Without Base Station

procedure in Figure 4.2 in next page.

4.2 Without Base Station

Different from the forward model, we give a framework without base station. In this model, each node broadcasts pseudorandom bits and receives the bits from its neighbors at the same time. The steps are similar to the forward model. We use Merkle Tree to authenticate the identity, too. The different steps are in the key distribution. This model doesn’t need to find out the collision bits. It just randomly

16

v1 v2

Broadcast r Broadcast r

]}

Figure 4.2. The procedure for Chapter 4.1

selects a part of the pseudorandom bits from the neighbors. And the node can reconstruct the pseudorandom bits and find the bits which be selected by their neighbors. This scheme divides into three phases, too. It is the same with forward scheme: Broadcasting Phase, and Key Establishment Phase. We will give the detail in next sections.

4.2.1 Broadcasting Phase

In this phase, it is different from the Session 4.1.1. This scheme doesn’t have the base station for broadcasting. The base station broadcasting is replaced by the node broadcasting. Each node v generates pseudorandom bits rv and broadcasts them. When the node v₂ receives r_v1 from its neighbor v₁ , it stores the bits

]}

find the common key, so the length of the value u is based on the security parameter of the pair-wise key, such as 32, 64, or 128 bits.

4.2.3 Key Establishment Phase

In this phase, we establish the pair-wise keys. After receives , it will responds its neighbor the index set

v2

v1

r

v1 I_v2 ={I_v21,I_v22,...,I_v2k} . And can reconstructs the pseudorandom bits r

v1 have the common bits and . Finally they can compute the hashing value We have given the one way procedure in Figure 4.3.

v1 v₂

Reconstruct pseudorandom , find

v1 v2

v1

Generate pseudorandom , broadcast r

]}

Figure 4.3. The procedure for Chapter 4.2

18

Chapter 5 Analysis

In this Chapter, we will talk about four parts: (1) analysis the authentication in pervious works and our scheme; (2) compare two models in our scheme; (3) analysis the connectivity, the security, and the overhead for our scheme; (4) discuss the deployment way for the model with base station.

5.1 Authentication for Pervious Works and Our Scheme

In key distribution schemes, the authentication is an important issue. If the scheme doesn’t include the authentication, the adversary maybe forges a legal member to break this system. We will discuss the requirement for the pervious works and our scheme.

In [5], they didn’t consider the authentication for their scheme, but it is necessary.

If the adversary compromised over one node, he can use the keys in those compromised nodes to forge other nodes. In [1] and [8], they have considered this problem, and they added Merkle Tree to authenticate the nodes’ identity. For our scheme, it doesn’t have any authentication in the original key distribution, and we also append Merkle Tree to authenticate the nodes’ identity. If we want to add the authentication, the node must preload some data about Merkle Tree.

But in [3] and [6], the authentication has been included by their key distributions.

For example in [3], the key information is contained by the row of the private matrix, and the identity of the node is related to that row. If the adversary doesn’t compromise the threshold of nodes, he can’t construct the private matrix and can’t get the identity’s row in the private matrix. If he can forge other node, he has broken the key distribution system.

On the other hand, for the schemes about the deployment, the key information contains the geography in the network. If the adversary doesn’t compromise the node in that geography, he can’t get any information about that node. Such as in [2], a node has unique key for other node and communicate through the internal node. If the adversary doesn’t compromise the node in the path, he can’t get any key information about all nodes in this path.

But there is a problem in Merkle Tree. If the adversary stores the authentication data for one node in previous communication, he can use those data to forge this node.

So this authentication system just could be used once. Maybe we can let the node be stable. If this node is authenticated by other node, those preloaded data is unusable.

And they use the agreement session key to establish an authentication system to solve this problem.

5.2 Compare Two Models in Our Scheme

We propose two models to distribute pair-wise key. Which is better? Or what environment does fit the models? We will talk about the difference in this session.

