- About this Journal ·
- Abstracting and Indexing ·
- Aims and Scope ·
- Annual Issues ·
- Article Processing Charges ·
- Articles in Press ·
- Author Guidelines ·
- Bibliographic Information ·
- Citations to this Journal ·
- Contact Information ·
- Editorial Board ·
- Editorial Workflow ·
- Free eTOC Alerts ·
- Publication Ethics ·
- Reviewers Acknowledgment ·
- Submit a Manuscript ·
- Subscription Information ·
- Table of Contents

International Journal of Distributed Sensor Networks

Volume 2012 (2012), Article ID 821486, 7 pages

http://dx.doi.org/10.1155/2012/821486

## Self-Healing Key-Distribution Scheme with Collusion Attack Resistance Based on One-Way Key Chains and Secret Sharing in Wireless Sensor Networks

^{1}School of Software Technology, Dalian University of Technology, Dalian 116621, China^{2}School of Electronic Science and Technology, Dalian University of Technology, Dalian 116024, China^{3}School of Civil Engineering, Dalian University of Technology, Dalian 116024, China

Received 14 June 2012; Accepted 21 August 2012

Academic Editor: Leonardo B. Oliveira

Copyright © 2012 Dong Jiao et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

#### Abstract

In wireless sensor networks, self-healing key-distribution schemes are used to ensure that, even if the message packets that are broadcast in some sessions get lost, the group nodes can still recover the lost session keys simply by using their personal secret keys and broadcast messages that have been received without requesting additional transmissions from the group manager. These schemes reduce network traffic, decrease the group manager's workload, and lower the risk of node exposure through traffic analysis. However, most existing schemes have many deficiencies, such as high overhead for storage and communication and collusion attacks. In this paper, we have proposed a modified, self-healing, key-distribution scheme based on one-way key chains and secret sharing. Our scheme has the properties of constant storage, lower communication overhead, long lifespan, forward secrecy, backward secrecy, and resistance to collusion attacks.

#### 1. Introduction

Wireless sensor networks (WSNs) are composed of a large number of sensor nodes with limited power, storage, computation, and communication capabilities. WSNs have wide applications in military operations and scientific exploration [1, 2] in which there may be inadequate support by the infrastructure of the network, allowing adversaries to potentially intercept, modify, or partially interrupt communication. In such applications, security is a critical concern. In addition, in some deployment scenarios, sensor nodes must operate under adversarial conditions. Therefore, determining how to distribute group session keys for secure communication to a large dynamic group over an unreliable network is a serious issue. In WSNs, packet loss occurs frequently. Messages that are broadcast by the group manager (base station) might never reach some authorized nodes (sensor nodes). So, it is important to guarantee the reliable transmission of information for updating the group’s session keys to the authorized nodes. An easy solution is requesting retransmission, but requesting retransmission increases the overhead associated with communication incurs a high risk of revealing the nodes’ physical locations, which is not acceptable in some high-security environments.

A self-healing, key-distribution scheme is proposed to solve the problem described above. The main concept of self-healing, key-distribution schemes is that, even if the message packets that are broadcast in some sessions get lost, the group nodes can still recover the lost session keys simply by using their personal secret keys and broadcast messages that have been received without requesting additional transmissions from the group manager. These schemes reduce network traffic, decrease the group manager’s workload, and lower the risk of node exposure through traffic analysis. Figure 1 shows network topology in a key distribution scheme under adversarial conditions.

In 2002, Staddon et al. [3] proposed the first self-healing, key-distribution scheme with revocation using secret sharing [4]. However, Staddon et al.’s schemes incur high overhead for storage and communication. Later, several other schemes were proposed [5–9] based on Staddon et al.’s schemes. Liu et al. (2003) generalized the definitions and security notions and proposed a new scheme that significantly decreased the overhead for communication by introducing a novel, personal key-distribution [5]. Blundo et al. [10] showed that the first scheme in [3] is insecure. An adversary could recover the group’s session key with just broadcast messages. In [11], Dutta et al. proposed two self-healing, key-distribution schemes with revocation that were secure, but they did not consider collusion attacks. In [12], Dutta et al. proposed a new self-healing key-distribution scheme with a constant storage overhead by using only one secret polynomial. But Xu and He’s scheme [13] and Du and He’s scheme [14] showed that the scheme in [12] was insecure. Any user can recover the manager’s secret polynomial, which should not been known by any user. Xu and He (2009) proposed two schemes in [13], one of which improved the scheme in [12] by using an access polynomial instead of the revocation polynomial with the other, which was based on the scheme in [11], still using an access polynomial. But neither of the two schemes proposed in [13] considered collusion attacks between the revoked user and the newly-joined user. In [14], Du and He proposed a new self-healing, key-distribution scheme with revocation and resistance to collusion attacks. However, Bao and Zhang (2011) showed that the scheme in [14] was vulnerable to collusion attacks [15]. A revoked user and a newly-joined user easily could recover the session keys that they should not know. However, Bao and Zhang (2011) used secret polynomials for sessions and an access polynomial in the broadcast phase, which resulted in an excessive communication overhead.

