it attaches to the group. sages, and allows the GKM to revoke any num-
• Collusion freedom: Any set of fraudulent nodes ber of nodes, while at most t of them could
should not be able to deduce the current collude to obtain the TEK. Subsequently, two
active TEK. stateless revocation schemes, CS and SD, were
In addition, the lossy channel usually causes proposed in [12]. Given N nodes with logN keys,
scheme failure if nodes cannot communicate the CS scheme can revoke any R nodes with
with the GKM due to communication interrup- O(Rlog(N/R)) messages. The SD scheme reduces
tion. The dynamics of the network topology also the message number to O(R), while the node
increase service disruption probability, since storage overhead is increased to O(log2(N)) with
some nodes may lose connections temporarily. O(logN) cryptographic operations.
Hence, it is required to offer a reliable rekeying The lossy channel usually results in scheme
process with minimum number and size of rekey- failure if nodes cannot communicate with the
ing messages. The rekey scheme should also GKM. The dynamics of the network topology also
require neither a large number of storage keys increase service disruption probability, since some
nor high computation overhead at the GKM or nodes may lose connection temporarily. There-
the nodes in the group. fore, in addition to node revocation capacity, some
A straightforward approach to key establish- recent work also addressed self-healing issue so
ment is to use the key distribution method on that a group node could recover the missed ses-
top of a pre-installed key in the sensor nodes to sion keys from the latest rekeying message on its
establish group-wise keys. A lightweight key own. Based on two-dimensional t-degree polyno-
management system [5] considered a WSN mials, Staddon et al. [13] first presented a self-
where a group of sensor nodes are deployed in healing group key distribution scheme, which was
different phases, and proposed a group-wise key further improved by Liu and Ning [14].
distribution scheme through links secured with
pair-wise keys. Other approaches include using
secure but costly asymmetric cryptography. SELF-HEALING GROUP-WISE KEY
Burmester-Desmedt [6] and IKA2 [7] used a DISTRIBUTION SCHEMES WITH
Diffie-Hellman-based group key transport proto-
col. These two algorithms were further improved TIME-LIMITED NODE REVOCATION
3 Due to page limits, we by ID-STAR [8], which adopted identity-based We introduce two efficient self-healing group key
go through the major fea- cryptography where sensor nodes’ public keys schemes with time-limited node revocation based
tures of the two schemes. can be derived from their identities. It is also on the DDHC and HBT. 3 It is defined that a
40 IEEE Wireless Communications • October 2007
4. A non-revoked node
S (0,0) can decrypt the new
TEK independently
from previous
re-keying messages
S (1,0) S (1,1)
without contacting
the GKM, even if the
node is off-line for
certain sessions.
S (2,0) S (2,1) S (2,2) S (2,3)
S (3,0) S (3,1) S (3,2) S (3,3) S (3,4) S (3,5) S (3,6) S (3,7)
TEK0 TEK1 TEK2 TEK3 TEK4 TEK5 TEK6 TEK7
I Figure 3. Example of a hash binary tree with D = 3.
sender may transmit a broadcast message to backward hash chains with size z + 1, respec-
receivers (group members) directly or indirectly, tively
and the life cycle of a wireless network is divided • Repeatedly applying the same one-way func-
into time intervals called sessions of fixed duration. tion on each seed to generate two hash chains
of equal length
DUAL DIRECTIONAL HASH CHAIN AND
Hash Binary Tree — The generation of an HBT
BINARY HASH TREE requires two (left and right) hash functions. The
We first introduce the concept of a one-way HBT in the proposed group-wise key distribution
hash function, which is the foundation of the scheme is constructed from a hash function
DDHC. A hash function Hash(.) takes a binary Hash(.) by applying one of two cyclic bit shift
string of arbitrary length as input, and outputs a functions, LeftShift(.) and RightShift(.) before the
binary string of fixed length. A one-way function hash function, that is, Hash(LeftShift(.)) and
H satisfies the following two properties: Hash(RightShift(.)). As shown in Fig. 3, it is an
• Given x, it is easy to compute y such that y = HBT with depth equal to 3. S(1,0) generated by
Hash(x). computing Hash(LeftShift(S(0,0))), and S(1,1) is
• Given y, it is computationally infeasible to generated by computing Hash(RightShift(S(0,0))).
compute x such that y = Hash(x). All other elements are generated similarly.
