security - unipi.it · 2008-04-17 · gateway sensor nodes task manager node. 3 ... data mule...
TRANSCRIPT
Securityin
Wireless Sensor Networks
2
Introduction
A Wireless Sensor Network is a network made of many smalldevices consisting of a battery, radio communications, microcontroller, and sensors.
GatewaySensor nodes Task manager
node
3
Introduction
The sensor nodes cooperate to monitor enviromentalphenomena.
detect phenomenon
routing
GatewaySensor nodes Task manager
node
4
Applications
– Military applications
– Enviromental applications
– Home applications
– Health applications
– Automotive applications
– …
5
Military applications
• Monitoring friendly forces, equipment and ammunition
• Reconnaissance of opposing forces and terrain
• Battlefield surveillance
• Nuclear, biological and chemical attack detection and reconnaissance
6
Enviromental applications
Flood / Forest fire detection
Precision agriculture
Ecosystems
NY Times, May 10, 2005
Habitat Monitoring
7
Home automation Structural Monitoring
Kajima-Shizuoka Building – Japan
Home applications
8
Health applications
• Telemonitoring of human physiological data
• Tracking and monitoring patients and doctors
Health Care Monitoring of Mobile Patients. (Source: ISTI & IFC--CNR, Pisa, Italy).
BASUMA (BMWA)-Germany
9
Automotive applications
• Vehicle tracking and detection• Detecting and monitoring car thefts
• Disaster recovery
RUNES
10
Design space
– Distributed and large-scale networks• Hundreds of nodes• Network size and density determined by coverage,
connectivity, task
– Hostile Environment• Nodes may be compromised
– Limited Resources• Energy restrictions• Limited computational power• Storage restrictions• No physical security feasible
11
Design space
– The network topology may change very frequently• Uncontrolled mobility caused by environment factors or
controlled robotic mobility
• Nodes may be randomly deployed
• Nodes are prone to failures
– The network must be reconfigurable• Wireless connections
• Self-reconfiguration
12
Sensor node
Cap
abili
ties
Size, Power Consumption, Cost
PC
Notebook
Smartphone
Mote
13
TI MSP430
–48kB code
–10KB data
Low-power radio: 250 kbps
Integrated sensor
ATmega128
–128kB code
–4kB data
Low-power radio: 40kbps
Simple sensors
ATmega163
–16kB code
–1k B data
Low-power radio: 10kbps
Simple sensors
Small µ-controller
–8kB code
–512 B data
Low-power radio: 10kbps
Simple sensor
Mica2 Mote
Hardware platform: Motes
Evolution
WeC 99“Smart Rock”
Dot 9/01 Telos Mote
14
Mobile platforms
–Autonomous
–Mobile
–Flying
–Wearable
Medusa MK-2 (UCLA)
iBadge(UCLA)
Heliomote(UCLA)
STARGATE
PACKBOT
Data Mule(UCLA)
MOTEData Storage
Path Planning
Helicopter Imager(UCLA)
RagoBot(UCLA)
RAiN (Pisa)
15
Communication architecture
Data Link Layer
Physical Layer
Network Layer
Application Layer
Data Link Layer
Physical Layer
Network Layer
Application Layer
16
Physical layer
The physical layer is responsible for:• Frequency selection• Frequency generation • Signal detection• Modulation
Open research issues:• Modulation schemes• Strategies to overcome signal
propagation effects• Hardware design
Data Link Layer
Physical Layer
Network Layer
Application Layer
17
Data link layer
Data Link Layer
Physical Layer
Network Layer
Application LayerThe data link layer is responsible
for:• Medium access
• Error control
Open research issues:• MAC for mobile sensor networks
• Error control coding schemes
• Power saving modes
18
Network layer
The network layer is responsible for:• Routing• Network reconfiguration in
presence of node failure• Data aggregation• Accessing to other external
networks (i.e. Internet).