In this paper, we propose a self-healing key-distribution scheme for WSNs based on one-way key chains and secret sharing. In our scheme, only one secret polynomial is used in all sessions, and modified access polynomials are used, which produces a lower communication overhead. Also, our scheme can resist collusion attacks between a newly-joined user and a revoked user.

The rest of the paper is organized as follows. In Section 2, the security model is presented and Bao and Zhang’s scheme [15] is reviewed briefly. In Section 3, our modified, self-healing, key-distribution scheme is proposed. Then, we discuss the security and performance of our scheme in Section 4. Our conclusions are presented in Section 5.

#### 2. Preliminaries

In this section, we briefly introduce Bao and Zhang’s scheme [15] and the security definitions. The following notations will be used in the rest of the paper. is the set of all users (sensor nodes) in wireless sensor networks. is the user in . is the identity of . GM is the group manager (base station). is the total number of users in . is the total number of sessions. is the maximum number of compromised users in all sessions. is a large prime modulus, where . is a large prime divisor of , where and . are generators with order in GF(). is the secret polynomial of degree generated by GM. is the personal secret of user . is the broadcast message generated by GM for session . is the self-healing key generated by GM for session . is the session key in session generated by GM. is the initial key seed generated by GM. is the set of all revoked users in and before session . is the set of nonrevoked users in session . are two cryptographically secure, one-way functions, and . is a symmetric decryption function. is a symmetric encryption function.

##### 2.1. Security Model

*Definition 1 1 (self-healing key-distribution with -revocation capability [11]). *A key-distribution scheme is a self-healing, key-distribution scheme with *t*-revocation capability if the following conditions are true.(a) For any nonrevoked user in session , the group session key is efficiently determined by the broadcast message and the personal secret .(b) The group session key cannot be determined by what the non-revoked users learn from or their own personal secret alone.(c)*t*-revocation capability: for each session , let denote a set of revoked users in and before session , where , the group manager can generate a broadcast message such that all the revoked users in cannot recover the group session key .(d) Self-healing property: any who joins in or before session and is not revoked before session () can recover all the keys ) by the broadcast messages , , and the personal secret .

*Definition 2 2 ( t-wise forward secrecy [11]). *Let denote a set of all revoked users in and before session , where . A key-distribution scheme guarantees forward secrecy if the members in together cannot get any information about , even with the knowledge of group session keys before session .

*Definition 3 ( t-wise backward secrecy [11]). * Let denote a set of users who join the group after session , where . A key-distribution scheme guarantees backward secrecy if the members in together cannot get any information about , even with the knowledge of group session keys after session .

*Definition 4 (resistance to the collusion attack [16]). * Let denote a set of all revoked users in and before session and let denote a set of users who join the group after session , where and . A key-distribution scheme with resistance to collusion attacks means that, even if all users in and cooperate, they cannot get any information about keys , for all .

##### 2.2. Review of Bao and Zhang’s Scheme

In [15], Bao and Zhang proposed an improved key-distribution scheme for [14] that included resistance to collusion attacks. The scheme is divided into the four phases described below.

*Phase 1: Setup*

First, the GM randomly chooses polynomials , each of degree .

Second, the GM randomly chooses numbers for each session.

Third, the GM chooses a random secret value for user and the values are different from each other. Then, the GM sends the personal secret to user in a secure manner. (The term denotes the session number when the user joins the group and .)

Then, the GM randomly chooses a prime, initial key seed , which is kept secret and numbers as the self-healing keys.