The security features of the proposed group-
wise key distribution schemes are based on the DDHC BASED GROUP-WISE
one-way property of the hash function.
KEY DISTRIBUTION SCHEME
Dual Directional Hash Chain — A one-way hash Initial System Setup — At the initial phase, the
chain, as illustrated by forward or backward hash GKM first selects a secret seed as the end ele-
chains in Fig. 2, is formed by recursively hashing ment of the RK chain. Then the GKM generates
x and lining them up in sequence. Let us take a one-way hash chain and uses the last hash
the forward hash chain as an example. Due to value as the first element of the RK chain, as
the one-way property of the hash function, given shown in Fig. 4. The length of the RK chain is
any point node n in the chain, it is computation- sufficient to cover the session line of the life
ally infeasible to calculate the elements on its cycle of the multicast group. The rekeying mes-
left, but easy to compute those on its right. sage is broadcast within the sensor network from
A DDHC (Fig. 2) is composed of two one- time to time. Each legitimate node within the
way hash chains of equal length, a forward hash multicast group is able to compute TEK, which
chain and a backward hash chain. It can be encrypts and decrypts the multicast messages
derived as follows: from the received RK. The GKM generates a
• Generating two random key seed values, seed sufficiently long DDHC chain, as shown in the
(fwd) and seed (bwd), for the forward and figure.
IEEE Wireless Communications • October 2007 41
5. At the initial phase, Forward hash Seed NF
the GKM first selects chain (fwd) t
Backward hash
a secret seed as the chain NB
t
Seed
(bwd)
end element of the Rekeying RKt RK seed
RK chain. Then the
Group user 0 1 ...... t1-1 t1 t2 t1+1
...... ...... z
GKM generates a life cycle
Time
one way hash chain
I Figure 4. Time-limited node revocation based on DDHC.
and uses the last
hash value as the A main or master KEK is shared between the ing if its hash value equals the previous RK.
GKM and each node for InitGroupKey message Such implicit authentication notably decreases
first element of the encryption and authentication. In order to per- the message size.
RK chain. form self-healing recovery of a rekeying mes-
sage, a node has a small buffer that can store up
In the rekeying phases, all RKs are released
to all nodes by the GKM in reverse order (i.e.,
to l RKs. Assume a node is legitimate between RKo will be released for session 0, RK1 for ses-
time window [t1, t2]. In the initiation stage, the sion 1, …, RK n for session n, etc.). Therefore,
GKM sends each sensor node the element in the given current RK j in the hash chain, nodes can
forward hash chain at time t1, the element in the only compute previous keys recursively. Since
backward hash chain at time t2, and the lth RK, most sensor nodes work in wireless and likely
which are encrypted by the corresponding KEK hostile environments, it is possible that a sensor
associated with the sensor node. node does not receive the RKs all the time. A
self-healing rekeying mechanism offers equiva-
Time-Limited Node Revocation Scheme — The applica- lent reliable RK transmission over a lossy broad-
tion of the DDHC in the time-limited node cast channel.
revocation mechanism is shown in Fig. 4. The Consider that each rekeying message con-
TEK at time t is composed by the corresponding tains only one RK in the current session.
elements in the forward hash chain, backward Although rekeying messages may be lost during
hash chain, and rekeying chain, transmission, self-healing can be achieved. The
lost RKs in previous rekeying messages can be
TEKt = f(NtF, NtB, RKt),
recovered using the one-way hash function and
where f(.) is a one way function. the last received RK. Consequently, the TEK
Due to the one-way property of the DDHC, a can be successfully derived by each node. Thus,
sensor node can only access the TEKs between the proposed self-healing scheme can efficiently
t1 and t2, since computing the TEK requires both tolerate high packet loss or error up to the size
corresponding elements in forward and back- of the RK buffer. On the other hand, if the
ward hash chains. The sensor nodes can feasibly channel condition is good but the application of
obtain both values within the time window [t1, t2] the sensor network is not delay-sensitive, receiv-
from information sent by the GKM in the initia- ing or sending the rekeying message every time
tion stage. For any time out of the time window, is not necessary, and energy consumption can
the sensor node cannot compute both elements be reduced.
