ecce: enhanced cooperative channel establishment for secure pair-wise communication in wireless...

Ad Hoc Networks 5 (2007) 49–62

www.elsevier.com/locate/adhoc

ECCE: Enhanced cooperative channel establishment forsecure pair-wise communication in wireless sensor networks q

Mauro Conti *, Roberto Di Pietro, Luigi V. Mancini

Universita di Roma ‘‘La Sapienza’’, Dipartimento di Informatica, Via Salaria 113, 00198-Roma, Italy

Available online 28 June 2006

Abstract

This paper presents the ECCE protocol, a new distributed, probabilistic, cooperative protocol to establish a secure pair-wise communication channel between any pair of sensors in a wireless sensor network (WSN). The main contributions ofthe ECCE protocol are: to allow the set-up of a secure channel between two sensors (principals) that do not share anypre-deployed key. This feature is obtained involving a set of sensors (cooperators) in the channel establishment protocol;to provide probabilistic authentication of the principals as well as the cooperators. In particular, the probability for theattacker to break authentication check decreases exponentially with the number of cooperators involved; to trade offthe memory space required to store the pre-deployed encryption keys with the number of cooperators involved in the pro-tocol. Hence, memory storage can be used to store keys built with the ECCE protocol, which helps amortizing the (limited)overhead incurred in the ECCE key set-up; to be adaptive to the level of threat the WSN is subject to. We provide ana-lytical analysis and extensive simulations of ECCE, which show that the proposed solution increases both the probabilityof a secure channel set-up and the probability of channel resilience with respect to other protocols.� 2006 Elsevier B.V. All rights reserved.

Keywords: Wireless sensor networks; Key distribution and management; Authentication; Probabilistic key sharing; Cooperation

1. Introduction

A wireless sensor network (WSN) is a collectionof sensors whose size can range from a few hundred

1570-8705/$ - see front matter � 2006 Elsevier B.V. All rights reserved

doi:10.1016/j.adhoc.2006.05.013

q This work was partially supported by the WEB-MINDSproject from the Italian MIUR under the FIRB program.Roberto Di Pietro was partially founded with a Post-Doc grantfrom CNR-ISTI, Pisa, in the framework of the ‘‘SatNEx’’ NoEproject (Contract No. 507052).

* Corresponding author. Tel.: +39 06 49918421; fax: +39 068541842.

E-mail addresses: [email protected] (M. Conti), [email protected] (R. Di Pietro), [email protected] (L.V.Mancini).

sensors to a few hundred thousand or possiblymore. Sensors do not rely on any pre-deployednetwork architecture, thus they communicate viaan ad-hoc wireless network. The power supply ofeach individual sensor is provided by a battery,hence both communication and computation activ-ities must be optimized. Distributed in irregularpatterns and left unattended, sensors should auton-omously aggregate into collaborative, peer-to-peernetworks. Sensors networks must be robust andsurvivable in order to overcome individual sensorfailure due to either malicious (e.g. destruction) ornon-malicious (e.g. battery depletion) events. AWSN can be deployed in both military and civil

.

mailto:[email protected]

mailto:dipietro@ di.uniroma1.it

mailto:dipietro@ di.uniroma1.it

mailto:[email protected]

50 M. Conti et al. / Ad Hoc Networks 5 (2007) 49–62

scenarios [1]. For instance, it could be used: to pro-vide a relay network for tactical communications inthe battlefield; to collect data from a field in order toreveal the presence of toxic gases; to facilitate rescueoperations in wide open hostile areas; to fulfillperimeter surveillance duties; to operate in harshenvironments for commercial purposes.

WSNs are expected to be the basic building blockof pervasive computing environments, hence estab-lishing secure pair-wise communications could beuseful for many applications. In particular, it is apre-requisite for the implementation of secure rout-ing, and can be useful for secure group communica-tions. Further, secure pair-wise communicationallow in-network processing [25], or facilitate theestablishment of a cluster key, hence enablingpassive participation, in which a sensor can take cer-tain actions based on overheard messages. It waspointed out in [21,1,5], that asymmetric cryptogra-phy such as RSA or elliptic curve cryptography(ECC) is unsuitable for most sensor architecturesdue to high energy consumption and increased codestorage requirements. However, it is worth noticingthat evolution in technology allows to sparingly useasymmetric cryptography for a certain class ofWSN [24]. For instance, in [20] the authors devisea protocol that, with the seldom use of ECC,thwarts the replication attack [19,13]. However, itseems reasonable that there will be always someclasses of WSNs in which asymmetric cryptographywould rise an unfeasible cost due to either energyconsumption or memory constraints. Indeed, asfor energy consumption, in a mobile WSN if wehave a secure key establishment protocol based onECC whenever two sensors wants to agree on ashared key for the first time, this would put highrequirements on battery consumption. As formemory, it seems unfeasible that any node couldhost the public keys of all the other nodes in the net-work (for instance, the Mica mote is equipped witha 8 bit 4 MHz processor and has 4 kB of RAM and128 kB of flash RAM only). Note that the con-straint on memory stands even in a static WSN.Hence, while solutions that intend to addressspecific problems can directly benefit of the spar-ingly use of EEC [20], building communicationchannels on symmetric algorithms, which are threeorder of magnitude more efficient than ECC [24],is still an attractive research field [5,22].

