Random Key Predistribution Schemes for Sensor
Networks
1
Haowen Chan Adrian Perrig Dawn Song
21 April 2003
CMU-CS-02-207
School of Computer Science
Carnegie Mellon University
Pittsburgh, PA 15213
Abstract
Key establishment in sensor networks is a challenging problem because asymmetric key cryptosystems are
unsuitable for use in resource constrained sensor nodes, and also because the nodes could be physically
compromised by an adversary. We present three new mechanisms for key establishment using the frame-
work of pre-distributing a random set of keys to each node. First, in the q-composite keys scheme, we
trade off the unlikeliness of a large-scale network attack in order to significantly strengthen random key
predistribution’s strength against smaller-scale attacks. Second, in the multipath-reinforcement scheme,
we show how to strengthen the security between any two nodes by leveraging the security of other links.
Finally, we present the random-pairwise keys scheme, which perfectly preserves the secrecy of the rest of
the network when any node is captured, and also enables node-to-node authentication and quorum-based
revocation.
1
We gratefully acknowledge funding support for this research. This work was made possible in part by a gift from Bosch
Research. This paper represents the opinions of the authors and does not necessarily represent the opinions or policies, either
expressed or implied, of Bosch Research.
Keywords: Sensor network, key distribution, random key predistribution, key establishment, node
revocation, authentication.
1 Introduction
Wide-spread deployment of sensor networks is on the horizon. Networks of thousands of sensors may
present an economical solution to some of our challenging problems: real-time traffic monitoring, build-
ing safety monitoring (structural, fire, and physical security monitoring), military sensing and tracking,
distributed measurement of seismic activity, real-time pollution monitoring, wildlife monitoring, wildfire
tracking, etc. Many applications are dependent on the secure operation of a sensor network, and have
serious consequences if the network is compromised or disrupted.
In sensor network security, an important challenge is the design of protocols to bootstrap the estab-
lishment of a secure communications infrastructure from a collection of sensor nodes which may have
been pre-initialized with some secret information but have had no prior direct contact with each other.
We refer to this problem as the bootstrapping problem. A bootstrapping protocol must not only enable a
newly deployed sensor network to initiate a secure infrastructure, but it must also allow nodes deployed
at a later time to join the network securely. The difficulty of the bootstrapping problem stems from the
numerous limitations of sensor networks. We discuss these limitations in detail in Section 2.2; some of the
more important ones include the inability to utilize existing public key cryptosystems (since the expen-
sive computations involved could expose the power-constrained nodes to a denial-of-service attack), the
inability to pre-determine which nodes will be neighbors after deployment, and the inability of any node
to put absolute trust in its neighbor (since the nodes are not tamper resistant and are vulnerable to physical
capture).
Eschenauer and Gligor recently proposed a random key predistribution scheme to address the boot-
strapping problem. Its operation is briefly described as follows. A random pool of keys is selected from
the key space. Each sensor node receives a random subset of keys from the key pool before deployment.
Any two nodes able to find one common key within their respective subsets can use that key as their
shared secret to initiate communication [10]. We review their approach (which we call the basic random
key scheme) in Section 4.
In this paper, we propose three new mechanisms in the framework of random key predistribution to
address the bootstrapping problem. First, we propose the q-composite random key predistribution scheme,
which achieves greatly strengthened security under small scale attack while trading off increased vulnera-
bility in the face of a large scale physical attack on network nodes. We will explain why this trade-off is a
desirable one. Second, we present the multi-path key reinforcement scheme, which substantially increases
the security of key setup such that an attacker has to compromise many more nodes to achieve a high
probability of compromising any given communication. Finally, we propose the random-pairwise keys
scheme, which assures that, even when some number of nodes have been compromised, the remainder of
the network remains fully secure. Furthermore, this scheme enables node-to-node mutual authentication
between neighbors and quorum-based node revocation without involving a base station. Node-to-node
mutual authentication here refers to the property that any node can ascertain the identity of the nodes that
it is communicating with.
To the best of our knowledge, no previous security scheme for sensor networks supports efficient node-
to-node authentication without involving a base station. We give a detailed analysis of each proposed
scheme and show under which situations our schemes can be used to achieve maximum security.
The remainder of the paper is organized as follows. We describe the problem area and present evalu-
ation criteria for successful bootstrapping protocols in Section 2. We summarize our notation in Section
3. We then give an overview of the basic random key scheme by Eschenauer and Gligor in Section 4.
We describe our q-composite random key predistribution scheme in Section 5, and our multi-path key
reinforcement scheme in Section 6. We present our third scheme, the random-pairwise keys scheme in
Section 7. Finally, we discuss related work in Section 8, and summarize our results in Section 9.