in the DDHC; therefore, it cannot achieve the
TEK. Thus, an implicit time-limited node revo- HBT-BASED GROUP-WISE KEY DISTRIBUTION
cation is achieved. Each sensor node can only Earlier, we proposed a DDHC-based self-heal-
access a predefined contiguous range of the ing group key distribution scheme with time-lim-
TEKs between [t1, t2]. ited node revocation. To further improve the
During the system life cycle, when a node security and performance with high computation
attaches to an active group, the GKM assigns efficiency (fewer hash operations), here we pro-
the pair of the element in the forward hash pose a second scheme in which the HBT is
chain at t1 and the element in the backward hash adopted to generate all pre-assigned seeds. Each
chain at t2 to the new node according to its pre- TEK is linked to a leaf node in the HBT, and all
arranged life cycle [t1, t2]. Due to the property of leaf nodes are derived using a hash algorithm on
the DDHC, once the node’s life cycle is expired, these seeds.
it is forced to detach from the multicast session
without need for direct intervention of the GKM. Initial System Setup — The GKM generates an
HBT with the scale according to the maximum
Self-Healing Rekeying Mechanism — The GKM number, or life cycle, of the multicast session.
broadcasts the RK, which is encapsulated in the Without loss of generality, we assume that the
rekeying (RefreshKey) message at a defined time maximum number of group sessions, or life cycle
interval so that the legitimate sensor nodes are time unit, is m. Correspondingly, the depth of
able to renew the TEK. Due to the one-way the HBT is D = log 2 m. Then the derivation
property of the RK sequence, the RefreshKey algorithm of the HBT can be illustrated in detail
message does not need message authentication as follows.
code since the receiver can verify if the received The GKM randomly generates an initial seed
RK belongs to the same key sequence by check- S(0,0) that is sufficiently large (e.g., 256 bits).
42 IEEE Wireless Communications • October 2007
6. The GKM generates two left and right interme-
diate seeds in the first level by applying the left
PERFORMANCE EVALUATION OF PROPOSED if the channel
and right hash functions to the initial seed S(0,0), GROUP-WISE KEY DISTRIBUTION SCHEMES condition is good,
respectively, as shown earlier, repeatedly execut-
ing and operations until all seed values in the SECURITY PERFORMANCE EVALUATION but the application
tree depth D = log 2 m are generated. Each
TEK is related to a leaf node in the HBT, as We evaluate the proposed schemes to see if they of the sensor
demonstrated in Fig. 3. That is, TEK1 is associat- satisfy the security requirements for secure
ed with S(D,0), TEK 2 with S(D,1), and so on. group communications described earlier. The network is not delay
The HBT in Fig. 3 can satisfy a group communi-
cation with maximum eight sessions. All leaf
confidentiality of the key distribution informa-
tion is protected by the preshared key between
sensitive, receiving
nodes in the HBT can be derived by applying a the sensor nodes and the KGM. A sensor node or sending the
hash algorithm on the root seed value S(0,0) in not belonging to the group cannot generate an
the HBT. effective TEK even with the broadcast RK. re-keying message
The group key distribution mechanism in the
Time-Limited Node Revocation Mechanism — In the proposed schemes can ensure the refreshment of every time is not
group-wise key distribution scheme based on the the TEK by periodic rekeying when a node
HBT, TEKt at time t is composed by the corre- attaches to or detaches from an active group ses- necessary, and
sponding element of the leaf node in the HBT
and current RK,
sion. In the DDHC-based scheme, as indicated
in Fig. 4, a sensor node is restricted to access the
energy consumption
TEKt = f(S(D, t – 1), RKt),
group communication in the shaded range. The can be reduced.
forward hash chain guarantees backward secrecy.