This paper presents the ECCE protocol, a newprotocol to establish a secure pair-wise communica-tion channel between any pair of sensors in the

WSN. The ECCE protocol can be classified as prob-abilistic and cooperative. Unlike other protocols forchannel establishment, ECCE allows to establish asecure channel between sensors that do not shareany key, involving a set of cooperating sensors(cooperators) which are not required to share akey with both principals. The same feature is notpresent in actual protocols such as Multipath KeyReinforcement [6] and Cooperative [10]. The over-head required is limited and it is sustained just onceduring the sensor life-time. ECCE shows better per-formance in channel existence and channel resiliencethan existing protocols. The Protocol also guaran-tees implicit and probabilistic mutual authenticationof principals and cooperators without any addi-tional overhead and without the presence of a basestation. Further, the proposed protocol could beused also between sensors that already share somesecret keys to increase the resilience of these sharedkeys. The proposed protocol is also adaptive to therequired security level: to achieve an higher level ofsecurity, it suffices to involve an higher number ofcooperators in the channel set-up. Finally, the pro-tocol allows to trade off the memory required tostore pre-deployed keys with cooperators. In partic-ular, it is possible to set the number of cooperatorsin order to have a reduced key ring that provides thesame level of security and the same probability ofchannel existence of solutions that involve no coop-erators but a larger key ring size. For example,choosing a pool of size 1.000, a key ring of size12, and involving 8 cooperators, provides the sameprobability of channel existence of a scenario inwhich every sensor has 20 pre-deployed keys butthere are no cooperators. As for resiliency, with apool of size 10.000, a key ring of size 100 and 8cooperating sensors, the attacker is required to cap-ture 110 sensors to corrupt a channel, while with thesame parameters, but with no cooperators, theattacker has to corrupt only 75 sensors to corruptthe channel. Note that reducing the key ring sizeprovides the possibility for sensors to store thecooperative keys set-up with the ECCE protocol.Analytical and experimental results show that theECCE protocol has better performance than theother protocols as for channel existence and channelresiliency to the attacker.

The remainder of this paper is organized asfollows. In Section 2, we review the current contri-butions in the field. In Section 3, we report somepreliminaries and define our system assumptions.In Section 4, we describe the ECCE protocol, while

M. Conti et al. / Ad Hoc Networks 5 (2007) 49–62 51

in Section 5, we analyze the probability to establisha secure channel and the resilience of the establishedchannel.

2. Related work

Some research focus on key establishment proto-col for WSN based on centralized solution. Exam-ples of centralized protocols include [9,17,21].Centralized protocols assume the presence of a BaseStation (BS), which takes part in the process ofestablishing a pair-wise key between pairs of sen-sors. This kind of solution has some drawbacks,for instance the energy consumption experiencedby the nodes close to the BS, and the presence ofa single point of failure. Other research focus on dis-tributed solution for pair-wise keys establishment.To better refine this classification, we can distin-guish between deterministic and probabilistic solu-tions. As for deterministic solutions one can see[18,22,5]. However, each of these solutions sufferof a specific type of problem. In [18], the attackeronly needs to corrupt a constant number of nodesto disrupt the confidentiality of the whole network.In [22], the authors recognise that given a fixed key-ring size, this limits the number of sensors in the net-work. Finally, in [5], each sensor is required to storeO

ffiffiffiffiNp� �

keys; moreover, the number of sensors thatbelong to the same WSN (that is N) must be knownat design time. As for probabilistic solutions, theidea of probabilistic key sharing for WSN was firstlyintroduced in [15]. In the proposed solution, each ofthe N sensors of the WSN is assigned k symmetricencryption keys randomly selected without replace-ment from a common Pool of P keys (key

pre-deployment phase). When two sensors need tocommunicate securely, they must first find outwhich keys (if any) of the Pool they share (shared-key discovery phase). Then, they compute a commonkey as a function of the shared keys (pairwise-key

establishment phase). This latter key is used to securethe channel by using a symmetric key encryptionalgorithm. Recent solutions based on pseudo-ran-dom key assignment were presented in [6,26,14],[18,10,11]. However, these solutions show limitedresiliency to tampering, as highlighted in [11,8], orjust require cooperating nodes to share a key withboth principals. For the shared-key discovery phasedifferent mechanisms have been proposed. In [15],the challenge-response and key index notificationare proposed. With k keys stored in each sensor,the challenge-response requires sending and receiv-

ing k messages, to perform k encryption and, inthe worst case, k2 decryption. With the pseudo-ran-dom key index transformation proposed in [26], nomessage exchange are needed between sensors thatwant to establish a secure channel. Moreover, theattacker can compute the IDs of the keys storedby each sensor just acquiring the sensor ID; thissolution shows a weakness similar to that in [15]and above exposed. The problem related to theinformation leakage of the keys’ ID is solved in[11,8]. Here the authors introduce a mechanism(ESP) that requires no message exchange for theshared-key discovery phase and reveals to theattacker no information about the keys it does nothold yet. Further, ESP provides probabilistic nodeauthentication: a sensor can prove its identity byproving knowledge of the keys it is supposed tohold. The Efficient and Secure Pre-deployment

(ESP) scheme works as follows. Consider a sensora. For every key kP

i of the pool, compute z ¼fyðakkP

i Þ, where fy is a pseudo-random function, thatis an efficient (deterministic) algorithm which givenan h-bit seed, y, and an h-bit argument, x, returnsan h-bit string, denoted fy(x), so that it is infeasibleto distinguish the responses of fy, for a uniformlychosen y, from the responses of a truly randomfunction. Then, put kP

i into the key ring of a, ifand only if z � 0 mod (jPj/k). ESP supports a veryefficient key discovery procedure. Consider a sensorb that is willing to know which keys it shares withsensor a. For every key kb

j in the key ring of b sensorb computes z ¼ fyðakkb

j Þ. Then, by testing z � 0 mod(jPj/k), b discovers whether sensor a also has key kb

j

or not. Indeed, whoever already knows key kPi is the

only one who can know whether kPi is in the key ring

of a or not. This is computationally impossible forall other entities, since fy, being a pseudo-randomfunction, is also one-way and thus hard to invert[16]. For this reason, from the ID of a node anattacker cannot acquire neither the keys stored bythis node, nor the corresponding key indexes: fy(x)is applied to the actual value of the key, not to thecorresponding key index. This kind of ID-basedsecurity could be twarthed only with the randomcapture of a large number of nodes (as shownlater in this paper) or via a node replication attack[7]. Finally, it is important to note that anotherproperty a WSN is required to enforce is connec-tivity. The connectivity problem was initiallyaddressed in [15]; however, recent work [12] hasrevised and extended the model of connectivity inWSN.


3. Preliminaries and assumptions

This section reports the notation and theassumptions that will be used in the following.For clarity, in Table 1 we list the symbols usedin the paper.

3.1. Security requirements and threat model

We assume the following working hypothesis:

• Communication infrastructure: We assume anunderlying routing mechanism such that any nodecan send a message (leveraging multi-hop) to anyother node in the network. An example of such aglobally addressable communication infrastruc-ture is in [4].