The GM computes a key seed and corresponding key chain for each session using two one-way hash functions and numbers . For , the key seed of session is computed as shown:

And the key chain of session of length is computed as shown:
where means applying the hash operation times. Then, is the key chain of session , and the group session key in session is .

*Phase 2: Broadcast*

Let be the set of all active users for session , where is the number of active users in session . Let be the set of all active users’ secret values in session . Then, the GM generates of size as a masking key sequence for session by applying XOR on both , and every key forms the key chain of session , where

In session , the GM broadcasts the following message:
where is an access polynomial. When an active user receives the broadcast message of session , can evaluate by using its secret value , where denotes that has joined the group in session . However, a revoked user can only evaluate a random value.

*Phase 3: Group Session Key and Self-Healing Key Recovery*

When a nonrevoked user in session , who joins in the group in session , receives the broadcast message of session , can recover the group session key as follows.

First, computes from (4), where and . Then, evaluates from (3), where is secret value of .

Then can compute all the future keys in the key chain of session by using the one-way hash function . The group session key of session is .

Then, can decrypt , , …, by using the corresponding keys to get the corresponding self-healing keys .

However, a revoked user can recover neither the group session key nor the self-healing keys of session , since is a random number for any user .

*Phase 4: Add Group Members*

If a new user wants to join the group in session , the GM chooses a never-used identity for . Then, the GM selects a random secret value and sends the personal secret key to using RSA algorithm.

#### 3. The Proposed Scheme

In this section, we propose an improved version of Bao and Zhang’s scheme [15] using secret sharing. In our scheme, we use only one secret polynomial and modified access polynomials, which lower the communication overhead. Our scheme is divided into four phases, as follows.

*Phase 1: Initiation*

First, the GM creates a polynomial of degree as the secret polynomial. Then, the GM chooses as generators with order in GF() and for each session.

Second, the GM selects a unique identity for user and sends to user for as personal secret keys via a secure communication channel, where denotes the session number when the user joined the group. For example, user , who joins the group in session 1, will receive .

Then, the GM randomly chooses a prime initial key seed , which is kept secret, and numbers as the self-healing keys.

In our scheme, as in Du-He’s scheme [14], we still use key chains. The GM computes a key seed and corresponding key chain for each session using two one-way hash functions and numbers . For , the key seed of session is computed by (1): .

And the key chain of session of length is computed by (2): , where means applying the hash operation times. Then, is the key chain of session and the group session key in session is .

*Phase 2: Broadcast*

Assume that and are the sets of all revoked users in and before session , respectively. Let be the set of all nonrevoked users in session . In session , the GM chooses a set of nonzero indices such that , but , where denotes the set of indices of the users in , and represents the indices of users in . Let be the set of indices of the users who join the group in session and are still active in session , where is the number of users of the set and and . Then, the GM computes a sequence using the key chain of session as shown:
where is a modified-access polynomial. and are randomly selected by the GM in , such that is different from all users’ indices. When an active user receives the broadcast message of session , can evaluate by using its secret identity value , where denotes that joined the group in session . However, a revoked user or an active user who does not join in the group in session only can evaluate a random value.

Then, the GM broadcasts the following message :

*Phase 3: Group Session Key Recovery and Self-Healing Key Recovery*

When a non-revoked user , who joins the group in session , receives the broadcast message of session , he or she can recover by Lagrange’s interpolation using and her or his personal secret keys as following:
where

With , user can recover , then he or she can recover by (5) with , as follows:
where denotes the session number when joined the group, and is the secret of user distributed by the GM when he or she joins the group in session .

Then, computes the group session key of session as .

User also can recover the self-healing key using and . First, computes all the keys in the key chain of session by using the one-way hash function . Then, can decrypt by using the keys to get . Then, the user with session key can recover all session keys between session to based on (1) and (2).

A user who was revoked in session cannot recover the current group session key or the self-healing key even with the , since he or she cannot recover based on Lagrange’s interpolation.

*Phase 4: New User Added*

If a user wishes to be added to the group in session *j*, GM chooses a unique and never-used identity for and sends the secret to using the RSA algorithm.

#### 4. Security and Performance Analyses

In this section, we show that our proposed scheme has self-healing property, forward security, backward security, and resistance to collusion attacks. Compared with Bao and Zhang’s scheme [15], our scheme has lower communication overhead.

