Security in Wireless Sensor Networks Introduction A Wireless - - PDF document

Security

in

Wireless Sensor Networks

2

Introduction

A Wireless Sensor Network is a network made of many small devices consisting of a battery, radio communications, microcontroller, and sensors.

Gateway Sensor nodes Task manager node

3

Introduction

The sensor nodes cooperate to monitor enviromental phenomena.

detect phenomenon routing Gateway Sensor nodes Task manager node

4

Applications

– Military applications – Enviromental applications – Home applications – Health applications – Automotive applications – …

5

Military applications

• Monitoring friendly forces,

equipment and ammunition

• Reconnaissance of opposing

forces and terrain

• Battlefield surveillance
• Nuclear, biological and

chemical attack detection and reconnaissance

6

Enviromental applications

Flood / Forest fire detection Precision agriculture Ecosystems

NY Times, May 10, 2005

Habitat Monitoring

7

Home automation Structural Monitoring

Kajima-Shizuoka Building – Japan

Home applications

8

Health applications

• Telemonitoring of human physiological data
• Tracking and monitoring patients and doctors

Health Care Monitoring of Mobile Patients. (Source: ISTI & IFC--CNR, Pisa, Italy). BASUMA (BMWA)-Germany

9

Automotive applications

• Vehicle tracking and detection
• Detecting and monitoring car thefts
• Disaster recovery

RUNES 10

Design space

– Distributed and large-scale networks

• Hundreds of nodes
• Network size and density determined by coverage,

connectivity, task

– Hostile Environment

• Nodes may be compromised

– Limited Resources

• Energy restrictions
• Limited computational power
• Storage restrictions
• No physical security feasible

11

Design space

– The network topology may change very frequently

• Uncontrolled mobility caused by environment factors or

controlled robotic mobility

• Nodes may be randomly deployed
• Nodes are prone to failures

– The network must be reconfigurable

• Wireless connections
• Self-reconfiguration

12

Sensor node

Capabilities Size, Power Consumption, Cost

PC Notebook Smartphone Mote

13 TI MSP430 –48kB code –10KB data Low-power radio: 250 kbps Integrated sensor ATmega128 –128kB code –4kB data Low-power radio: 40kbps Simple sensors ATmega163 –16kB code –1k B data Low-power radio: 10kbps Simple sensors Small µ-controller –8kB code –512 B data Low-power radio: 10kbps Simple sensor Mica2 Mote

Hardware platform: Motes

Evolution

WeC 99 “Smart Rock” Dot 9/01 Telos Mote 14

Mobile platforms

–Autonomous –Mobile –Flying –Wearable

Medusa MK-2 (UCLA) iBadge (UCLA) Heliomote (UCLA)

STARGATE PACKBOT

Data Mule (UCLA)

MOTE Data Storage Path Planning

Helicopter Imager (UCLA) RagoBot (UCLA)

RAiN (Pisa)

15

Communication architecture

Data Link Layer Physical Layer Network Layer Application Layer Data Link Layer Physical Layer Network Layer Application Layer

16

Physical layer

The physical layer is responsible for:

• Frequency selection
• Frequency generation
• Signal detection
• Modulation

Open research issues:

• Modulation schemes
• Strategies to overcome signal

propagation effects

• Hardware design

Data Link Layer Physical Layer Network Layer Application Layer

17

Data link layer

Data Link Layer Physical Layer Network Layer Application Layer

The data link layer is responsible for:

• Medium access
• Error control

Open research issues:

• MAC for mobile sensor networks
• Error control coding schemes
• Power saving modes

18

Network layer

The network layer is responsible for:

• Routing
• Network reconfiguration in

presence of node failure

• Data aggregation
• Accessing to other external

networks (i.e. Internet).

Open issues:

• Power efficiency
• Addressing
• New routing protocols

Data Link Layer Physical Layer Network Layer Application Layer

19

Application layer

The application layer is responsible for:

• Data management
• Synchronization

Open issues:

• Task assignment and data

advertisement protocol

• Sensor query and data

dissemination

• Localization
• Time Synchronization

Data Link Layer Physical Layer Network Layer Application Layer

20

Cross-layer issue: Security

Security Requirements:

• Confidentiality
• Authentication
• Integrity
• Freshness
• Secure Group Management
• Availability

Data Link Layer Physical Layer Network Layer Application Layer

21

Security issues

– Secure Network Communication

• Cryptographic mechanisms
• Key establishment & management

– Group-key management

• Authenticated broadcast
• Routing attacks

– Secure Localization – Secure Time Synchronization – Secure Data Processing

22

Cryptographic Mechanisms

23

Cryptographic Mechanisms

– Asymmetric cryptography:

• Tiny-PK
• Tiny-ECC

– Symmetric cryptography:

• RC5 & SkypJack block-ciphers
• HMAC SHA-1 message authentication code

– Commercial standards for Motes

• TinySec
• ZigBee (802.15.4)

24

Asymmetric cryptographic

The amount of computational energy consumed by a security function is determined by:

• the processor power consumption
• the processor clock frequency
• the number of clocks needed to compute the security function

Public key cryptographic algorithms such as RSA are computationally intensive:

• thousands or even millions of multiplication instructions to

perform a single security operation

25

Public key cryptography: RSA

Execution times for 2x (mod p) with p prime number (modulus) and x which ranges from 112 to 768 bit on MICA2 mote [Malan04]

As we can see, a single exponentiation could take 5 minutes !

26

TinyPK [TinyPK04]

3.7 s 512-bit 14.5 s 1024-bit 8.0 s 768-bit Verification time (Hardware Platform: Mica) Module size n

Tiny Public-Key:

Verification operation by using RSA with exponent e=3 and module n

• Verification algorithm: slow but feasible (trick: e=3)
• Sensor nodes can verify but cannot generate a signature.

27

Public key cryptography: ECC

Elliptic curve cryptography (ECC)

• Based on the elliptic curve discrete logarithm problem:

– given the equation Q=kG, known G and Q (points), then find the integer k

• No subexponential algorithm to solve it are known
• ECC keys are smaller than RSA ones

? 512 15360 256 ? 384 7680 192 after 2030 256 3072 128 before 2030 224 2048 112 before 2010 160 1024 80 Secure until.. ECC (Key length in bit) RSA (Key length in bit) EQUIVALENT SECURITY (bit) 28

ECC on sensor networks

– EccM 2.0 [Malan04] :

• implemented for MICA2, written in nesC

– 34 seconds to generate ECC key pairs (Diffie-Hellmann) – 70 seconds to run the entire Diffie-Hellman protocol

– TinyECC [LiuNing05]:

• implemented for MICAz (ATmega128)

– 7 seconds for digital signature of ECDSA – 14.2 seconds for signature verification of ECDSA

• Different algorithms than EccM and some functions are written in

µcontroller’s language

• It uses curve parameters standardized by SEC2 standard [SEC2]

29

Improving ECC performances

Parallelization

• N nodes who helps the verifier

– T trusted, U untrusted – N = 2U + 1: if this condition is met the verifier always picks the correct value

63.71 s 50.74 s 50.77 s EccM 2.0 with parallelization 101.01 s 50.74 s 50.77 s EccM 2.0 Signature verification Digital Signature Public key generation Mode

30

Improving ECC performances

Re-implementation

• Assembly implementation of some other functions originally

written in nesC

• Re-implementation of multiplication algorithm, especially for

ECDSA verification (multiple multiplication)

• Partial improvement of TinyOs random number generator

10.7 8.8 0.015 (200 bytes) 8.5 Time (sec) Tmote Sky

• Key pair generation
• SHA-1

Time (sec) MICAz Function 14.293 ECDSA Verification 7.074 ECDSA Signature

31

Improvement ECC performances

Hardware suppport – Hasegawa, Nakajima and Matsui [Hasegawa99]

– 0.15 seconds for digital signature of ECDSA – 0.63 seconds for verification of ECDSA

• Non standard curve parameters but customized
• Modified algorithms according to own parameters
• Hardware support: microcontroller M16C

No multiplication/division Multiplication/division as hardware operation 27 istructions 91 instructions 8 Mhz 10 MHz TMote Sky M16C

32

Symmetric cryptography

– RC5 & SkypJack block-ciphers

• CBC-mode: break a m bit message into 64 bit chunks (m1,m2,..)
• Transmit (c1, c2, …) and IV

– IV is needed to achieve semantic security – Same message looks different every time

IV m2 m1 c1 c2 Ek Ek Ek CBC-Mode

33

Symmetric cryptography

Mode CBC-CTS (Ciphertext Stealing)

• it allows ciphered text to have the same length as the plain text

even though plain text is not a multiple of block size

• Encryption/Decryption performances (32 bytes) on TelosB with

TinyOs-1.1.11 – 6.37 ms (RC5) – 2.40 ms (SkipJack)