• Sensors are Randomly scattered in an unattendedand often adversarial environments. To preservetheir low cost, as well as to save power [3], theyare not tamper proof [25]. Hence, we can assumethat sensors can be physically captured and theattacker can acquire all the information storedwithin captured sensors.

• Good security engineering practice [2]: The algo-rithms, protocols and mechanisms that areemployed to secure the WSN are publicly known.Only the keys in the sensors’ key rings and in thePool are initially secret. Moreover, the crypto-graphic primitives that are employed are at leastcomputationally secure.

• Attacker model: We assume the strong node-com-promise attacker model adopted in [5]. Specifi-

Table 1Summary of the notation

N Number of seP Size of the Pok Number of kC Set of coopera, b Principalsci ith cooperatinw Number of coka

i ith key assignkh,l Key betweenKh,l Key computeKC

h;l Key computeKC

h;l Key computeEk(x) Encryption oDkðxÞ ¼ E�1

k ðxÞ Decryption oH(x) Hash functionDH(x) Hash functionLS(x) Less significaMS(x) Most significa

cally, we assume that the attacker is capable ofcompromising a fraction of the total number ofnodes in the network and exposing the secretinformation contained within them. There canbe two forms of node compromise. In passive

node compromise we assume that after node com-promise, the attacker can only launch passiveattacks such as eavesdropping. In active node

compromise we assume that the attacker is alsoable to perform active attacks such as providingfalse routing metrics through the compromisednode. We assume that the goal of the adversaryis the exposure of the keys stored within thesensors, including those established with theECCE protocol.

• Channel establishment: The ECCE protocolrequires three phases, that is, key pre-distribu-tion, shared-key discovery and channel establish-ment. We assume keys are assigned to sensorsaccording to the ESP procedure [11], hence thefirst two phases are carried out as described inSection 2.As for channel establishment, we will cope withthis issue exploiting cooperating sensors, asdescribed in Section 4. In the remainder of thispaper we assume that two sensors sharing oneor more pre-deployed keys can compute a sharedkey via the Direct protocol [10], that is the chan-nel is built combining the keys the two principalsshare. The existence of a key established via theDirect protocol translates into the existence of aDirect channel (that is a link) between the twosensors. Finally, we will use the term corrupted

nsors in the WSNol from which the keys are drawn

eys assigned to each sensor (key-ring size)ating sensors

g sensor, where 1 6 i 6 jCjrrupted sensor in the WSNed to sensor a, where 1 < i < k

sensors h and l

d with Direct protocol [10], if possible, string of 0s otherwised with Cooperative protocol [10]d with ECCE protocolf string x with key k

f string x with key k

DoubleHash, DH(x): {0,1}jxj ! {0,1}2jxj

nt bits of string x, where jLSðxÞj ¼ jxj2nt bits of string x, where jMSðxÞj ¼ jxj2


channel to refer either the fact that the keys thechannel is built with are known to the attacker,or that the channel does not exist (that is the sen-sors do not share any key).

4. The ECCE protocol

The ECCE protocol involves, beyond the princi-pals, other sensors (cooperating sensors). It is basedon the fact that each distinguished cooperating sen-sor ci can efficiently compute the keys it shares witheach other cooperator. This can be efficiently doneassuming that the key pre-deployment procedureis carried out according to ESP scheme, detailed inSection 2. Based on the keys cooperating sensor ci

shares with each other cooperator, ci can computeðs1; . . . ; si�1; siþ1; . . . ; sjCj�1Þ. These shared informa-tion are further combined to compute two values(v1,v2). Each value is then sent to the two principalsa and b. Each principal, upon receiving all thevalues provided by each cooperator, computes thekey KC

a;b that will be employed to secure communica-tion between the two principals. The details of theprotocol follow.

If sensor a wants to establish a secure channel withsensor b, a chooses a set C ¼ fc1; . . . ; cmg of cooper-ating sensors such that a; b 62 C and m P 1. Then, asends a request of cooperation to ci, for each ci 2 C.If a Direct key Ka;ci between a and ci exists, the requestof cooperation is sent encrypted with Ka;ci , else therequest is sent not encrypted. The request carriesthe ID of b and the IDs of the sensors in C.

Each sensor computes two different values(v1,v2), v1 to be sent to the sensor a and v2 to be sentto the sensor b. In particular, every cooperating sen-sor ci computes the value v1 to be sent to sensor a asfollows. The key Kci;b is computed and then hashedwith the ID of a (IDa): HðIDa;Kci ;bÞ. The keysshared with all other cooperating sensors are com-puted via the ESP protocol. For each cooperatingsensor cj where IDci < IDcj , the hash HðIDa�IDb; LSðDHðKci ;cjÞÞÞ is computed; for all cooperatingsensor cj, where IDci > IDcj , the hash HðIDa�IDb;MSðDHðKci ;cjÞÞÞ is computed. The XOR of allthe computed hash is executed and the resultingstring v1 is sent to a encrypted with Direct keyKci ;a. Note that, as exposed in Table 1, we haveassumed that the Direct key procedure alwaysreturns a key. This key is Kci ;a if it exists, or anappropriate string of 0s – a publicly known key –otherwise.

Every cooperating sensor ci computes the valuev2 to be sent to sensor b as follows. Key Kci;a iscomputed and then hashed with the ID of b:HðIDb;Kci;aÞ. The keys shared with all other cooper-ating sensors are computed and for each cooperat-ing sensor cj satisfying IDci < IDcj the hashHðIDa � IDb;MSðDHðKci ;cjÞÞÞ is computed. For allcooperating sensors cj, with IDci > IDcj , the hashHðIDa � IDb; LSðDHðKci;cjÞÞÞ is computed. TheXOR of all the computed hash are executed andthe resulting value v2 is sent to b encrypted withDirect key Kci;b.

