15.6. Interaction Between Survivability and Security in Wireless Networks

A major area of research that has been neglected is the interaction between survivability and security. Survivability and security have been usually studied separately. A system may be survivable under component failures but may make itself vulnerable to security attacks because of the restoration mechanisms employed. Also, automatic recovery from a security breach in wireless networks is not very well understood. Very few works exist in the literature that consider the two aspects together even for wired networks. Furthermore, in wireless networks, the two aspects are closely related because of the need to secure the broadcast wireless link and also keep a network survivable. Recent activities in Network Reliability and Interoperability Council (NRIC) VI Wireless Network Reliability Focus Group indicate that network interoperability and security are considered to the extent that they can impact network survivability. In addition, access to remote wireless network elements (e.g., cell sites) for restoration of service can often be delayed due to security concerns. The security and survivability and their interoperability in the wireless networks need to be improved [35].

15.6.1. Extending the Framework to Include Interactions between Security and Survivability

The framework for security and survivability in the last section can also be used to understand the interaction between security and survivability in wireless networks. A range of issues exists, such as the impact of node and link failures and restoration schemes on the security architecture, and the impact of attacks on components of the survivability strategies and methods of recovery. Table 15.7 shows some examples of each case at the RNS, ANS, INS, and SenS levels. At each of the levels, possible failure/attack scenarios, the impact of those scenarios, survivability measures related to security, and security measures related to survivability are identified.

Table 15.7. Typical survivability and security features and mechanisms that need to be in place.

Subsystem: RNS
Failure/Attack Scenario: Loss of BS/Node B
Impact: Service loss requiring MSs to move to neighboring cell
Survivability Measures Related to Security: Generate spare keys for failure scenario
Security Measures Related to Survivability: Need authentication of failure and reconnect messages

Subsystem: RNS
Failure/Attack Scenario: Compromise of BCCH
Impact: Loss of access to cell and potential impact on signal strength measurements
Survivability Measures Related to Security: Generate redundant BCCH
Security Measures Related to Survivability: Quick detection of compromise, and authenticate the updated BCCH to MS

Subsystem: ANS
Failure/Attack Scenario: Loss of BSC-SGSN link and compromise of SGSN
Impact: Partial/full-service loss in a cell or cluster of cells, increased traffic in cells adjacent to failure, and loss of data integrity and exposure of session keys
Survivability Measures Related to Security: Hold spare session keys in SGSNs targeted for handoff and in neighboring clusters and reroute traffic to another SGSN from a BSC
Security Measures Related to Survivability: Need authentication of messages to MSs asking them to defer new calls and setup of new session keys and authentication of new session between BSC and secondary SGSN

Subsystem: INS
Failure/Attack Scenario: Loss of VLR
Impact: Loss of roaming service in a coverage area or network/subnetwork
Survivability Measures Related to Security: VLR with physical diversity must have a spare subset of nonces and keys
Security Measures Related to Survivability: Need to authenticate the spare VLR and ensure that new nonces and keys replace the spare subset rapidly

Subsystem: INS
Failure/Attack Scenario: Compromise of HLR-VLR link
Impact: Man-in-the-middle attack exposes the session key
Survivability Measures Related to Security: Physically separate spare link
Security Measures Related to Survivability: Detection of compromise and check integrity of spare link

Subsystem: SenS
Failure/Attack Scenario: Failed sensor node(s) and compromise of sensor nodes
Impact: Network partition or impact on data delivery, and false data injected into the network
Survivability Measures Related to Security: Wake up sleeping nodes to fill holes, wake up additional nodes to verify sensed data, and rekeying protocols
Security Measures Related to Survivability: Woken nodes need to establish secure links (check for nodes that they share keys with), and detection of compromise and check integrity of received data

At the RNS level, an example of a failure/attack scenario is the loss of a BS/Node B or compromise of the BCCH message in a cell. When a BS or Node B fails, several MSs will try to reconnect to nearby Node Bs that may have overlapping coverage. The survivability measures related to security are now required to generate spare keys for the failure scenario, while the security measures related to survivability now need to perform authentication of failure and reconnect messages. When the attack scenario is the compromise of the BCCH, MSs will likely lose access to the cell, and it also has potential impact on signal strength measurements. Now the survivability measures related to security are required to generate a redundant BCCH first, perhaps sending the information through neighboring Node Bs. The security measures related to survivability need to quickly detect the compromise and authenticate the updated BCCH to the MSs.