34

HMAC: SHA-1

SHA-1 is an hash function required by:

• symmetric protocol
• public key cryptography (e.g. digital

signature schemes)

It produces a hash value on 160 bit

13.24 128 8.911 64 4.69970 32 4.69970 16 4.66918 8 4.63867 4 Time (ms) Dimension (bytes) Performance on Tmote Sky

35

TinySec [karlof03]

– Link Layer Security Architecture

• Link-to-link authentication
• End-to-end authentication (e.g.,IPSec) is unfeasible in WSN

– Support fine-grained mixed-mode usage

• 3 settings
• 1. no crypto
• 2. integrity only (TinySec-Auth)
• 3. integrity+secrecy (TinySec-AE)
• Can select settings on a per-packet basis.

36

TinySec-Auth

– TinySec-Auth

• Guaranteed only integrity

Sender Receiver < m, HMAC >

S m HMAC V m Yes/no HMAC

– Algorithm used for HMAC: SHA-1

37

TinySec-AE

– TinySec-AE

• Guaranteed authenticity and confidentiality

Receiver Sender < c, IV, HMAC >

c IV m2 m1 c1 c2 E E m E m IV c2 c1 m1 m2 D D c D

– Algorithm used for encryption: SkipJack in CBC-CTS mode

38

TinySec: communication overhead

TinySec-AE:

IV

• IV is needed to achieve semantic security
• To reduce packet overhead, IV is obtained from existing

packet header (dest,AM,len,source) + counter (ctr) TinyOS: TinySec-Auth:

• Get away with CRC -> MAC provides checksum

39

TinySec: communication overhead

8% 28.8 68 44 TinySec-AE 1.5% 26.6 64 40 TinySec-Auth

• 26.2

63 39 TinyOS Increase Transmission Time (ms) Total Size (byte) Overhead (byte)

40

802.15.4 standards

–AES is available in hardware

• Removes the need for software based cryptography such as TinySec

–Design similarities to TinySec:

• 3 security modes: off, auth, auth + encryption
• MAC calculation is block cipher based

–Design differences to TinySec

• Larger security parameter choices, 16 byte IV
• MAC size variable, 0..16 bytes
• Encryption: CTR mode

41

Key Establishment & Management

42

Key Establishment & Management

Approaches: – Centralized

• Pre-assign a unique key to every node
• Use the base station as central source of trust

– Distributed

• Each sensor node is able to authenticate its neighbors or a

subset of them

43

How many keys a node should maintain? – Globally shared secret key

• Safeguard from external attackers.

– Secret key with base station (centralized approach)

• Base station should be able to authenticate nodes.

– Pairwise secret key

• Nodes should be able to authenticate each other to achieve

collaborative data processing.

Key Establishment & Management

44

General Idea

• Pre-assign a unique key to every node.
• Use base station as central trust to establish pairwise/global key

Solution I: Pre-assignment

Sink Node A KA KA KA KB KB KB KB KB Node B KAB

Some existing protocols: SNEP [Perrig 01], [Chen 00], [Undercoffer 02]

45

Evaluation

Wins:

• Perfectly resilient to node capture.

– No leak of information.

• Safeguards system against external adversaries.
• Addition of new nodes.

Neutral:

• Pairwise key establishment is expensive.

– Loss for dynamic topologies.

Losses:

• Not scalable

46

Solution II: Random Key Assignment

General idea

• Each node randomly picks R keys from a key pool S.
• Use the common shared key to establish a secure link with its

neighbors.

Key pool K1,K2,,..,Ks {K1,K3} K1 K3 R=2 {K3,K7} {K1,K5}

47

Existing solutions

– Basic Scheme [Eschenauer02] – Extended to q-composite scheme [Chen03]

• Secure link only if nodes share q keys

– Adaptive Random key distribution [Huang03]

• Use two dimensional key pools

– Blom scheme [Wenliang03]

• Based on public/private matrix

– Polynomial key pools [Liu03]

• Assign polynomial generator functions instead of keys

48

Evaluation

Wins:

• Pairwise Key establishment

Neutral:

• Reasonably scalable
• Resiliency to node capture
• Addition of new nodes

Losses:

• Very sensitive to choice of parameters (R, S)

49

Solution III: Post-deployment assignment

General idea

• Pre-assign a single global key KG at every node.
• Derive pairwise keys at runtime based on properties of the

node from the global key.

• Erase the global key KG.