For every cooperating sensor ci from which sen-sor a receives a reply message v1 before time-outexpires (let Cr the set of replying cooperatingsensors), sensor a computes the hash HðIDb;Ka;ciÞand then gi ¼ v1 � HðIDb;Ka;ciÞ. When a eitherreceives all the reply messages from the cooperatingsensors, or the last time-out expires, a computes theECCE key as follows: KC

a;b ¼ Ka;b�jCr ji¼1 gi. The ECCE

key KCa;b is finally hashed and sent to b. The hashed

ECCE key, when received by b could be used by b tocheck whether the locally computed ECCE keymatches the ECCE key computed by a. Sensor b

can set a time-out to limit the delay of expected mes-sages. When the time out expires, b computes theECCE key in a way similar to a, and will finallycheck whether the hash of the ECCE key receivedby a matches with the hash of the ECCE key locallycomputed.

Fig. 1 shows the detailed pseudo-code of theECCE protocol. Figs. 2 and 3 illustrate the func-tions ComputeMsgForSource and ComputeMsgFor-

Destination used by every cooperating sensor tocompute the message to be sent to a and b respec-tively. The H function used in the protocol isemployed to produce a non-invertible image of thekeys, to avoid information leakage [10,6]. The algo-rithm SelectRandom selects the cooperating sensorsin a pseudo-random fashion among all the possiblesensors in the network. However, note that thischoice of cooperators could be unsatisfactory. Forinstance, the number of cooperators that share akey with the principals or with other cooperatorsmight be small. This could affect the channel resil-ience, as we will see in Section 5.2. To cope with thisproblem, we could select cooperators according tosome other policy. For instance, we could accept aselected cooperator only if it shares a Direct keywith both principals. Note that it is not requiredthat the key shared with principal a is the samekey shared with principal b.

Fig. 1. Pseudo-code of the ECCE protocol.

Fig. 2. Pseudo-code of the algorithm ComputeMsgForSource.

Fig. 3. Pseudo-code of the algorithm ComputeMsgForDestina-

tion.


Involving cooperators allow the ECCE protocolto be adaptive to different security requirements: ifit is required to increase the channel resilience, thanthis objective can be achieved involving more coop-erating sensors. The use of cooperators in the ECCEprotocol further allows to balance the burden ofprotocol execution among all the cooperators andthe principals. Indeed, each cooperator computesjCj + 1 Direct keys and hash, while sending onlytwo messages. If principal a wants to set-up anECCE key with principal b, a has to forwardjCj + 1 messages and to receive jCjmessages. Sensorb only needs to collect the jCj messages sent to it bythe cooperating sensors.

If a cooperating sensor in C is not available (forinstance, due to a node failure), using the time-outthe protocol will not fail or deadlock, granting sen-sor failure resilience. Observe also that if there is nota Direct key between some of the cooperatorsinvolved in the protocol, this does not imply the fail-ure of the protocol.

Sending the list of all cooperators to each ci 2 Ccan help the attacker: it will be sufficient to corrupta channel between the sender and one of the coop-erators, and the set of cooperators would be dis-closed. However, employing the ESP mechanism,the attacker cannot know the set of keys the coop-erators hold, other than the subset of keys it alreadyknows. Hence, the attacker is still forced to corruptcooperating nodes if it wants to reduce its efforts [8].Further, to decrease the possibility for the attackerto acquire the list of all the cooperators, the set Cof cooperators could be partitioned in subsetC1; . . . ;Cq: Corrupting a channel or a cooperatorwithin a specific subset Ci does not reveal any infor-mation about the cooperators belonging to othersubsets. This countermeasure has been implementedin a version of the ECCE protocol that we will referto as partitioned ECCE.

5. Security analysis

The condition that must be verified to guaranteethe confidentiality of keys set-up using the ECCEprotocol, is the existence of a non corrupted pathbetween the principals a and b (a–b), where eachlink of this path is built with a Direct key and theintermediate nodes between a and b are the cooper-ating sensors. As an example, in Fig. 4 the sensors a

and b use the ECCE protocol to build a confidentialkey. In Fig. 4 the path composed of continuous linessignals a Direct key unknown to the attacker, while

Fig. 4. Example of ECCE channel not corrupted: existence ofpath (a,c1,c2,c3,b).


the dashed line signals a corrupted link or a nonexisting channel. In this example, the confidentialityof the established key KC

a;b is guaranteed by the exis-tence of the path (a,c1,c2,c3,b). If the attacker doesnot hold the Direct keys used to secure the links(a,c1), (c1,c2), (c2,c3), and (c3,b) there is no way tobuild the ECCE key.

5.1. Channel existence

In this section we analyze the probability thatone pair of sensors succeeds to establish a confiden-tial key using the ECCE protocol. This probabilitydepends on the probability of existence of Directkeys shared between all the possible pairs of sensorsin C [ fag [ fbg. The probability to establish aDirect key is given by the probability that twosensors share at least one of the assigned keys ofthe Pool. From [15], it follows that:

Pr½link exists� ¼ 1�

P � k

k

� �P

k

� � ¼ 1� k!ðP � kÞ!ðP � kÞ!P !k!ðP � 2kÞ! :

ð1ÞIn the following to ease exposition, we assume

that the existence of each link is independent fromeach other [15,6]. We indicate with p the probabilityof existence of a single link. Further, pathECCE(jCj)represents the event of a path between principals(that can be established also via a direct link betweenprincipals), while pathECCE(jCj,nodir) accounts forthe event of a path between principals but note thatthis path can be formed only through cooperatingsensors (it is assumed that the direct link betweenprincipals does not exist). Then, we have:

Pr½pathECCEðjCjÞ� ¼ p þ ð1� pÞPr½pathECCEðjCj; nodirÞ�:ð2Þ

The existence of a not corrupted direct link betweenthe principals implies the existence of a non cor-rupted ECCE channel. Should this direct link donot exist, then the existence probability of a not cor-rupted channel is equal to the probability that atleast one non corrupted path involving cooperatingsensors do exists.