##### 4.1. Self-Healing Property

Assume that , who join the group in session , are active in session and session , where . And receive session-key broadcast messages and but lose the session key broadcast message , where . Users can still recover all the lost session keys for as follows.(1) When the broadcast message is received, can recover using their personal secrets by (7) and (8). Then, because are active users in session , can recover by (5) and (9), where . Then, compute the group session key of session as .(2) When the broadcast message is received, can recover using their personal secrets by (7) and (8). Then, because are active users in session , can recover by (5) and (9), where . compute all the keys in the key chain of session by using the one-way hash function . Then, can recover using the keys by decryption .(3) With and , can recover all session keys for by (1) and (2).

Therefore, our scheme achieves the self-healing property.

##### 4.2. Forward Secrecy

Let and be the set of all revoked users in and before session , respectively. Then, we show that the coalition cannot get any information about the current session key , even with the previous group session keys before session . To recover the session key , user must recover by (5), where denotes the session number when joined the group. But for revoked users , is a random value that is not known by . Moreover, cannot recover even with all of the information of all revoked users, because, according to Lagrange’s interpolation, to recover , must know at least () number pairs, such as , where is a point on . Since the size of the coalition is, at most, , the coalition cannot recover . In [17], Harn showed that may be able to recover with the previous and when . But in our scheme, the probability is , which is extremely low and can be almost neglected. After all, the coalition cannot get any information about the current session key .

The above analysis shows that our scheme is forward secure.

##### 4.3. Backward Secrecy

Let , where , be the set of all users who join the group after session . We will show that the coalition cannot get any information about any previous session key for , even with the knowledge of group keys after session .

Users in can get only the session keys and self-healing keys . Without loss of generality, one can get and by (1) and (2), where and are two one-way hash functions. It is computationally infeasible for any user in to compute any previous session key with keys and self-healing keys for .

However, users in could attempt to recover the previous session keys by their personal secret keys and the previous broadcast messages. However, by (5) and (6), it is evident that the previous broadcast messages do not have the equations for users in . So users in cannot recover the previous session keys.

The above analysis shows that our scheme is backward secure.

##### 4.4. Resistance to Collusion Attack

Let be the set of all revoked users in and before session and let be the set of all users who join the group from session . We will show that collusion of and cannot recover any session key () with their personal secret keys and the broadcast message and .

To recover session key (), must recover the self-healing keys . Without loss of generality, assume that joins the group in session and that joins the group in session . For the equation, , since user , who joined the group in session , is not active in session , is a random number. Then, cannot recover even with and provided by user . Therefore, users in cannot recover the self-healing keys and session key ().

The above analysis shows that our scheme can resist collusion attacks.

##### 4.5. Constant Storage Overhead and Lower Communication Overhead

Our scheme has a constant storage overhead, which comes only from the user’s personal secret keys . So, the storage overhead is bits.

In our scheme, we use only one secret polynomial and modified access polynomials, which lower the communication overhead. The communication overhead is , where is the maximum number of revoked users, and is the number of active users in session . Table 1 shows the comparison among the different schemes.

#### 5. Conclusions

In this paper, we proposed a modified and an improved version of Bao and Zhang’s scheme. Our scheme uses only one secret polynomial and modified access polynomials, which achieve a lower communication overhead. In addition, our scheme has the properties of constant storage, long lifespan, forward secrecy, backward secrecy, and resistance to collusion attacks. And, compared with the previous schemes, our proposed scheme is an efficient and secure, self-healing, key-distribution scheme for WSNs.

#### Acknowledgments

Financial supports for this study provided by grant from National Natural Science Foundation of China (Project nos. 51108060, 50921001, 90815022), National Key Technology Research and Development Program during the Twelfth Five-Year Plan Period (Project no. 2011BAK02B01), and the Fundamental Research Funds for the Central Universities (Project no. DUT12JR13) are gratefully acknowledged.