Key-setup phase Normal system Generate pairwise key from KG Erase KG No valid keys can be generated here

50

Example

• Both node A and node B have KG before deployment.
• They can calculate the pairwise key KAB as follows:

KAB = HKG(idA || PA || idB || PB) PX is the location [Ye04], physical attributes [Ganeriwal04a]

• r identity [Anderson 05] of sensor node X.
• A and B can use KAB for securely communicating without ever

explicitly telling it to each other.

idA,PA Node A Node B idB,PB

51

Security analysis

– External adversary

• Cannot generate KAB as it does not have knowledge of KG.

– Internal adversary

• Can potentially generate KAB.
• Vulnerability window: key-setup phase sensor nodes must

erase KG as soon as possible.

Key-setup phase Normal system NO compromise during this phase

52

Evaluation

Wins:

• Scalable
• Deterministic pairwise key establishment
• Deterministic unique key establishment
• Safeguards from external adversaries

Losses:

• Addition of new nodes
• Only if key-setup phase is fine, everything is fine.

53

Group-key management

54

Group-key management

Problem

An outsider cannot eavesdrop or inject/modify messages.

Solution

All sensor nodes share a symmetric group-key used to encrypt/decrypt messages.

K

Sink

K K K K

K : group-key

55

Forward security

Forward security

When a member leaves the group at time t* he cannot have access to communication after time t*.

LEAVING NODE

K

Sink

K K K K

K : group-key New group-key: K*

56

Forward security

The sink must distribute the new group-key to all nodes except the leaving one.

• The sensor nodes must be able to effciently authenticate the new

received key – Chained Key Hash [Lamport81]

• Distribution algorithms:

– Naive solution – S2RP: Scalable & Secure Rekeying Protocol [Dini05]

57

Authentication of group-key

– Chained key hash

• Broadcast of renewed keys
• Authentication by means of hash functions

KN KN-1 KN-2 … K2 K1 K0 Generating Ki+1 =H(Ki) Revealing

58

Group-key Distribution

– Naive solution

• This solution is adopted by µ-Tesla
• Sink unicasts the new key K* to each member O(n)

messages – The new key in encrypted with secret keys of nodes

LEAVING NODE

K

Sink

K K K K

K : group-key New group-key: K*

59

S2RP

Each member stores the current-keys associated to the auxiliary-nodes on the path

K1

curr

K2

curr

K4

curr

K5

curr

D C B A K3

curr

K7

curr

K6

curr

E F G H

Leaf-node: correspond to the private key of a group member

KNKN-1 KN-2… K2 K1 K0 KNKN-1 KN-2… K2 K1 K0 KNKN-1 KN-2… K2 K1 K0

Auxiliary-node: associated to a key chain

• Ki

curr i-th current-key (last-revealed

key)

• K1

curr Network-key

KN KN-1 KN-2 … K2 K1 K0

60

Example: D leaves the group

Path(D)={1,2,5} If D leave the group its keys are compromised

K1

curr

K2

curr

K4

curr

K5

curr

D C B A K3

curr

K7

curr

K6

curr

E F G H

KNKN-1 KN-2… K2 K1 K0 KNKN-1 KN-2… K2 K1 K0 KNKN-1 KN-2… K2 K1 K0 KNKN-1 KN-2… K2 K1 K0

The new keys are: K1

next,K2 next,K5 next so that

Ki

curr=H(Ki

next)

61

Example: D leaves the group

Secure distribution

KS C: E(KC,K5

next)

KS C: E(K5

next,K2 next)

KS A,B: E(K4

curr,K5

next)

KS A,B,C: E(K2

next,K1 next)

KS E,F,G,H: E(K3

curr,K1

next)

E(k,x) encryption of x with K

O(log n) messages SCALABILITY SCALABILITY

Knext1 Knext2 K4

curr

Knext5 D C B A K3

curr

K7

curr

K6

curr

E F G H

KNKN-1 KN-2… K2 K1 K0 KNKN-1 KN-2… K2 K1 K0 KNKN-1 KN-2… K2 K1 K0 KNKN-1 KN-2… K2 K1 K0

62

Authenticated Broadcast

63

Authenticated Broadcast

Node wants to communicate with multiple nodes simultaneously

• For example, sink wants to send some control information to all

the nodes

Nodes should be able to verify the identity of the sending node (NO malicious node).

• Need for authenticated broadcast.

What is the problem?

• Pairwise keys cannot be used
• Can’t the sender just attach a MAC

64

µTESLA [Perrig01]

Abstract asymmetric nature using symmetric cryptography

• The sink creates a key-chain [Lamport78]
• Divide time into slots

– Use a different key in every slot.