where f is a one-way function. Therefore, the A new node that participates in the group com-
accessibility of a TEK can be controlled by munication at time t1 cannot calculate the previ-
knowledge of the elements of the leaf nodes. ous hash keys before time t 1 because of the
When a sensor node attaches to an active group, property of a one-way hash function. Similarly,
the GKM distributes the elements of the leaf the backward hash chain guarantees forward
nodes to the sensor nodes corresponding to the secrecy. Once a node detaches from the group
allowable time window [t1, t2]. session at time t2, it cannot compute the subse-
However, the distribution of sending each quent hash keys after time t2. TEKt is computed
element is not efficient for storage and wire- as the combination of corresponding elements in
less bandwidth. Since any node down a branch the forward hash chain, backward hash chain,
node can feasibly be computed as shown earli- and RK chain at time t. In the HBT-based
er, subtrees for a node with an allowable time scheme, subroot nodes only are sent to the sen-
window [t1, t2] need to be found that can cover sor node to generate subtrees. TEKt is computed
all the leaf nodes in the time window [15]. as the combination of the elements in the leaf
The pre-assigned seed set includes the sub- node in the subtrees and RK chain at time t.
root nodes in all such subtrees. All the leaf Within the allowable time window, the sensor
node seeds in the range of [ t 1 , t 2 ] c an be node has all the required information to com-
derived by repeatedly applying the hash func- pute the TEK, and is able to send and receive
tion on such pre-assigned seeds. For instance, multicast messages. It is not feasible for the sen-
as shown in Fig. 3, for a node with allowable sor node to compute the undistributed elements
time window [3, 6], the GKM will assign seeds in forward or backward hash chains, or the ele-
{S(2,1), S(2,2)} to this node via a secure chan- ment in the leaf node, respectively, in the time
nel. The GKM does not need to assign seeds out of the time window. Take the example in
{S(3,2), S(3,3), S(3,4), S(3,5)} to the node Fig. 3 and assume the allowable time window is
directly, since it can calculate these seeds by between 3 and 6. Due to the property of the
applying hash functions on {S(2,1), S(2,2)}. one-way function, the sensor node is not able to
Therefore, the storage requirement for the know S(2,1) from S(3,3). Therefore, it cannot
group node is greatly reduced. Once a group compute TEK 2 at S(3,2). Thus, both proposed
node’s life cycle is expired, it autonomously schemes meet the security requirements for for-
exits the group session without the GKM’s ward and backward secrecy with time-limited
direct intervention. node revocation.
Compared to the group-wise key distribution
Self-Healing Rekeying Mechanism — As described scheme based on the DDHC, the group-wise key
earlier, the self-healing method for group rekey- distribution scheme based on the HBT offers
ing distribution is based on a one-way hash stronger collusion freedom. In the DDHC-based
chain. Each legitimate node can derive the allow- scheme, a sensor node is able to compute part of
able time window as TEKt = f(S(D, t – 1), RKt). the elements in either a forward or backward
S(D, t – 1) does not need to be transmitted at hash chain beyond the time window [t1, t2]. For
each rekeying. Each node can individually com- example, sensor node A is assigned elements at
pute them according to the pre-assigned seeds the far right of the DDHC in Fig. 4, and sensor
and the current time. RKt is encapsulated in the node B is assigned elements at the far left of the
rekeying message, which is periodically sent by same DDHC. If they exchange the information
the GKM to all users. With a similar mecha- of the elements in the DDHC, sensor node A is
nism, self-healing can be achieved since the lost able to compute the whole forward hash chain
in RKs previous rekeying messages can be recov- using the information held by B, and B is able to
ered using the hash function and the latest compute the whole backward hash chain using
received RK. The TEK will be successfully the information held by A. On the other hand,
derived by each node on its own. the sensor node cannot determine the position
IEEE Wireless Communications • October 2007 43
7. 4.5 Maximum Minimum Average
pl=0.1
pl=0.2
pl=0.3 DDHC 2(m – 1) 2 O(m)
4 pl=0.4
pl=0.5
HBT log2m 1 O(log2m)
3.5
I Table 1. Computation overhead of the proposed
Communication cost
group-wise key distribution schemes.