#### References

- Y. Yu, J. Ou, J. Zhang, C. Zhang, and L. Li, “Development of wireless MEMS inclination sensor system for swing monitoring of large-scale hook structures,”
*IEEE Transactions on Industrial Electronics*, vol. 56, no. 4, pp. 1072–1078, 2009. View at Publisher · View at Google Scholar · View at Scopus - Y. Yu and J. Ou, “Wireless collection and data fusion method of strain signal in civil engineering structures,”
*Sensor Review*, vol. 29, no. 1, pp. 63–69, 2009. View at Publisher · View at Google Scholar · View at Scopus - J. Staddon, S. Miner, M. Franklin, D. Balfanz, M. Malkin, and D. Dean, “Self-healing key distribution with revocation,” in
*Proceedings of the IEEE Symposium on Security and Privacy*, pp. 241–257, May 2002. View at Scopus - A. Shamir, “How to share a secret,”
*Communications of the ACM*, vol. 22, no. 11, pp. 612–613, 1979. View at Publisher · View at Google Scholar · View at Scopus - D. Liu, P. Ning, and K. Sun, “Efficient self-healing group key distribution with revocation capability,” in
*Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS'03)*, pp. 231–240, New York, NY, USA, October 2003. View at Scopus - S. M. More, M. Malkin, J. Staddon, and D. Balfanz, “Sliding-window self-healing key distribution,” in
*Proceedings of the ACM Workshop on Survivable and Self-Regenerative Systems (In Association with 10th ACM Conference on Computer Communications Security)*, pp. 82–90, October 2003. View at Scopus - C. Blundo, P. D'Arco, A. Santis, and M. Listo, “Definitions and bounds for self-healing key distribution,” in
*31st International Colloquium on Automata, Languages, and Programming (ICALP 2004)*, J. Díaz, J. Karhumaki, A. Lepistö, and D. Sannella, Eds., vol. 3142 of*Lecture Notes in Computer Science*, pp. 234–246, Springer, NewYork, NY, USA, 2004. - D. Hong and J. S. Kang, “An efficient key distribution scheme with self-healing property,”
*IEEE Communications Letters*, vol. 9, no. 8, pp. 759–761, 2005. View at Publisher · View at Google Scholar · View at Scopus - T. Biming and H. Mingxing, “A Self-healing key distribution scheme with novel properties,”
*International Journal of Network Security*, vol. 7, no. 1, pp. 115–120, 2008. - C. Blundo, P. D'Arco, and M. Listo, “A flaw in a self-healing key distribution scheme,” in
*Proceedings of the Information Theory Workshop*, pp. 163–166, Paris, France, 2003. View at Publisher · View at Google Scholar - R. Dutta, E. Chang, and S. Mukhopadhyay, “Efficient self-healing key distribution with revocation for wireless sensor networks using one way hash chains,” in
*Proceedings of the 5th International Conference on Applied Cryptography and Network Security (ACNS'07)*, J. Katz and M. Yung, Eds., vol. 4521 of*Lecture Notes in Computer Science*, pp. 385–400, Springer, Heidelberg, Germany, 2007. - R. Dutta, Y. D. Wu, and S. Mukhopadhyay, “Constant storage self-healing key distribution with revocation in wireless sensor network,” in
*Proceedings of the IEEE International Conference on Communications (ICC'07)*, pp. 1323–1328, Glasgow, UK, June 2007. View at Publisher · View at Google Scholar · View at Scopus - Q. Y. Xu and M. X. He, “Improved constant storage self-healing key distribution with revocation in wireless sensor network,” in
*Information Security Applications (WISA 2008)*, vol. 5379 of*Lecture Notes in Computer Science*, pp. 41–55, Springer, Heidelberg, Germany, 2009. - W. Du and M. X. He, “Self-healing key distribution with revocation and resistance to the collusion attack in wireless sensor networks,” in
*Provable Security (ProvSec 2008)*, vol. 5324 of*Lecture Notes in Computer Science*, pp. 345–359, Springer, Heidelberg, Germany, 2008. - K. H. Bao and Z. F. Zhang, “Collusion attack on a self-healing key distribution with revocation in wireless sensor networks,” in
*Information Security Applications (WISA 2010)*, vol. 6513 of*Lecture Notes in Computer Science*, pp. 221–233, Springer, Heidelberg, Germany, 2011. - C. Blundo, P. D'Arco, A. de Santis, and M. Listo, “Design of self-healing key distribution schemes,”
*Designs, Codes, and Cryptography*, vol. 32, no. 1–3, pp. 15–44, 2004. View at Publisher · View at Google Scholar · View at Scopus - L. Harn, “Efficient sharing (broadcasting) of multiple secrets,”
*IEE Proceedings: Computers and Digital Techniques*, vol. 142, no. 3, pp. 237–240, 1995. View at Publisher · View at Google Scholar · View at Scopus