Open issues:• Power efficiency • Addressing• New routing protocols
Data Link Layer
Physical Layer
Network Layer
Application Layer
19
Application layer
The application layer is responsible for:• Data management• Synchronization
Open issues:• Task assignment and data
advertisement protocol• Sensor query and data
dissemination• Localization• Time Synchronization
Data Link Layer
Physical Layer
Network Layer
Application Layer
20
Cross-layer issue: Security
Security Requirements:• Confidentiality
• Authentication
• Integrity
• Freshness
• Secure Group Management
• Availability
Data Link Layer
Physical Layer
Network Layer
Application Layer
21
Security issues
– Secure Network Communication• Cryptographic mechanisms
• Key establishment & management
– Group-key management
• Authenticated broadcast
• Routing attacks
– Secure Localization
– Secure Time Synchronization
– Secure Data Processing
22
Cryptographic Mechanisms
23
Cryptographic Mechanisms
– Asymmetric cryptography:• Tiny-PK• Tiny-ECC
– Symmetric cryptography:• RC5 & SkypJack block-ciphers • HMAC SHA-1 message authentication code
– Commercial standards for Motes• TinySec• ZigBee (802.15.4)
24
Asymmetric cryptographic
The amount of computational energy consumed by a security function is determined by:• the processor power consumption• the processor clock frequency• the number of clocks needed to compute the security function
Public key cryptographic algorithms such as RSA are computationally intensive:• thousands or even millions of multiplication instructions to
perform a single security operation
25
Public key cryptography: RSA
Execution times for 2x (mod p) with p prime number (modulus) and x which ranges from 112 to 768 bit on MICA2 mote [Malan04]
As we can see, a single exponentiation could take 5 minutes !
26
TinyPK [TinyPK04]
3.7 s512-bit
14.5 s1024-bit
8.0 s768-bit
Verification time
(Hardware Platform: Mica)Module size n
Tiny Public-Key:Verification operation by using RSA with exponent e=3 and module n
• Verification algorithm: slow but feasible (trick: e=3)
• Sensor nodes can verify but cannot generate a signature.
27
Public key cryptography: ECC
Elliptic curve cryptography (ECC)• Based on the elliptic curve discrete logarithm problem:
– given the equation Q=kG, known G and Q (points), then find the integer k
• No subexponential algorithm to solve it are known• ECC keys are smaller than RSA ones
?51215360256
?3847680192
after 20302563072128
before 20302242048112
before 2010160102480
Secure until..ECC
(Key length in bit)
RSA
(Key lengthin bit)
EQUIVALENT
SECURITY
(bit)
28
ECC on sensor networks
– EccM 2.0 [Malan04] :• implemented for MICA2, written in nesC
– 34 seconds to generate ECC key pairs (Diffie-Hellmann)
– 70 seconds to run the entire Diffie-Hellman protocol
– TinyECC [LiuNing05]:• implemented for MICAz (ATmega128)
– 7 seconds for digital signature of ECDSA
– 14.2 seconds for signature verification of ECDSA
• Different algorithms than EccM and some functions are written in µcontroller’s language
• It uses curve parameters standardized by SEC2 standard [SEC2]
29
Improving ECC performances
Parallelization• N nodes who helps the verifier
– T trusted, U untrusted
– N = 2U + 1: if this condition is met the verifier always picks the correct value
63.71 s50.74 s50.77 sEccM 2.0 withparallelization
101.01 s50.74 s50.77 sEccM 2.0
Signatureverification
DigitalSignature
Public keygeneration
Mode
30
Improving ECC performances
Re-implementation• Assembly implementation of some other functions originally
written in nesC
• Re-implementation of multiplication algorithm, especially forECDSA verification (multiple multiplication)
• Partial improvement of TinyOs random number generator
10.7
8.8
0.015 (200 bytes)
8.5
Time (sec)
Tmote Sky
-Key pair generation
-SHA-1
Time (sec)
MICAzFunction
14.293ECDSA Verification
7.074ECDSA Signature
31
Improvement ECC performances
Hardware suppport
– Hasegawa, Nakajima and Matsui [Hasegawa99]– 0.15 seconds for digital signature of ECDSA
– 0.63 seconds for verification of ECDSA
• Non standard curve parameters but customized
• Modified algorithms according to own parameters
• Hardware support: microcontroller M16C
No multiplication/divisionMultiplication/division as
hardware operation
27 istructions91 instructions
8 Mhz10 MHz
TMote SkyM16C
32
Symmetric cryptography
– RC5 & SkypJack block-ciphers• CBC-mode: break a m bit message into 64 bit chunks (m1,m2,..)