To compute this probability, take into consider-ation all the possible links of type (a,ci) (grouped inthe set lsrc) and (ci,b) (grouped in the set ldst). Hence:

Pr½pathECCEðjCj; nodirÞ� ¼XjCjA¼0

XjCjB¼0

Pr½jlsrcj ¼ A�

� Pr½jldstj ¼ B� � ðPr½pathECCEðjCj; nodirÞjjlsrcj

¼ A; jldstj ¼ B�Þ ¼XjCjA¼0

XjCjB¼0

pAð1� pÞjCj�A

� pBð1� pÞjCj�B � ðPr½pathECCEðjCj; nodirÞjjlsrcj¼ A; jldstj ¼ B�Þ: ð3Þ

We remark that when A = 0 we have a null prob-ability of having a path between a and the set ofcooperators; if B = 0 then there are no pathsbetween b and the sensors in C. Let C(lsrc) and C(ldst)be the sets of cooperating sensors in C that share akey with sensor a and b respectively. A path betweenthe principals exists with probability 1 if C(lsrc) \C(ldst) 5 ;. Set jlsrcj = A and jldstj = B, we have that:

Pr½CðlsrcÞ \ CðldstÞ 6¼ ;� ¼ 1�

jCj � A

B

� �jCjB

� � :

Eq. (3) can then be expressed as

XjCjA¼0

XjCjB¼0

pAð1� pÞjCj�ApBð1� pÞjCj�B

� 1�

jCj � A

B

!

jCj

B

!0BBBB@

1CCCCAþ Pr½pathECCEðjCj; nodirÞ

0BBBB@�jCðlsrcÞ \ CðldstÞ ¼ ;; jlsrcj ¼ A; jldstj ¼ B�Þ: ð4Þ

We must now calculate the existence probabilityof the paths (a–b) that use more than one cooperat-ing sensor; see for instance Fig. 4. In order not to

Fig. 6. Paths (s–d) of length 2.


incur in problems of dependency when dealing withprobability, we will consider a modified scheme ofthe ECCE protocol. This scheme helps the attackerbecause it excludes some cases in which the pathcould exist, hence this analysis will provide a lowerbound to the security of the scheme. In particular,we will only use the paths that join cooperatingsensors in C(lsrc) (called s) to cooperating sensorsin C(ldst) (called d), of length 1 or 2. As an example,Figs. 5 and 6 show the paths (s–d) of length 1 and 2respectively, for one particular choice of C, lsrc andldst. Finally, Eq. (2) can be expressed as

Pr½pathECCEðjCjÞ� ¼ pþð1�pÞ

�XjCjA¼0

XjCjB¼0

pAð1�pÞjCj�ApBð1�pÞjCj�B � 1�

jCj�A

B

� �jCjB

� �0BBB@

1CCCA

0BBB@

0BBB@

þð1�ðð1�pÞABð1�p2ÞðjCj�A�BÞ�minfA;BgÞÞ

jCj�A

B

� �jCjB

� �0BBB@

1CCCA1CCCA1CCCA:ð5Þ

These analytical results will be compared withsimulation results in Section 6. The simulations per-formed support the behaviour predicted by the ana-lytical model.

5.2. Channel resilience

In this section, we analyze the probability thatthe key established by the principals, using theECCE protocol, is not corrupted, that is not com-putable by the attacker through the information itholds. As discussed for the channel existence proba-bility, also the resilience probability depends on theprobability of resilience of the single Direct keysused in the construction of ECCE key. The proba-bility that a Direct key is corrupted depends onthe probability that a single key ki of the Pool iscorrupted. Considering w compromised sensors:

Fig. 5. Paths (s–d) of length 1.

Pr½key ki is corrupted� ¼ 1� 1� kP

� �w

: ð6Þ

If one knows the probability that a key is corrupt,then it could be possible to calculate the probabilitythat an existing link is corrupted.

Pr½link is corruptedjlink exists�

¼ Pr½link is corrupted \ link exists�Pr½link exists�

¼Pk

i¼1ðPr½key is corrupted�ÞiPr½i shared keys�Pr½link exists�

¼

Pki¼1 1� 1� k

P

� �W� �i

k

i

� �P � k

k � i

� �P

k

� �

1�

P � k

k

� �P

k

� �: ð7Þ

Replacing the probability given by Eq. (7) in Eq.(5) (Eq. (7) gives the value for probability p), it ispossible to obtain the probability that an ECCEchannel is corrupted, assuming that all the pairs ofcooperators share a Direct key. In a similar way,to assess the probability that an ECCE channelexists and is not corrupted, it is sufficient to replacethe parameter p in Eq. (5) with the followingformula:

Pr½link exists� �Pr½link not corruptedjlink exists�¼Pr½link exists� �ð1�Pr½link corruptedjlink exists�Þ:

ð8Þ

Again, in Section 6 we will show that simulationresults support the derived analytical model.

5.3. Probabilistic authentication

Another important issue of WSN security is nodeauthentication. For instance, any scheme for the


revocation of misbehaving nodes has its basis on thecertainty of the nodes identities. Authentication canmitigate many dangerous attacks, like the replica-tion of malicious sensors [19,13]. In the followingwe discuss how the ECCE protocol provides proba-bilistic authentication.

Based on the ECCE protocol, every cooperatingsensor ci generates the messages to send by XORingthe strings derived from the keys shared with theothers cooperating sensors and the strings:

• HðIDa;Kci;bÞ, for the message destined to thesender sensor.

• HðIDb;Ka;ciÞ, for the message destined to thereceiving sensor.

Note that all cooperating sensors implicitly verifythat both the principals have the keys that the prin-cipals should possess. This verification is possibledue to the ESP mechanism. If a principal declaresa false ID, cooperating sensors will use the keys thatthey should share with the sensor identified by ID. Ifjust one of these keys is not possessed by the mali-cious principal that provided the fake ID the ECCEkey cannot be established [11]. However, if the mali-cious principal possesses all the keys shared by thecooperators with the sensor identified by ID, theauthentication process succeeds. For this reasonthe authentication is only probabilistic. Observethat, with respect to the Direct channel in whichonly one principal verifies the identity of the otherparty, in ECCE all the cooperating sensors verifythe same identity with possibly different key-rings,hence the probability that a malicious sensor isnot detected is smaller than in the Direct channel.In particular, since the authentication check per-formed by cooperators is carried out independentlyfrom each other, the probability that a fake princi-pal succeeds in the authentication process, decreasesexponentially with the number of cooperatorsinvolved. Further, note that the same mechanismsupports authentication among the cooperating sen-sors as well. We remark that this authenticationmechanism does not involve message overheadother than the (limited) overhead required for thecreation of the confidential channel.