3
2.5 tions is 2(m–1). Assume that the lifecycle of
each group node is uniformly distributed in [1,
m]. On the average, the computation overhead is
2 m – 1, that is, O(m). Therefore, the HBT based
algorithm has higher computation efficiency.
Table 2 shows a concise comparison among
1.5
the proposed schemes and other similar two self-
healing key distribution methods [13, 14] in
1 terms of communication and storage overhead.
1 2 3 4 5 6 7 8 9 10 Our schemes behave similar to the scheme in
Buffer length [14], and better than the scheme in [13] in stor-
age overhead. The broadcast communication
I Figure 5. Normalized communication costs vs. key buffer length. cost of the two proposed schemes is O(tlogq),
while the cost of the scheme in [13] is O((mt2 +
mt)log q), and that for [14] is O((mt + m + t)log
of the elements it received in the DDHC easily. q), where q is related to the number of revoked
Serious bleach of the DDHC requires the exact nodes, k is related to the time window, and m is
ones of many sensor nodes that are holding the the life cycle (total session number) of the group
information at the very ends of the DDHC. communication. Obviously, the communication
Therefore, in rare cases it is possible that two performance in our scheme is improved to a
sensor nodes could combine the information large extent, since the size of broadcast packet is
they have and get access to TEKs outside of reduced to O(t log q). Especially, the communi-
their allowable time window. In the HBT-based cation cost is independent of session number m.
scheme, any two nodes of the same level in the Thus, the optimized outcome is more distinct,
HBT are isolated by the one-way property of the especially when m becomes larger. The unicast
hash function. Therefore, a sensor node can only communication overhead follows the same trend.
compute the elements in those leaf nodes that Table 2 indicates that the two proposed schemes
are derivable from the seeds the sensor has perform better in communication and storage
received. Sensor nodes are no longer able to overhead than the two schemes in [13, 14] do.
cooperate with each other to access TEKs Additionally, the proposed HBT-based
beyond the allowable time window. scheme reduces the communication and storage
overheads without sacrificing any security prop-
OVERHEAD PERFORMANCE EVALUATION erty. However, the HBT is a two-dimensional
Besides the security requirements, we discuss the data structure, so its implementation is expected
operation overhead in terms of storage, compu- to be a bit more complex than that of the
tation, and communication. The computation DDHC-based scheme.
overhead comparison is shown in Table 1. For The effectiveness of the self-healing mecha-
each group node in the HBT, the minimum nism is also evaluated. Since both schemes share
number of hash operations is 1, while the maxi- a similar concept, we focus on the scheme based
mum number of hash operations is log 2 m, on the DDHC. We first discuss the relationship
since the maximum depth of the HBT is log2m. between RK buffer size and communication
On average, the computation overhead is overhead between the GKM and nodes, as
O(log 2 m). Accordingly, for the DDHC based shown in Fig. 5 with packet loss rate varying
scheme, the minimum number of hash operation from 0.1 to 0.5. It can be seen that the key buffer
is 2, while the maximum number of hash opera- length in each node determines the communica-
Communication Communication overhead Implementation
Storage overhead
overhead (broadcast) (unicast) complexity
HBT Low Low Low Medium
DDHC Low Low Low Low
[13] High High High —
[14] Low Medium Low —
I Table 2. Storage/communication overhead and implementation complexity.
44 IEEE Wireless Communications • October 2007
8. tion cost. A larger RK buffer can significantly
reduce the communication overhead. Figure 6 1.8
pl=0.1
depicts the computation cost as a function of the pl=0.2
RK buffer length, where path loss pl varies from 1.7 pl=0.3
pl=0.4
0.1 to 0.5 for n = 500. It can be seen that the pl=0.5
computation cost of each node is low, since it
1.6
only computes less than two hash functions per
RK refreshment even in the worst case, pl = 0.5.