KN KN-1 KN-2 … K2 K1 K0 Ki+1 =H(Ki) KN KN-1 KN-2 K2 K1 K0

slot 0 slot 1 slot 2 slot N-2 slot N-1 slot N

65

µTESLA [Perrig01]

• The sink uses Ki in slot i.

– The nodes stores only Ki-1: Ki is not yet known.

• The nodes simply store the packet on receiving it.
• The sink reveals Ki in slot i+δ

– Nodes, on receiving the key, authenticate key Ki and authenticate packet received in slot i As Ki was only known to the base station in slot i, nobody could have impersonated the base station in slot i.

m HMAC(Ki, m) message

66

Evaluation

Wins:

• Based on cheaper symmetric primitives

Neutral:

• Nodes must buffer broadcasts until key is disclosed
• Require time synchronization.

Losses:

• Authenticated broadcasts by the sink

67

Routing Attacks

68

Attackers

– Mote-class attackers

• Control a few ordinary sensor nodes

– Laptop-class attackers

• Access more powerful devices (i.e., laptops)

– Greater battery and processing power, memory – High-power radio transmitter, high bandwidth links to eavesdrop

• n the entire network

69

Attackers

– Outsider attackers

• Attacker has no special access to the sensor network
• Disable sensor nodes (i.e., physically destroy nodes)

– Insider attackers

• Node compromization running malicious code
• Attackers have stolen data (i.e., cryptographic keys) from legitimate

nodes

70

Attacks on Sensor Network Routing

– Bogus routing information – Selective forward – Sinkhole attack – Sybil attack – Wormholes – HELLO flood attack

71

Bogus routing information

– Spoofed, altered, replayed routing info

• Routing loops
• Attract or repel network traffic
• Extend or shorten routes
• Network partition

– Ack spoofing

• replay link layer acks to misrepresent link quality between nodes

72

Selective forward

– Malicious nodes selectively forwards packets

• drop subset of packets without being detected

1 3 2 4

Node A Node B

1 3 2 4

Node A

1 3 2 4

Node B

73

Sinkhole attack

– Attacker tries to attract all traffic destined for the sink from nodes several hops away from itself

• Anyone can spoof routing beacons and claim to be sink

Solution: Authenticate routing info

sink

74

Sybil attack

– A single node presents multiple identities to the other nodes Solution: Verify identities

Node has 5 neighbors

75

Wormholes

– The attacker tunnels msgs received in one part of the network and replays them in a different part

• use out-of-band fast channel to route msgs faster than regular

network

– This attack can be launched by insiders and outsiders

76

Wormholes

sink

Example: – Attacker A tunnels hello packets received from the sink and replay them to attacker B – Conseguence: many nodes cannot reach the sink Solution: avoid routing race conditions

77

HELLO flood attack

– Nodes broadcast HELLO packets to announce themselves to their neighbors

• broadcast msg to all nodes (laptop-class)
• disrupt topology construction

Solution: Verify the bidirectionality of links

78

Attacks on specific routing protocol

TinyOS beaconing

• Sink constructs depth first spanning tree with itself as root

Attacks

• Any node can claim to be a base station & become the destination of

all traffic in the network – HELLO attack

• If authenticated, a powerful laptop-class attacker can still mount a

wormhole / sinkhole attacks

Hello packets

79

Attacks on specific routing protocol

GeoRouting

• Routing based on receiver geographical position

Attacks

• Misrepresent location data for sinkhole attack
• Sybil Attacks

Broadcast messages:

• A at (0,1)
• A1 at (1,0)
• A2 at (1,3)
• A3 at (2,1)

1 2 2 1

Sensor node has 4 false neighbors

80

Attacks on specific routing protocol

Minimum Cost Forwarding

• Forwards a packet based on the cost of each node (to reach the

base station)

• Cost : hop count, energy, latency, loss etc

Attacks

• Can launch a sinkhole attack by advertising zero cost
• Advertise low cost path (can also use HELLO)

81

Attacks on specific routing protocol

LEACH: Low-Energy Adaptive Clustering Hierarchy

• Cluster-head gathers data from sensors within its cluster and sends

to base station

• Probabilistic selection of cluster-head to evenly distribute energy

consumption

• Nodes choose a cluster-head based on received signal strength

Attacks

• HELLO flood attack

82

Protocols analyzed [Karlof03b]