6. Simulations and discussion

In order to supply an experimental support to theanalytical results developed in the previous section,we have performed extensive simulations. In partic-

ular, the ECCE protocol has been compared withthe following protocols:

• Direct [11].• Cooperative [11].• Extended Cooperative.• MKR (Multipath Key Reinforcement) [6].• Extended MKR.• Partitioned ECCE (we have divided the set C in

independent subsets of size 2–4).

We assume that in all the considered protocolsthe ESP mechanism [11] is used in the shared-key

discovery phase. We introduce the Extended versionof both the Cooperative and the MKR protocol, inwhich we assume that the existence of the Directchannel between the principals is not necessary.This optimization is based on the observation that,in the Cooperative and the MKR channel construc-tion, the existence of the direct link between princi-pals is only used to send some information to thereceiving sensor; however, this information couldbe sent via a threshold scheme (t,c) [23] throughthe cooperating sensors.

We remark that a channel built according to theCooperative Protocol, which requires that there is atleast one shared key between sender and receiver,has the same existence probability of a channelestablished with the Direct protocol. In fact, in boththe Direct and the Cooperative protocol, the neces-sary condition for the channel existence is the exis-tence of the Direct link between the principals.Hence, the use of cooperating sensors in the Coop-erative protocol is only useful to increase confiden-tiality resiliency against the attacker, while theexistence probability does not increase. This obser-vation holds for the MKR Protocol as well.

The extended cooperative needs only a direct linkor a 2-hop path between principals realized throughthe cooperators in C for the channel to exist. Thebehaviour of the extended multipath key reinforce-ment (MKR) [6], assuming a 2-hop MKR schemeas in [6], provides the same probability of channelexistence and channel resiliency as the Cooperative.In both ECCE and Extended MKR the necessarycondition for channel existence is the existence ofa direct link between the principals or a paththrough the cooperators in C. Hence, we can statethat the existence probability of ECCE and theExtended MKR is roughly the same but, as dis-cussed in Section 5.2, this equivalence does not holdas for the resilience, where ECCE performs better.

0

0.2

0.4

0.6

0.8

1

0 5 10 15 20

Pro

babi

lity

Cooperating sensors

Direct, Cooperative, MKR (sim.)Extended Cooperative (sim.)ECCE, Extended MKR (sim.)

ECCE part. 4 (sim.)

Fig. 8. Channel existence: P = 1000, k = 12.

0

0.2

0.4

0.6

0.8

1

0 5 10 15 20

Pro

babi

lity

Cooperating sensors


ECCE part. 4 (sim.)


Fig. 7 compares the analytical and experimentalresults as for channel existence. We have fixedP = 100, k = 5, while jCj ranges from 0 to 12. Asexpected, the assumption of independence amongthe links, used to ease the analysis in Section 5,implies an upper bound on the estimation of chan-nel existence, as simulation results show (an. res.

refers to the analytical results of Section 5 whilesim. refers to simulation results). However, the sim-plified model used to analytically study the behav-iour of the ECCE Protocol did not take intoconsideration some cases in which a channelbetween cooperators could exist. For this reason,when more than 9 cooperating sensors are involvedin the channel establishment, the analytical resultsfor ECCE are superseded by the simulation results.However, note that the difference between the simu-lation and the analytical results between the twoslopes is tiny for the whole range of cooperatingsensors considered. Observe that using no cooperat-ing sensors, the behaviour of the ECCE, the Coop-erative and MKR protocol is similar to that of theDirect protocol, while increasing the number ofcooperators, the existence probability of the cooper-ative protocols (Cooperative, MKR and ECCE)increases as well. In particular, the ECCE protocolprovides better channel existence probability, andthis probability improves with the number ofcooperators.

Figs. 8–10 plot the existence probability of asecure channel established with the ECCE protocol,together with the same probability for the other pro-tocols. These figures show the results obtained vary-

0

0.2

0.4

0.6

0.8

1

0 2 4 6 8 10 12

Pro

babi

lity

Cooperating sensors

Direct, Cooperative, MKR (an. res.)Extended Cooperative (an. res.)

ECCE modif., MKR modif. (an. res.)ECCE part. 2 (an. res.)ECCE part. 3 (an. res.)ECCE part. 4 (an. res.)


ECCE part. 4 (sim.)

Fig. 7. Channel existence: comparison between analytical andsimulation results for P = 100, k = 5.


0

0.2

0.4

0.6

0.8

1

0 5 10 15 20

Pro

babi

lity

Cooperating sensors


ECCE part. 4 (sim.)


0

20

40

60

80

100

120

140

160

180

0 50 100 150 200 250 300

Sen

sor

to c

orru

pt

Per sensor number of keys k

Direct (sim.)Cooperative, Extended Cooperative (sim.)

MKR, Extended MKR (sim.)ECCE (sim.)

Fig. 12. Resiliency: P = 10,000, C = 4.

0

20

40

60

80

100

120

140

160

180

0 50 100 150 200 250 300

Sen

sors

to c

orru

pt




ECCE part. 4 (sim.)


ing the number of cooperating sensors for P = 1000and k = 12, 15 and 20 respectively. From these threefigures it is possible to notice that increasing thekey-ring size, the channel existence probabilityincreases as well. Hence, it is possible to obtainthe same existence probability with different key-ring size, varying the number of involved cooperat-ing sensors. The better performance of the ECCEprotocol, compared to the Cooperative one is dueto the greater number of possible paths between a

and b generated by the ECCE protocol. Indeed,the higher the number of possible paths, the higherthe probability of channel existence, as analyticallyexposed in Section 5. For instance, in Fig. 4, theprincipals cannot set-up a secure channel via theCooperative protocol, while this is possible adopt-ing the ECCE protocol.

Fig. 11 shows the existence probability of a chan-nel for the compared protocols, when P = 10,000and k = 50, while jCj ranges from 0 to 20. We cannotice that the curves behaviour is similar to thatobtained in Fig. 9. This is because, as noticed in Sec-tion 5, the overall channel probability existencestrictly depends on the existence probability of a sin-gle link.