The main difference is network topologic. The base station broadcasts the random bits and other node receive. The model with base station has low communication load because each node doesn’t need to broadcast bits. By this reason,

20

the power consumption for sensor nodes is lower, and the life time of the battery is much longer. But it has some secure problem. The length of the broadcasting bits is limited by bandwidth. And the bandwidth for sensor networks is small (e.g. ZigBee 250kbps). If the adversary has large storage to store all broadcasting bits, he will know all keys between each pair of all nodes. In the other model, each node broadcasts pseudorandom bits to establish the pair-wise keys. Because all nodes broadcast different pseudorandom bits, the total size of the broadcasting bits is very large. Even the adversary has enough storage to store them, and he also has a problem to listen all nodes. The adversary must deploy more nodes to listen all broadcasting bits from the legal nodes. The security in the model without base station is better than the other model. But a major problem is the life time of the battery. Broadcasting data spends high power consumption. Hence it is a trade off for the sensor network. If you want low communication load and long battery life, you can choose the model with base station. If you want more secure, you can choose the model without base station.

5.3 Analysis for Our Scheme

In this session, we will focus on the connectivity and the security. We talk about the connectivity and the security first, and then discuss the overhead in the networks.

5.3.1 Connectivity

First, we talk about the local connectivity. In the model without base station, the key is established by transmitting bits directly. It neither uses the collision nor the randomness way to get the keys. So it must establish keys after running the procedures, and the connectivity is 100%.

In the model with base station, the pair-wise key is established by the collision of the storing data. If we use the parameter |A|=|B|=2 kn that are randomly chosen on , we will get the result that: [n]

4

] /

|

Pr[| A∩B <k =e^−k

By this result, we can construct a system as follow: the length of the broadcasting bits is n, and n is fixed. The length of the key is k bits. And each node stores

kn

u=2 bits randomly from the broadcasting bits. The size of u is depending on the length of k. Then two nodes which are neighbors check the common indexes form storing data. If the size of the collision bits is smaller than k, it mean that it is fail to establish the pair-wise key between two nodes, and this two nodes don’t connect. We consider the relation for the probability of the local connectivity and the length of the key. By the above parameters, the probability of the establishing key is , and we can get a Figure 5.1 by this formula.

4

1−e^−k/

Pr[share at least k bit]

k : The length of the key Figure 5.1 The probability of the connectivity

(bits)

22

From the formula, we can get the result. If the length of the key is longer, the probability of establishing pair-wise keys is higher. Because n is fixed, u is depending on k. If the length of the key is longer, the size of storing string is bigger. So the probability of establishing pair-wise keys is higher when k is bigger. In Figure 5.1, we show the relation between the length of the key and the probability of establishing pair-wise keys. When k = 20, the probability of establishing the key is almost 100%.

The result is much better than previous works. And from Corollary 2 in Session 3.2, the expected size of key is 4k. So the length of the pair-wise key approximates 4k.

On the other hand, we often set the length of the key over 32 bits, and the probability of the local connectivity is 100%. For this result, the globe connectivity is also 100% in the range of one base station. For the total networks, if there is over one node in the overlap range of two base stations’ range, it will connect with two ranges.

So the point is on the deployment of the base stations and nodes. If every overlap range has over one bridge node, the probability of the global connectivity is 100%, too. We will talk about it in Session 5.4.

5.3.2 Security

We discuss the security in this session. In previous works, the security is based on the ratio of the compromised node, because all keys are stored by all nodes. So the adversary compromises more nodes, and he will get more keys. But this discussion isn’t fit on our scheme. The security of our scheme is based on the ratio of the broadcasting bits that is stored by the adversary. We assume that the adversary can store αn bits. α is the ratio of the adversary storing the broadcasting bits, and it is a decimal between 0 and 1, and we express it by α∈

( )

0,1 . n is the size of the

broadcasting bits. The ratio that each bit is stored by the adversary is α. First, we talk about the probability Pr[get full key] that the adversary stores all bits of the key. If the key is k bits, the probability Pr[get full key] is

And we show the figure with the relation for Pr[get full key], α, and k.