Computation cost
From Figs. 5 and 6, the desirable number of 1.5
RK buffers should be greater than 10 so that the
normalized communication or computation cost 1.4
is lower and in the range of 1~1.5, which indi-
cates that the proposed scheme is efficient in
1.3
terms of communication and computation over-
head, even in high packet loss or error rate envi-
ronments. 1.2
CONCLUSION 1.1
We have proposed two novel group-wise key dis- 1
tribution schemes based on the DDHC and HBT, 2 4 6 8 10 12 14 16 18
respectively, for secure group communications in Buffer length
WSNs. The proposed schemes offer self-healing
group key distribution, which features periodic
I Figure 6. Computation costs vs. key buffer length.
rekeying with implicit authentication and effi-
cient tolerance for lost rekeying messages; and
time-limited group node revocation so that for- [11] A. Fiat and M. Naor, “Broadcast Encryption,” Proc.
ward and backward secrecy can be ensured. Per- Advances in Cryptology ’93, vol. 773, 1994, pp. 480–91.
[12] D. Naor, M. Naor, and J. Lotspiech, “Revocation and Trac-
formance and security evaluations demonstrate ing Schemes for Stateless Receivers,” Proc. Advances in
that storage, computation, and communication Cryptology ’01), LNCS 2139, 2001, pp. 41–62.
overheads of the two proposed schemes are quite [13] J. Staddon et al., “Self-Healing Key Distribution with
low. The HBT-based key distribution scheme has Revocation,” Proc. IEEE Symp. Sec. and Privacy, 2002,
pp. 241–57.
stronger collusion resistance capability with a [14] D. Liu, P. Ning, and K. Sun, “Efficient Self-Healing
slight increase of implementation complexity as Group Key Distribution with Revocation Capability,”
the trade-off. Both group-wise key distribution Proc. 10th ACM CCS, 2003, pp. 231–40.
schemes are suitable for WSNs with frequent [15] Y. Jiang et al., “Hash-Binary-Tree Based Group Key Dis-
tribution with Time-Limited Node Revocation,” Tech.
dynamic network topology changes. rep., 2006.
ACKNOWLEDGMENT
This research has been supported in part by the
BIOGRAPHY
M INGHUI S HI (mshi@bbcr.uwaterloo.ca) received a B.S.
NSFC under contracts no.60573144, 60218003, degree (1996) from Shanghai Jiao Tong University, China,
60429202, 60673187, 60432030, and 90412012, and an MASc. degree (2002) and a Ph.D. degree (2006)
Intel IXA University Research Plan, and a grant from the University of Waterloo, Ontario, Canada, all in
electrical and computer engineering. He is currently with
from the Natural Sciences and Engineering McMaster University, Ontario, Canada as an NSERC post-
Research Council of Canada (NSERC) Postdoc- doctoral fellow and a research associate with the Centre
toral Fellowship. for Wireless Communications, University of Waterloo. His
current research interests include network security and
mobility management in wireless LAN/cellular network inte-
REFERENCES gration, vehicular communications networks, and delay-tol-
[1] I. F. Akyildiz et al., “A Survey on Sensor Networks,” IEEE erant networks.
Commun. Mag., vol. 40, 2002, pp. 102–14.
[2] H. Harney and C. Muckenhirn, “Group Key Manage- YIXIN JIANG (yxjiang@csnet1.cs.tsinghua.edu.cn) received a
ment Protocol (GKMP) Specification,” RFC 2093, 1997. Ph.D. degree (2006) from Tsinghua University, China. and
[3] H. Harney and C. Muckenhirn, “Group Key Manage- an M.E. degree (2002) from Huazhong University of Sci-
ment Protocol (GKMP) Architecture,” RFC 2094, 1997. ence and Technology, both in computer science. In 2005
[4] Y. Challal and H. Seba, “Group Key Management Proto- he was a visiting scholar with the Department of Computer
cols: A Novel Taxonomy,” Int’l. J. Info. Tech., vol. 2, Sciences, Hong Kong Baptist University. His current research
2005, pp. 105–19. interests include security and performance evaluation in
[5] B. Dutertre, S. Cheung, and J. Levy, “Lightweight Key wireless communication and mobile computing. He has
Management in Wireless Sensor Networks by Leverag- published more than 20 papers in research journals and
ing Initial Trust,” Tech. rep., vol. SRI-SDL-04-02, 2004. IEEE conference proceedings in these areas.