Furthermore, we investigated the resilience of theestablished channels. In particular, we have per-formed our analysis assuming the existence betweenthe two principals of at least the Direct channel,while the cooperating sensors are randomly selected.In Figs. 12–15 we report on the x axis the key ringsize, while on the y axis the number of sensors tocorrupt to compromise a channel, considering

0

0.2

0.4

0.6

0.8

1

0 5 10 15 20

Pro

babi

lity

Cooperating sensors


ECCE part. 4 (sim.)

Fig. 11. Channel existence: P = 10,000, k = 50.


0

20

40

60

80

100

120

140

160

180

0 50 100 150 200 250 300

Sen

sors

to c

orru

pt




ECCE part. 4 (sim.)


0

20

40

60

80

100

120

140

160

180

0 50 100 150 200 250 300

Sen

sors

to c

orru

pt




ECCE part. 4 (sim.)



P = 10,000 and 4 and 16 cooperating sensors,respectively.

From Fig. 12, with 150 keys stored per sensor,the attacker has to capture about 82 sensors to cor-rupt a Direct channel; if 4 cooperating sensors areinvolved, the attacker has to corrupt about 113 sen-sors to corrupt a Cooperative channel, a little moreto corrupt the MKR channel, while 120 sensors arerequired to corrupt an ECCE channel. Increasingthe number of cooperating sensors also improvesthe resilience of these protocols. Indeed, inFig. 15, with 16 cooperating sensors, for a key-ringsize of 150, the attacker needs to corrupt about 138sensors to corrupt the Cooperative, a little more tocorrupt the MKR channel, while the attacker isrequired to compromise about 159 sensors to cor-rupt an ECCE channel. It is worth noticing thatfor all the simulated scenarios, the ECCE protocolperforms better than the Cooperative protocol. InFigs. 12–15 the behaviour of the Direct Protocol is

Table 2Features comparison of different protocols

Protocol Features

Involve cooperatingsensors

Principals mutualauthentication

Usaof nbetw

Direct No – –Multipath key

reinforcementYes No No

Cooperative Yes Yes NoExtended cooperative Yes Yes YesECCE Yes Yes Yes

the same: The resilience of the Direct channel isnot influenced by the number of cooperating sen-sors. From these figures we can also notice thatthe resilience to corruption of these protocolincreases as the key ring size increases up to a cer-tain value, after that value, the resiliency to corrup-tion decreases. As observed in [15], this is due to thenumber of keys that the attacker can acquire tam-pering with a sensor.

Table 2 outlines the features of the ECCE proto-col, compared with the others protocols reported inSection 2. As can be seen, the ECCE protocol ben-efits from all the features introduced by the use ofcooperation among sensors. This explains why theECCE protocol performs better than the other pro-tocols, as shown in the previous figures.

7. Concluding remarks

In this paper, we presented ECCE, a new cooper-ative protocol to establish a secure pair-wise com-munication channel between any pair of sensors ina WSN. The contributions are the following: thisprotocol does not require cooperating sensors toshare a key with both principals for the channelbetween principals to be established. Also cooperat-ing sensors that do not share any key with any ofthe two principals can help in the set-up of thesecure channel; cooperating sensors implement aprobabilistic authentication of both principals aswell as other cooperators. The probability that afake principal or a fake cooperator could escapethe authentication procedure decreases exponen-tially with the number of cooperators involved inthe protocol; it is possible to trade-off key ring sizewith the number of cooperating sensors whilepreserving the same level of security. Note that this

ble in the caseo secret sharedeen principals

Authenticationbetweencooperating sensors

Cooperating sensorsthat do not share keyswith principals helpchannel establishment

– –No Yes

No NoNo NoYes Yes


feature gives the possibility to have some memoryavailable to store the ECCE keys, that could be usedlater for further use, hence amortizing the (limited)overhead incurred in the ECCE key set-up; the secu-rity provided by the protocol is adaptive with thelevel of threat in the WSN, on one hand, the higherthe security threat, the more cooperators can beinvolved to enhance the resiliency of the channel;on the other hand a required downgrade on therequired level of security can be implementedinvolving less cooperators, hence improvingperformances.

Finally, in comparison with other protocols,ECCE shows better performances in channel exis-tence and channel resilience even when the numberof involved cooperators is small.

References

[1] Ian F. Akyildiz, Weilian Su, Yogesh Sankarasubramaniam,Erdai Cayirci, Wireless sensor networks: a survey, Interna-tional Journal of Computer and Telecommunications Net-working 38 (4) (2002) 393–422.

[2] Ross Anderson, Security Engineering: A Guide to BuildingDependable Distributed Systems, John Wiley & Sons, Inc.,2001.

[3] Ross Anderson, Markus G. Kuhn. Tamper resistance—acautionary note, in: The 2nd USENIX Workshop onElectronic Commerce Proceedings, 1996, pp. 1–11.

[4] Antonio Caruso, Alessandro Urpi, Stefano Chessa, SwadesDe, Gps-free coordinate assignment and routing in wirelesssensor networks, in: Proceedings of IEEE INFOCOM’05,2005, pp. 150–160.

[5] Haowen Chan, Adrian Perrig. PIKE: Peer intermediaries forkey establishment in sensor networks, in: Proceedings ofIEEE INFOCOM’05, 2005, pp. 524–535.

[6] Haowen Chan, Adrian Perrig, Dawn Song, Random keypredistribution schemes for sensor networks, in: Proceedingsof IEEE S&P’03, 2003, pp. 197–213.

[7] Mauro Conti, Roberto Di Pietro, Luigi Vincenzo Mancini,Alessandro Mei. Requirements and open issues in distrib-uted detection of node identity replicas in WSN, in:Proceedings of the 2006 IEEE International Conference onSystems, Man, and Cybernetics (SMC’06), Special Sessionon Wireless Sensor Networks, in press.

[8] Roberto Di Pietro, Luigi V. Mancini, AlessandroMei, Energy efficient node-to-node authentication and com-munication confidentiality in wireless sensor networks,Wireless Networks, Corrected Proof, Available Online,May 2006.

[9] Roberto Di Pietro, Luigi Vincenzo Mancini, Sushil Jajodia,Providing secrecy in key management protocols for largewireless sensors networks, Journal of Ad Hoc Networks 1 (4)(2003) 455–468.