Bogus routing information, Sybil, HELLO floods Energy conserving topology maintenance Bogus routing information, selective forwarding, sinkholes, Sybil, wormholes Rumor routing Selective forwarding, HELLO floods Clustering based protocols (LEACH,TEEN,PEGASIS) Bogus routing information, selective forwarding, sinkholes, wormholes, HELLO floods Minimum cost forwarding Bogus routing information, selective forwarding, Sybil Geographic routing (GPSR,GEAR) Bogus routing information, selective forwarding, sinkholes, Sybil, wormholes, HELLO floods Directed diffusion and multipath variant Bogus routing information, selective forwarding, sinkholes, Sybil, wormholes, HELLO floods TinyOS beaconing

Relevant attacks Protocol

All insecure!!!

83

Countermeasures

– Encryption & Authentication

• Globally shared key (outsiders)
• Per link keys (insiders)

– Verify neighbors’ identities

• Prevents Sybil attacks

– Probabilistic routing

• Limits effects of selective forwarding

– Wormholes are hard to detect – Sinkholes are difficult to defend against in protocols that use advertise information (i.e. remaining energy)

84

References

Crypthographic mechanisms [Malan04] “A Public-Key Infrastructure for Key Distribution in TinyOS Based on Elliptic Curve Cryptography”. David J. Malan, Matt Welsh, and Michael D.

• Smith. First IEEE International Conference on Sensor and Ad Hoc

Communications and Networks. Santa Clara, California. October 2004. (http://www.eecs.harvard.edu/~malan/ ) [LiuNing05] An Liu, Peng Ning, "TinyECC: Elliptic Curve Cryptography for Sensor Networks (Version 0.1)", September , 2005http://discovery.csc.ncsu.edu/software/TinyECC/ . [Hasegawa05] “A Small and Fast Software Implementation of Elliptic Curve Cryptosystems over GF(p) on a 16-Bit Microcomputer”. TIEICE:IEICE Transactions on Communications/Electronics/Information and Systems, 1999. [SEC2] Certicom Research, “Sec 2: Recommended Elliptic Curve Domain Parameters” (Standard for efficient cryptography version 1.0), September 2002 (http://www.secg.org/download/aid-386/sec2_final.pdf ) [[TinyPK04] BBN Corporation. TinyPK Project. http://www.is.bbn.com/projects/lws-nest/

85

References

Key establishment & management [Chen00] M. Chen, W. Cui, V. Wen, A. Woo, “Secutiy and deployment issues in a sensor network” [Karlof03] Chris Karlof, Naveen Sastry and David Wagner, "TinySec: A Link Layer Security Architecture for Wireless Sensor Networks", Second ACM Conference on Embedded Networked Sensor Systems (SenSys 2004) [Undercoffer 02] Jeffery Undercoffer and Sasikanth Avancha and Anupam Joshi and John Pinkston (2002): “Security for Sensor Networks,” CADIP Research Symposium, 2002 [Perrig01] Adrian Perrig and Robert Szewczyk and J. D. Tygar and Victor Wen and David E. Culler (2001): “SPINS: Security Protocols for Sensor Networks,” Proceedings of Seventh Annual International Conference on Mobile Computing and Networks MOBICOM 2001, July 2001

86

References

[Eschenauerr02] Laurent Eschenauer and Virgil D. Gligor (2002): “A Key- Management Scheme for Distributed Sensor Networks,” Conference on Computer and Communications Security. Proceedings of the 9th ACM conference on Computer and communications security, Washington, DC, USA, 2002. [Chen03] H. Chan, A. Perrig, D. Song, “Random Key Predistribution Schemes for Sensor Networks”, IEEE Synposium on Security and Privacy, 2003. [Huang03] Adaptive random key distribution schemes for wireless sensor networks, WADIS 2003. [Wenliang03] W. Du, J. Deng, Y. Han, P. Varshney, “A pairwise key pre- distribution scheme for wireless sensor networks” [Liu03] D. Liu and P. Ning. Establishing pairwise keys in distributed sensor

• networks. In 10th ACM Conference on Computer and Communications

Security, October 2003. [Lamport81] L. Lamport. Password authentication with insecure

• communication. Communications of the ACM, 24(11):770/772, November

1981.

87

References

[Dini05] G. Dini and I. Savino. Scalable and secure group rekeying in wireless sensor networks. Routing attacks [Karlof03b] C. Karlof, D. Wagner, “Secure routing in sensor networks: Attacks and countermeasures”, Elsevier AdHoc Networks journal, special issue on sensor network applications and protocols, May 2003