[6] M. Burmester and Y. Desmedt, “A Secure and Efficient Con-
ference Key Distribution System,” Eurocrypt ’94, 1994. XUEMIN (SHERMAN) SHEN (xshen@bbcr.uwaterloo.ca) received
[7] M. Steiner, G. Tsudik, and M. Waidner, “Key Agreement a B.Sc. (1982) degree from Dalian Maritime University,
in Dynamic Peer Groups,” IEEE Trans. Parallel and Dis- China, and M.Sc. (1987) and Ph.D. degrees (1990) from
trib. Sys., 2000. Rutgers University, New Jersey, all in electrical engineering.
[8] D. Carman, B. Matt, and G. Cirincione, “Energy-Efficient He is with the Department of Electrical and Computer
and Low-Latency Key Management for Sensor Net- Engineering, University of Waterloo, Canada, where he is a
works,” 23rd Army Sci. Conf., 2002. professor and the associate chair for graduate studies. His
[9] C. K. Wong, M. G. Gouda, and S. S. Lam, “Secure research focuses on mobility and resource management in
Group Communications Using Key Graphs,” IEEE/ACM interconnected wireless/wireline networks, UWB wireless
Trans. Net., vol. 8, 2000, pp. 16–30. communications systems, wireless security, and ad hoc and
[10] Y. Nakamura and H. Kikuchi, “Efficient Key Management sensor networks. He is a coauthor of two books, and has
Based on the Subset Difference Method for Secure Group published more than 200 papers and book chapters on
Communication,” Proc. 19th Int’l. Conf. Advanced Info. wireless communications and networks, control, and filter-
Net. and Apps., vol. 1, 2005, pp. 707–12. ing. He serves as Technical Program Committee Chair for
IEEE Wireless Communications • October 2007 45
9. IEEE GLOBECOM ’07, General Co-Chair for Chinacom ’07 CHUANG LIN [SM] (clin@csnet1.cs.tsinghua.edu.cn) is a pro-
and QShine ’06, and is Founding Chair of the IEEE Commu- fessor of the Department of Computer Science and Tech-
nications Society Technical Committee on P2P Communica- nology, Tsinghua University, Beijing, China. He received a
tions and Networking. He also serves as a Founding Area Ph.D. degree in computer science from Tsinghua University
Editor for IEEE Transactions on Wireless Communications; in 1994. His current research interests include computer
Editor-in-Chief for Peer-to-Peer Networking and networks, performance evaluation, network security analy-
Application; and as an Associate Editor for IEEE Transac- sis, and Petri net theory and its applications. He has pub-
tions on Vehicular Technology, KICS/IEEE Journal of Com- lished more than 260 papers in research journals and IEEE
munications and Networks (on computer networks); conference proceedings in these areas, and has published
ACM/Wireless Networks; and Wireless Communications and three books. He is the Chinese Delegate in TC6 of IFIP. He
Mobile Computing (Wiley). He has also served as Guest serves as Technical Program Vice Chair for the 10th IEEE
Editor for IEEE JSAC, IEEE Wireless Communications, and Workshop on Future Trends of Distributed Computing Sys-
IEEE Communications Magazine. He received the Excellent tems; General Chair, ACM SIGCOMM Asia Workshop 2005;
Graduate Supervision Award in 2006 and the Outstanding Associate Editor, IEEE Transactions on Vehicular
Performance Award in 2004 from the University of Water- Technology; Area Editor, Journal of Computer Networks,
loo, the Premier’s Research Excellence Award (PREA) in and Area Editor, Journal of Parallel and Distributed Com-
2003 from the Province of Ontario, Canada, and the Distin- puting.
guished Performance Award in 2002 from the Faculty of
Engineering, University of Waterloo. He is a registered Pro-
fessional Engineer of Ontario, Canada.
46 IEEE Wireless Communications • October 2007