[10] Roberto Di Pietro, Luigi Vincenzo Mancini, AlessandroMei, Random key-assignment for secure wireless sensor

networks, in: Proceedings of ACM SASN’03, 2003, pp. 62–71.

[11] Roberto Di Pietro, Luigi Vincenzo Mancini, AlessandroMei, Efficient and resilient key discovery based on pseudo-random key pre-deployment, in: Proceedings of IEEEIPDPS’04, 2004, pp. 217–224.

[12] Roberto Di Pietro, Luigi Vincenzo Mancini, AlessandroMei, Alessandro Panconesi, Jaikumar Radhakrishnan, Con-nectivity properties of secure wireless sensor networks, in:Proceedings of ACM SASN’04, 2004, pp. 53–58.

[13] John R. Douceur, The sybil attack, in: Proceedings of the 1stInternational Workshop on Peer-to-Peer Systems (IPTPS’01),Springer, 2002, pp. 251–260.

[14] Wenliang Du, Jing Deng, Yunghsiang S. Han, Pramod K.Varshney, A pairwise key pre-distribution scheme for wire-less sensor networks, in: Proceedings of ACM CCS’03, 2003,pp. 42–51.

[15] Laurent Eschenauer, Virgil D. Gligor, A key-managementscheme for distributed sensor networks, in: Proceedings ofACM CCS’02, 2002, pp. 41–47.

[16] Oded Goldreich, Foundations of Cryptography: Basic Tools,Cambridge University Press, 2001.

[17] Donggang Liu, Peng Ning, Efficient distribution of key chaincommitments for broadcast authentication in distributedsensor networks, in: Proceedings of ISOC NDSS’03, 2003,pp. 263–276.

[18] Donggang Liu, Peng Ning, Establishing pairwise keys indistributed sensor networks, in: Proceedings ACM CCS’03,2003, pp. 52–61.

[19] James Newsome, Elaine Shi, Dawn Song, Adrian Perrig, Thesybil attack in sensor networks: analysis and defenses, in:Proceedings of ACM IPSN’04, 2004, pp. 259–268.

[20] Bryan Parno, Adrian Perrig, Virgil D. Gligor, Distributeddetection of node replication attacks in sensor networks, in:Proceedings of IEEE S&P’05, Washington, DC, USA, 2005p. 49–63.

[21] Adrian Perrig, Robert Szewczyk, Victor Wen, David E.Culler, J.D. Tygar, SPINS: security protocols for sensornetworks, in: Proceedings of ACM/IEEE MobiCom’01,2001, pp. 189–199.

[22] D. Sanchez Sanchez, Heribert Baldus, A deterministicpairwise key pre-distribution scheme for mobile sensornetworks, in: Proceedings of the 1st IEEE/CreateNet Inter-national Conference on Security and Privacy for EmergingAreas in Communication Networks (SecureComm’05), pp.277–288.

[23] Adi Shamir, How to share a secret, Communications of theACM 22 (11) (1979) 612–613.

[24] Arvinderpal Wander, Nils Gura, Hans Eberle, Vipul Gupta,Sheueling Chang Shantz, Energy analysis of public-keycryptography for wireless sensor networks, In PerCom, 2005,pp. 324–328.

[25] Sencun Zhu, Sanjeev Setia, Sushil Jajodia, LEAP: efficientsecurity mechanisms for large-scale distributed sensornetworks, in: Proceedings ACM CCS’03, 2003, pp. 62–72.

[26] Sencun Zhu, Shouhoui Xu, Sanjeev Setia, Sushil Jajodia,Establishing pair-wise keys for secure communication in adhoc networks: a probabilistic approach, in: Proceedings ofIEEE ICNP’03, 2003, p. 326.

c Networks 5 (2007) 49–62

Mauro Conti received in 2005 the Laureadegree (equivalent do BS + MS) inComputer Science from the University ofRome ‘‘La Sapienza’’, Italy. He is cur-rently a Ph.D. Student at the ComputerScience Department of the same Uni-versity. His current research interest ison security for wireless constrainedmobile devices.

62 M. Conti et al. / Ad Ho

Roberto Di Pietro received the Ph.D. in
Computer Science from the University ofRoma ‘‘La Sapienza’’, Italy, in 2004. Hereceived the BS. and MS. degree inComputer Science from the University ofPisa, Italy, in 1994. Since 1995 he hasbeen working for the technical branch ofthe Italian Army and the Internal AffairsMinistry. His main research interestsinclude: security for mobile ad hoc andwireless networks, security for distrib-
uted systems, secure multicast, applied cryptography and com-puter forensics.

Luigi V. Mancini received the Ph.D.degree in Computer Science from theUniversity of Newcastle upon Tyne, UK,in 1989, and the Laurea degree in Com-puter Science from the University ofPisa, Italy, in 1983. From 2000, he is afull professor of Computer Science at theDipartimento di Informatica of theUniversity of Rome ‘‘La Sapienza’’.Since 1994, he is a visiting researchprofessor of the Center for Secure

Information Systems, GMU, Virginia, USA. Currently he is theadvisor of six Ph.D students.

His current research interests include: computer network andinformation security, wireless network security, fault-tolerantdistributed systems, large-scale peer-to-peer systems, and hard-real-time distributed systems. He published more than 60 scien-tific papers in international conferences and journals such as:ACM TISSEC, IEEE TKDE, IEEE TPDS, and IEEE TSE. Heserved in the program committees of several international con-ferences which include: ACM Conference on Computer andCommunication Security, ACM Conference on ConceptualModeling, ACM Symposium on Access Control Models andTechnology, ACM Workshop of Security of Ad-hoc and SensorNetworks, IEEE Securecomm, IEEE Conference on ClusterComputing. He is also the program chair of the first two editionsof the IEEE Workshop on Hot Topics in Peer-to-Peer Systemsheld in 2004 (Volendam, Holand) and in 2005 (San Diego,California).

Currently, he is a member of the Scientific Board of the ItalianCommunication Police force, and the director of the Masterdegree program in Computer and Network Security of theUniversity of Rome ‘‘La Sapienza’’, Italy.

ecce: enhanced cooperative channel establishment for secure pair-wise communication in wireless...

Documents