• Transmit (c1, c2, …) and IV– IV is needed to achieve semantic security
– Same message looks different every time
IV
m2m1
c1 c2
Ek EkEk
CBC-Mode
33
Symmetric cryptography
Mode CBC-CTS (Ciphertext Stealing)• it allows ciphered text to have the same length as the plain text
even though plain text is not a multiple of block size
• Encryption/Decryption performances (32 bytes) on TelosB withTinyOs-1.1.11
– 6.37 ms (RC5)
– 2.40 ms (SkipJack)
34
HMAC: SHA-1
SHA-1 is an hash function required by:• symmetric protocol
• public key cryptography (e.g. digital signature schemes)
It produces a hash value on 160 bit
13.24 128
8.911 64
4.69970 32
4.69970 16
4.66918 8
4.63867 4
Time
(ms)
Dimension
(bytes)
Performance on Tmote Sky
35
TinySec [karlof03]
– Link Layer Security Architecture• Link-to-link authentication
• End-to-end authentication (e.g.,IPSec) is unfeasible in WSN
– Support fine-grained mixed-mode usage• 3 settings
1. no crypto
2. integrity only (TinySec-Auth)
3. integrity+secrecy (TinySec-AE)
• Can select settings on a per-packet basis.
36
TinySec-Auth
– TinySec-Auth• Guaranteed only integrity
Sender Receiver
< m, HMAC >Sm HMAC V
mYes/no
HMAC
– Algorithm used for HMAC: SHA-1
37
TinySec-AE
– TinySec-AE• Guaranteed authenticity and confidentiality
ReceiverSender
< c, IV, HMAC >
c
IV
m2m1
c1 c2
E E
m
E
m
IV
c2c1
m1 m2
D D
c
D
– Algorithm used for encryption: SkipJack in CBC-CTS mode
38
TinySec: communication overhead
TinySec-AE:
IV
•IV is needed to achieve semantic security•To reduce packet overhead, IV is obtained from existing packet header (dest,AM,len,source) + counter (ctr)
TinyOS:
TinySec-Auth:
•Get away with CRC -> MAC provides checksum
39
TinySec: communication overhead
8%28.86844TinySec-AE
1.5%26.66440TinySec-Auth
--26.26339TinyOS
IncreaseTransmission
Time (ms)Total Size
(byte)Overhead
(byte)
40
802.15.4 standards
–AES is available in hardware• Removes the need for software based cryptography such as TinySec
–Design similarities to TinySec:• 3 security modes: off, auth, auth + encryption
• MAC calculation is block cipher based
–Design differences to TinySec• Larger security parameter choices, 16 byte IV
• MAC size variable, 0..16 bytes
• Encryption: CTR mode
41
Key Establishment & Management
42
Key Establishment & Management
Approaches:
– Centralized• Pre-assign a unique key to every node
• Use the base station as central source of trust
– Distributed• Each sensor node is able to authenticate its neighbors or a
subset of them
43
How many keys a node should maintain?
– Globally shared secret key• Safeguard from external attackers.
– Secret key with base station (centralized approach)• Base station should be able to authenticate nodes.
– Pairwise secret key• Nodes should be able to authenticate each other to achieve
collaborative data processing.
Key Establishment & Management
44
General Idea• Pre-assign a unique key to every node.• Use base station as central trust to establish pairwise/global key
Solution I: Pre-assignment
Sink
Node A
KA
KA
KA
KB
KB
KB KB
KB
Node B
KAB
Some existing protocols: SNEP [Perrig 01], [Chen 00], [Undercoffer 02]
45
Evaluation
Wins:• Perfectly resilient to node capture.
– No leak of information.• Safeguards system against external adversaries.• Addition of new nodes.
Neutral:• Pairwise key establishment is expensive.
– Loss for dynamic topologies.
Losses:• Not scalable
46
Solution II: Random Key Assignment
General idea• Each node randomly picks R keys from a key pool S.• Use the common shared key to establish a secure link with its
neighbors.
Key pool
K1,K2,,..,Ks
{K1,K3}
K1 K3
R=2
{K3,K7}{K1,K5}
47
Existing solutions
– Basic Scheme [Eschenauer02]
– Extended to q-composite scheme [Chen03]• Secure link only if nodes share q keys
– Adaptive Random key distribution [Huang03]• Use two dimensional key pools
– Blom scheme [Wenliang03]• Based on public/private matrix
– Polynomial key pools [Liu03]• Assign polynomial generator functions instead of keys
48
Evaluation
Wins:• Pairwise Key establishment
Neutral:• Reasonably scalable• Resiliency to node capture• Addition of new nodes
Losses:• Very sensitive to choice of parameters (R, S)
49
Solution III: Post-deployment assignment
General idea• Pre-assign a single global key KG at every node.
• Derive pairwise keys at runtime based on properties of the node from the global key.
• Erase the global key KG.