2 Problem statement and evaluation metrics
In this section, we first discuss the topology and architecture of a typical sensor network. We then list the
technical properties of typical sensor networks that makes the bootstrapping problem a challenge. Finally,
we present the goals and evaluationmetrics for a successful sensor network security bootstrapping scheme.
2.1 Sensor network architecture
A typical sensor network has hundreds to several thousand sensor nodes. Each sensor node is typically
low-cost, limited in computation and information storage capacity, highly power constrained, and com-
municates over a short-range wireless network interface. Most sensor networks have a base station that
acts as a gateway to associated infrastructure such as data processing computers. Individual sensor nodes
communicate locally with neighboring sensors, and send their sensor readings over the peer-to-peer sensor
network to the base station. Sensors can be deployed in various ways, such as physical installation of each
sensor node, or random aerial scattering from an airplane. In this paper we assume that any sensor network
is only deployed by a single party, i.e. sensor nodes deployed by multiple independent untrusted parties
are not part of the same network.
Generally, sensor nodes communicate over a wireless network. A typical sensor network forms around
one or more base stations, which connect the sensor network to the outside network.
The communication patterns within a sensor network fall into three categories: node to node commu-
nication (e.g., aggregation of sensor readings), node to base station communication (e.g., sensor readings),
base station to node communication (e.g., specific requests).
An example of a sensor node’s hardware configuration is the Berkeley Mica Motes. They feature
a 8-bit 4 MHz Atmel ATmega 128L processor with 128K bytes program store, and 4K bytes SRAM.
The processor only supports a minimal RISC-like instruction set, without support for multiplication or
variable-length shifts or rotates. The ISM band radio receiver communicates at a peak rate of 40Kbps at a
range of up to 100 feet.
The deployment density and the overall size of the network can vary depending on the application. In
this paper, we are examining very large sensor networks (> 1000 nodes) with a sizable communication
range (> 20 neighboring nodes within communication range) and possibly multiple base stations. We
focus on large networks because they cannot rely on existing non-scalable solutions for small networks
such as base-station authentication. Due to their smaller overall statistical variance, they are uniquely
suited to the random key approaches that we propose in this paper.
2.2 Sensor network limitations
The following characteristics of sensor networks complicate the design of secure protocols for sensor net-
works, and make the bootstrapping problem highly challenging. We discuss the origins and implications
of each factor in turn.
• Impracticality of public key cryptosystems. The limited computation and power resources of sensor
nodes often makes it undesirable to use public-key algorithms, such as Diffie-Hellman key agree-
ment [9] or RSA signatures [21]. Currently, a sensor node may require on the order of tens of
seconds up to minutes to perform these operations [7, 8]. This exposes a vulnerability to denial of
service (DoS) attacks.
• Vulnerability of nodes to physical capture. Sensor nodes may be deployed in public or hostile
locations (such as public buildings or forward battle areas) in many applications. Furthermore, the
large number of nodes that are deployed implies that each sensor node must be low-cost, which
makes it difficult for manufacturers to make them tamper-resistant. This exposes sensor nodes to
physical attacks by an adversary. In the worst case, an adversary may be able to undetectably take
control of a sensor node and compromise the cryptographic keys.
• Lack of a-priori knowledge of post-deployment configuration. If a sensor network is deployed via
random scattering (e.g. from an airplane), the sensor network protocols cannot know beforehand
which nodes will be within communication range of each other after deployment. Even if the nodes
are deployed by hand, the large number of nodes involved makes it costly to pre-determine the
location of every individual node. Hence, a security protocol should not assume prior knowledge of
which nodes will be neighbors in a network.
• Limited memory resources. The amount of key-storage memory in a given node is highly con-
strained; it does not possess the resources to establish unique keys with every one of the other nodes
in the network.
• Limited bandwidth and transmission power. Typical sensor network platforms have very low band-
width. For example, the UC Berkeley Mica platform’s transmitter has a bandwidth of 10 Kbps, and
a packet size of about 30 bytes. Transmission reliability is often low, making the communication of
large blocks of data particularly expensive.
• Over-reliance on base stations exposes vulnerabilities. In a sensor network, base stations are few
and expensive. Hence it may be tempting to rely on them as a source of trust. However, this invites
attack on the base station and limits the application of the security protocol.
2.3 The problem of bootstrapping security in sensor networks
Based on the limitations described in Section 2.2, a bootstrapping scheme for sensor networks needs to
satisfy the following requirements:
• Deployed nodes must be able to establish secure node-to-node communication.
• The scheme should be functional without involving the base station as an arbiter or verifier.
• Additional legitimate nodes deployed at a later time can form secure connections with already-
deployed nodes. This implies that bootstrapping information must always be present and cannot
simply be erased after deployment to prevent compromise in the event of capture.
• Unauthorized nodes should not be able to establish communications with network nodes and thus
gain entry into the network.
• The scheme must work without prior knowledge of which nodes will come into communication
range of each other after deployment.