Pr[ G et full key]

k=64 k=128

k=32

Figure 5.2 The probability getting the full key α: The ratio of the adversary stored

From Figure 5.2, the probability that the adversary stores all bits of the key is very small. The adversary can’t get all bits until α > 0.8. If k is bigger, the probability is smaller. But we can’t limit the times that the adversary tests the correctness of the key. If only one bit wasn’t stored, the adversary just guessed at most two times to get

24

the key. Hence we consider the next analysis. The adversary can compute the key if the unknown bits of the key are less than x bits. When x bits are unknown, the adversary has to test at most 2^x times to compute the key. By this setting, we can get a formula that the adversary finds the key:

∑ ∏ ∏

In this formula, we consider all case that the adversary can find the key and sum up them. The result of the formula limits the adversary’s computational power with 2^x. In the Figure 5.3, we set x = 32, and the length of the key are 64 and 128bit.

x=32

k=64

Pr[Find the key]

k=128

Figure 5.3 The probability getting the enough information for the key α: The ratio of the adversary stored

When the key length is 64 bits and α is less than 0.3, the adversary can’t get any information about the key. If α is larger than 0.6, the adversary will compute all keys in this system. In 128 bits, it is more secure than 64 bits. It is perfect secret when α is

0.6 and discloses all key when α is 0.82. By Session 5.3.1 and 5.3.2, the length of the key is larger, and the connectivity and security are better.

By above discussion, we have ignored one fact. The expected size of collision is 4k, and we use 4k instead of k. For real model, the formula is much like:

∑ ∏ ∏

We use this formula to update the figure as follow.

x=32

Pr[Find the key]

k=64

k=128

α: The ratio of the adversary stored Figure 5.4 The probability for the real model

Form Figure 5.4, the probability is much smaller than the probability in Figure 5.3. If less 80% bits are stored by the adversary, he can’t get any information about keys.

In the model without base station, the key size is chosen by the node. Different with above discussion, we will talk about the length of the key and α. The formula is

26

the same with the above:

But we construct the different figure. We set that α is 0.5, 0.7 and 0.9, and look for the relation the length of the key:

x=32

α=0.9 α=0.5

Pr[Find the key]

α=0.7

(bits) k : The length of the key

Figure 5.5 The probability for the model without base station

We can get the result from Figure 5.5. If the adversary stores 90% broadcasting bits and we want the probability 50% that the adversary can’t compute the key, we must select the length of the key with over 320 bits. We can follow our requirement to select the parameters. And we will talk about the overhead in below session.

5.3.3 Overhead

If the length of the key is large, the system is more secure. But there are some

problems in this setting. The length of the key is larger, and the size of storing bits is larger. By Session 3.2, we choose the storage size u=2 kn. u concerns the length of the key and the broadcasting bits. And each node must store authentication data (O(log v) ) from Merkle Tree. The overhead of the storage for every node is

O + , and the result suites for the model with base station. In the model without base station, the storage overhead is based on the length of the key. So the overhead of the storage for every node is O(k)+O(logv).

Next, we will discuss the communication overhead in the sensor networks. The overhead of the communication in the model with base station is , which the length of broadcasting bits from the base station. And each node exchange the date with the indexes (

n

kn

u =2 ) and the authentication data ( ). So the total communication overhand for the network is

)

number of the nodes. On the other hand, the overhead of the communication in the model without base station is the broadcasting data (n), the indexes (k), and the authentication data ( ). So the total communication overhand for the network is . By above results, the load in model without base station is much larger than the model with base station. But maybe the size of the broadcasting bits n is different.

)

On the computation overhead, two models are different. In the model with base station, the main load is based on finding collision. Because the index is sorted, the load of finding collision for a node is ^O

( )

^{u ≈O}

( )

ⁿ . And the computation overhead of the authentication is computing the root. It costs hashing. In the model without base station, the load is based on generating pseudorandom string. We assume that the computation of one bit pseudorandom generator is

v log

( )

r

O , and the overhead

28

for a node is . In the model without base station, it needs hashing to authenticate node’s identity, too. By above discussion, the overhead in the model with base station is smaller than the other.