Key-setup phase Normal system
Generate pairwisekey from KG
Erase KG
No valid keys can be generated here
50
Example
• Both node A and node B have KG before deployment.
• They can calculate the pairwise key KAB as follows:
KAB = HKG(idA || PA || idB || PB)
PX is the location [Ye04], physical attributes [Ganeriwal04a] or identity [Anderson 05] of sensor node X.
• A and B can use KAB for securely communicating without ever explicitly telling it to each other.
idA,PA
Node A Node B
idB,PB
51
Security analysis
– External adversary• Cannot generate KAB as it does not have knowledge of KG.
– Internal adversary• Can potentially generate KAB.• Vulnerability window: key-setup phase sensor nodes must
erase KG as soon as possible.
Key-setup phase Normal system
NO compromise during this phase
52
Evaluation
Wins:• Scalable• Deterministic pairwise key establishment• Deterministic unique key establishment• Safeguards from external adversaries
Losses:• Addition of new nodes• Only if key-setup phase is fine, everything is fine.
53
Group-key management
54
Group-key management
Problem
An outsider cannot eavesdrop or inject/modify messages.
SolutionAll sensor nodes share a symmetric group-key used to encrypt/decrypt
messages.
K
Sink
K
K
KK
K : group-key
55
Forward security
Forward securityWhen a member leaves the group at time t* he cannot have
access to communication after time t*.
LEAVING NODE
K
Sink
K
K
KK
K : group-key
New group-key: K*
56
Forward security
The sink must distribute the new group-key to all nodes except the leaving one.
• The sensor nodes must be able to effciently authenticate the new received key
– Chained Key Hash [Lamport81]
• Distribution algorithms:
– Naive solution
– S2RP: Scalable & Secure Rekeying Protocol [Dini05]
57
Authentication of group-key
– Chained key hash• Broadcast of renewed keys
• Authentication by means of hash functions
KN KN-1 KN-2 … K2 K1 K0
Generating Ki+1 =H(Ki)
Revealing
58
Group-key Distribution
– Naive solution• This solution is adopted by µ-Tesla
• Sink unicasts the new key K* to each member O(n) messages
– The new key in encrypted with secret keys of nodes
LEAVING NODE
K
Sink
K
K
KK
K : group-key
New group-key: K*
59
S2RP
Each member stores the current-keys associated to the auxiliary-nodes on the path
K1curr
K2curr
K4curr K5
curr
DCBA
K3curr
K7currK6
curr
E F G H
Leaf-node: correspond to the private key of a group member
KNKN-1KN-2… K2 K1 K0
KNKN-1KN-2… K2 K1 K0
KNKN-1KN-2… K2 K1 K0
Auxiliary-node: associated to a keychain
•Kicurr i-th current-key (last-revealed
key)
•K1curr Network-key
KN KN-1 KN-2 … K2 K1 K0
60
Example: D leaves the group
Path(D)={1,2,5}
If D leave the group its keys are compromised
K1curr
K2curr
K4curr K5
curr
DCBA
K3curr
K7currK6
curr
E F G H
KNKN-1KN-2… K2 K1 K0
KNKN-1KN-2… K2 K1 K0
KNKN-1KN-2… K2 K1 K0
KNKN-1KN-2… K2 K1 K0
The new keys are: K1
next,K2next,K5
next so thatKi
curr=H(Kinext)
61
Example: D leaves the group
Secure distribution
KS C: E(KC,K5next)
KS C: E(K5next,K2
next)
KS A,B: E(K4curr,K5
next)
KS A,B,C: E(K2next,K1
next)
KS E,F,G,H: E(K3curr,K1
next)
E(k,x) encryption of x with K
O(log n) messages SCALABILITYSCALABILITY
Knext1
Knext2
K4curr Knext5
DCBA
K3curr
K7currK6
curr
E F G H
KNKN-1KN-2… K2 K1 K0
KNKN-1KN-2… K2 K1 K0
KNKN-1KN-2… K2 K1 K0
KNKN-1KN-2… K2 K1 K0
62
Authenticated Broadcast
63
Authenticated Broadcast
Node wants to communicate with multiple nodes simultaneously• For example, sink wants to send some control information to all
the nodes
Nodes should be able to verify the identity of the sending node (NO malicious node).• Need for authenticated broadcast.
What is the problem?• Pairwise keys cannot be used
• Can’t the sender just attach a MAC
64
µTESLA [Perrig01]
Abstract asymmetric nature using symmetric cryptography• The sink creates a key-chain [Lamport78] • Divide time into slots
– Use a different key in every slot.
