Harald Vogt. Protocols for secure communication in wireless sensor networks. PhD thesis No. 18174, ETH Zurich, Zurich, Switzerland, 2009

Abstract

Wireless sensor networks are comprised of large numbers of resource-constrained and wirelessly communicating computing devices. Advances in computing and communication technology have made it possible to integrate sensing capabilities, wireless communication interfaces, and microprocessors into tiny devices that allow computational power to be embedded in arbitrary environments. The applications of wireless sensor networks range from surveillance and environmental monitoring to healthcare and the provisioning of context information for computing applications. Many of these applications have a direct impact on the welfare of human beings or are of high economic significance. Security breaches might lead to grave consequences, so it is important to protect wireless sensor networks against such threats.

The specific characteristics of wireless sensor networks make them vulnerable to attacks on their communication channels and their hardware. Cryptographic mechanisms can be employed to protect against some of the possible attacks: eavesdropping on messages is countered by encryption, and the injection of messages by the attacker is prevented by authentication. Unfortunately, direct physical access to the sensor nodes allows an attacker to manipulate them almost arbitrarily. In particular, nodes could be compromised and then made to execute malicious code injected by the attacker. Tamper resistance mechanisms applied to the nodes' hardware, concealment, surveillance and other techniques may be used to mitigate such attacks. However, such attacks cannot be completely prevented, and therefore any communication security scheme being used must be sufficiently resilient to tolerate a certain number of compromised nodes.

Consequently, an important objective is to limit the impact of a set of compromised nodes on the legitimate operation of the network to a minimum. This objective can optimally be achieved by cryptographic mechanisms that establish a direct security relationship between communicating end-points. This limits the influence that a single compromised node has to its own resources, so it cannot tamper with messages that originate at other nodes. However, such mechanisms are overly resource-demanding for many sensor nodes in terms of computational or communication complexity, especially due to the often ad hoc and transient nature of communication relationships. Thus, novel mechanisms are required that provide a sufficient level of security while respecting the constraints in wireless sensor networks.

Our thesis is that key pre-distribution is an appropriate technique for secret key agreement in wireless sensor networks, and that, based on locally shared keys, multi-hop communication can be adequately protected using an interleaved message authentication scheme. We argue that combined key pre-distribution schemes provide a feasible mechanism for key agreement in wireless sensor networks. They require only simple operations on sensor nodes, and their memory requirements can be adapted to the required security level and the available resources. Based on keys shared between nodes within a k-hop neighbourhood (with small k), a message authentication scheme is devised that allows for the secure transmission of messages over long distances.

In particular, our contributions are:

- A key establishment scheme for pairwise key agreement that can be efficiently implemented on resource-constrained wireless sensor nodes and provides resilience against node capture attacks.
- A message authentication scheme that relies on locally shared keys and symmetric cryptographic operations only, and provides a level of security approximating that of end-to-end security mechanisms.
  The foundation of the scheme's security is the creation of multiple disjoint authentication paths.
- An evaluation of this authentication scheme showing that it provides at least the same security level as a general communication scheme that relies on multiple disjoint physical paths.

The proposed security mechanisms protect the integrity of messages that are exchanged within a wireless sensor network. The achievable level of security is, given an attacker with moderate strength that is only able to capture a fraction of all nodes, comparable to that provided by end-to-end security mechanisms at a significantly lower cost in terms of computational resources.