( )

rn

O logv

5.4 Deployment for the Model with Base Station

In the model with base station, there are several base stations in the network. We call the coverage of a base station broadcasting range. The communication between different broadcasting ranges is through the node within two broadcasting ranges. In Session 4.1, we call that node bridge node. If we want that there is at least one node in the overlap of the broadcasting ranges, how do we deploy the base stations and all nodes? How many neighbors are there for a node? We will give the discussion in next paragraph.

We assume the radius of a broadcast rang is r, the radius of the communication range for a node is βr, 10<β < , and there are v nodes in a broadcasting range. The area for a broadcasting range is , and the average of the area for a node in a broadcasting range is

r2

π

r²v

π . And we know the area of the communication range for a node is πβ²r². We can estimate the number of the neighbors as bellow:

β is the number of nodes in a communication range of a node, and we subtract a node for the center of a circle.

And the overlap area between two broadcasting ranges must contain at least one bridge node. It means that the overlap area is bigger than the average of the area for a node in a broadcasting range. We use the above setting. We set that the weight of the

overlap area is equal to the diameter of the average of the area for a node in a broadcasting range. We draw the figure in the Figure 5.6. By this setting, we can compute that the weight of the overlap area is

r v

2 .

r

r v

Figure 5.6 The deployment for the model with base station

30

Chapter 6 Simulation

For our scheme, we write a program to simulate the connectivity and security. By the result of this simulation, there are some differences with the analysis in Chapter 5.

We will discuss it in next paragraph.

We don’t use the simulation tools for networks, such like NS2 or NCTUNS.

Because we just discuss the local connectivity and security, it doesn’t need the complex program. We use C#.NET to write a simple program. We can input some parameters to set the system. Those setting include the length of the broadcasting string and the pair-wise key, the number of nodes and neighbors, the ratio of the broadcasting string which the adversary can store, and the limit for the adversary. And we can get the number of all links and connected links, the size of the storing bits for each node, and the number of the broken links. In Figure 6.1, it is the interface of the simulation program.

In this simulation, the size of the broadcasting string is 2Mbytes, and we test 1~64 bits key to simulate the local connectivity. On the other hand, we test α= 0.5, α= 0.9, and x = 32 to find the probability of the security.

By this simulation, we get some results that are different with the analysis. First is about the connectivity. In Session 5.3.1, the formula is . If k is equal to 1, the probability of connectivity is . But by the result of the

4

] /

|

Pr[|A∩B <k <e^−k

4 /

−1

e

simulation, the probability is 98%. In fact, the probability is almost 100% whatever k is. This result is better than the analysis. The connectivity isn’t an issue in our scheme.

It means that the node and its neighbors will clearly establish the keys.

On the other hand, the result of the security is closed to the formula

in Session 5.3.2. It means that our assumption is correct in

Session 5.3.2. It is much secret in real model.

∑

⎟⎟⎠ ^{− −}

⎜⎜ ⎞

⎝

⎛

x i k i

i

k ₄

) 1 4 (

α α

= i 0

The number of the nodes in a broadcasting range

The number of the neighbors for a node

The number of all probable links and the links of establishing key

The ratio of broadcasting bits which are stored by the adversary

Limited unknown bits which the adversary can compute

The number of the links which are broken by the adversary

Figure 6.1 The user interface for the simulation

32

Chapter 7 Conclusion

We propose a novel scheme with two models to distribute the pair-wise keys.

This scheme is based on Bounded Storage Model. We assume that the adversary can’t

This scheme is based on Bounded Storage Model. We assume that the adversary can’t

在文檔中 無線感測網路中基於儲存限制模型下的金鑰分配系統 (頁 22-0)