KN KN-1 KN-2 … K2 K1 K0
Ki+1 =H(Ki)
KNKN-1KN-2K2K1K0
slot 0 slot 1 slot 2 slot N-2 slot N-1 slot N
65
µTESLA [Perrig01]
• The sink uses Ki in slot i.– The nodes stores only Ki-1: Ki is not yet known.
• The nodes simply store the packet on receiving it.• The sink reveals Ki in slot i+δ
– Nodes, on receiving the key, authenticate key Ki and authenticate packet received in slot i
As Ki was only known to the base station in slot i, nobody could have impersonated the base station in slot i.
m HMAC(Ki, m)
message
66
Evaluation
Wins:• Based on cheaper symmetric primitives
Neutral:• Nodes must buffer broadcasts until key is disclosed
• Require time synchronization.
Losses:• Authenticated broadcasts by the sink
67
Routing Attacks
68
Attackers
– Mote-class attackers• Control a few ordinary sensor nodes
– Laptop-class attackers• Access more powerful devices (i.e., laptops)
– Greater battery and processing power, memory
– High-power radio transmitter, high bandwidth links to eavesdrop on the entire network
69
Attackers
– Outsider attackers• Attacker has no special access to the sensor network
• Disable sensor nodes (i.e., physically destroy nodes)
– Insider attackers• Node compromization running malicious code
• Attackers have stolen data (i.e., cryptographic keys) from legitimate nodes
70
Attacks on Sensor Network Routing
– Bogus routing information
– Selective forward
– Sinkhole attack
– Sybil attack
– Wormholes
– HELLO flood attack
71
Bogus routing information
– Spoofed, altered, replayed routing info• Routing loops
• Attract or repel network traffic
• Extend or shorten routes
• Network partition
– Ack spoofing• replay link layer acks to misrepresent link quality between nodes
72
Selective forward
– Malicious nodes selectively forwards packets• drop subset of packets without being detected
1 32 4
Node A Node B
1 32 4
Node A
1 32 4
Node B
73
Sinkhole attack
– Attacker tries to attract all traffic destined for the sink fromnodes several hops away from itself• Anyone can spoof routing beacons and claim to be sink
Solution: Authenticate routing info
sink
74
Sybil attack
– A single node presents multiple identities to the other nodes
Solution: Verify identities
Node has 5 neighbors
75
Wormholes
– The attacker tunnels msgs received in one part of the network and replays them in a different part • use out-of-band fast channel to route msgs faster than regular
network
– This attack can be launched by insiders and outsiders
76
Wormholes
sink
Example:– Attacker A tunnels hello packets received from the sink and
replay them to attacker B– Conseguence: many nodes cannot reach the sink
Solution: avoid routing race conditions
77
HELLO flood attack
– Nodes broadcast HELLO packets to announce themselves to their neighbors• broadcast msg to all nodes (laptop-class)
• disrupt topology construction
Solution: Verify the bidirectionality of links
78
Attacks on specific routing protocol
TinyOS beaconing• Sink constructs depth first spanning tree with itself as root
Attacks• Any node can claim to be a base station & become the destination of
all traffic in the network – HELLO attack
• If authenticated, a powerful laptop-class attacker can still mount a wormhole / sinkhole attacks
Hello packets
79
Attacks on specific routing protocol
GeoRouting• Routing based on receiver geographical position
Attacks• Misrepresent location data for sinkhole attack
• Sybil Attacks
Broadcast messages:•A at (0,1)•A1 at (1,0)•A2 at (1,3)•A3 at (2,1)
1 2
2
1
0
Sensor node has 4 false neighbors
80
Attacks on specific routing protocol
Minimum Cost Forwarding• Forwards a packet based on the cost of each node (to reach the
base station)
• Cost : hop count, energy, latency, loss etc
Attacks• Can launch a sinkhole attack by advertising zero cost
• Advertise low cost path (can also use HELLO)
81
Attacks on specific routing protocol
LEACH: Low-Energy Adaptive Clustering Hierarchy• Cluster-head gathers data from sensors within its cluster and sends
to base station
• Probabilistic selection of cluster-head to evenly distribute energy consumption
• Nodes choose a cluster-head based on received signal strength
Attacks• HELLO flood attack
82
Protocols analyzed [Karlof03b]
Bogus routing information, Sybil, HELLO floodsEnergy conserving topology maintenance
Bogus routing information, selective forwarding, sinkholes, Sybil, wormholes
Rumor routing
Selective forwarding, HELLO floodsClustering based protocols (LEACH,TEEN,PEGASIS)
Bogus routing information, selective forwarding, sinkholes, wormholes, HELLO floods
Minimum cost forwarding
Bogus routing information, selective forwarding, SybilGeographic routing (GPSR,GEAR)
Bogus routing information, selective forwarding, sinkholes, Sybil, wormholes, HELLO floods
Directed diffusion and multipathvariant
Bogus routing information, selective forwarding, sinkholes, Sybil, wormholes, HELLO floods
TinyOS beaconing
Relevant attacksProtocol
All insecure!!!
83
Countermeasures
– Encryption & Authentication• Globally shared key (outsiders)
• Per link keys (insiders)
– Verify neighbors’ identities• Prevents Sybil attacks
– Probabilistic routing• Limits effects of selective forwarding
– Wormholes are hard to detect
– Sinkholes are difficult to defend against in protocols that use advertise information (i.e. remaining energy)
84
References
Crypthographic mechanisms[Malan04] “A Public-Key Infrastructure for Key Distribution in TinyOS Based on
Elliptic Curve Cryptography”. David J. Malan, Matt Welsh, and Michael D. Smith. First IEEE International Conference on Sensor and Ad Hoc Communications and Networks. Santa Clara, California. October 2004. (http://www.eecs.harvard.edu/~malan/ )
[LiuNing05] An Liu, Peng Ning, "TinyECC: Elliptic Curve Cryptography forSensor Networks (Version 0.1)", September , 2005http://discovery.csc.ncsu.edu/software/TinyECC/ .
[Hasegawa05] “A Small and Fast Software Implementation of Elliptic Curve Cryptosystems over GF(p) on a 16-Bit Microcomputer”. TIEICE:IEICE Transactions on Communications/Electronics/Information and Systems, 1999.
[SEC2] Certicom Research, “Sec 2: Recommended Elliptic Curve DomainParameters” (Standard for efficient cryptography version 1.0), September2002 (http://www.secg.org/download/aid-386/sec2_final.pdf )
[[TinyPK04] BBN Corporation. TinyPK Project. http://www.is.bbn.com/projects/lws-nest/
85
References
Key establishment & management
[Chen00] M. Chen, W. Cui, V. Wen, A. Woo, “Secutiy and deployment issues in a sensor network”
[Karlof03] Chris Karlof, Naveen Sastry and David Wagner, "TinySec: A Link Layer Security Architecture for Wireless Sensor Networks", Second ACM Conference on Embedded Networked Sensor Systems (SenSys2004)
[Undercoffer 02] Jeffery Undercoffer and Sasikanth Avancha and AnupamJoshi and John Pinkston (2002): “Security for Sensor Networks,” CADIP Research Symposium, 2002
[Perrig01] Adrian Perrig and Robert Szewczyk and J. D. Tygar and Victor Wen and David E. Culler (2001): “SPINS: Security Protocols for Sensor Networks,” Proceedings of Seventh Annual International Conference on Mobile Computing and Networks MOBICOM 2001, July 2001
86
References[Eschenauerr02] Laurent Eschenauer and Virgil D. Gligor (2002): “A Key-
Management Scheme for Distributed Sensor Networks,” Conference on Computer and Communications Security. Proceedings of the 9th ACMconference on Computer and communications security, Washington, DC, USA, 2002.
[Chen03] H. Chan, A. Perrig, D. Song, “Random Key Predistribution Schemes for Sensor Networks”, IEEE Synposium on Security and Privacy, 2003.
[Huang03] Adaptive random key distribution schemes for wireless sensor networks, WADIS 2003.
[Wenliang03] W. Du, J. Deng, Y. Han, P. Varshney, “A pairwise key pre-distribution scheme for wireless sensor networks”
[Liu03] D. Liu and P. Ning. Establishing pairwise keys in distributed sensor networks. In 10th ACM Conference on Computer and Communications Security, October 2003.
[Lamport81] L. Lamport. Password authentication with insecurecommunication. Communications of the ACM, 24(11):770/772, November
1981.
87
References[Dini05] G. Dini and I. Savino. Scalable and secure group rekeying in wireless
sensor networks.
Routing attacks[Karlof03b] C. Karlof, D. Wagner, “Secure routing in sensor networks: Attacks
and countermeasures”, Elsevier AdHoc Networks journal, special issue on sensor network applications and protocols, May 2003