At the ANS level, an example of a failure/attack scenario is the loss of a BSC-SGSN link or compromise of the SGSN. When a BSC-SGSN link fails, there will be partial- or full-service loss in a cell or cluster of cells, and there will be increased traffic in cells adjacent to the failed link. The survivability measures related to security are required to hold spare session keys in SGSNs targeted for handoff and in neighboring clusters, while the security measures related to survivability need authentication of messages to MSs asking them to defer new calls. When compromise of the SGSN happens, there will be loss of data integrity and exposure of session keys. Now the survivability measures related to security are required to reroute traffic to another SGSN from a BSC, while the security measures related to survivability need the setup of new session keys and authentication of a new session between the affected BSC and the secondary SGSN.

At the INS level, an example of a failure/attack scenario is the loss of the VLR or compromise of the HLR-VLR link. When a VLR fails, there will be loss of roaming service in the coverage area of a network/subnetwork. The survivability measures related to security will be required to have a spare subset of nonces and keys for the VLR with physical diversity, while the security measures related to survivability need to authenticate the spare VLR and ensure that new nonces and keys rapidly replace the spare subset. When compromise of the HLR-VLR link happens, the session key could be exposed and man-in-the-middle attacks can be launched. Now the survivability measures related to security are required to physically separate the spare link, while the security measures related to survivability need to quickly detect the compromise and check the integrity of the spare link.

At the SenS level, one example of failure is a group of sensor nodes dying due to hardware failures or battery exhaustion. The network may be partitioned unless redundant nodes that are sleeping are woken up by broadcast messages from a BS. However, such nodes may not share keys with neighboring sensor nodes, or they may have to discover those nodes with which they share a key to secure the new links and routes created in the sensor network. Similarly, if some sensor nodes are compromised and they inject fabricated data into the network, upon detection of such compromise, other nodes in their vicinity may have to be queried to send sensed data that may be essential for the application. It may be necessary to have some restoration schemes for rekeying the sensor nodes that are not compromised if keys are revealed by the compromised nodes.

15.6.2. Case Study I: Idle Handoffs

Figure 15.3 shows another example of the interaction between survivability and security. In a UMTS-WCDMA system, an idle handoff occurs upon detecting a stronger pilot (when an MS moves to another cell while it is not making a call). The request from the MS is sent through the new Node B and RNC to a new MSC/VLR if necessary. The VLR contacts the HLR for an authentication request. In response, several authentication vectors (AVs) are sent to the VLR, one of which is used to authenticate the MS as a challenge and obtain the MS response. The others are kept in reserve if necessary. Suppose now a Node B fails and several MSs will try to simultaneously make idle handoffs to nearby Node Bs that may have overlapping coverage. All of these requests will congest the connection to the VLR. If AVs are instead stored in neighboring Node Bs and some time-limited authentication can be done while a traffic restoration protocol can schedule a more rigorous authentication, the performance could be improved significantly.

Figure 15.3. Idle handoff.


In a hybrid network scenario, the interaction between survivability and security becomes more complex. In the case of failure of a Node B in a cellular network, MSs may benefit from connecting to an underlay 802.11 WLAN that may be providing coverage in the same geographical area. When the MSs try to connect to the 802.11 AP, the process involved will be similar to a handoff. The only difference is that the handoff is performed to a different type of wireless access network. As part of this handoff, MSs need to be authenticated. Only then can an MS associate itself with an AP and resume communications. Even assuming loose coupling (described earlier), the time taken to authenticate an MS in an 802.11 WLAN can be fairly large, (1) because of the time taken to obtain information about WLAN availability through the beacon messages [36, 37] and (2) because of the numerous message exchanges and cryptographic functions. In the case of tight coupling, this delay could be worse because of the need to communicate with the GPRS core network. Survivability and security measures will have to carefully interact to ensure that the quality of communications is maintained according to the specified metrics, while adequate security levels are maintained. Moreover, the examples of failure/attack scenarios described above can be more complex in this case.

15.6.3. Case Study II: Key Management in Heterogeneous Sensor Networks

To understand the interaction between survivability and security of our WSN security architecture with heterogeneous sensor nodes, we conduct a case study for the key management scheme. Our study shows that the WSN can achieve higher key connectivity and higher resilience with our proposed key management scheme, with a small percentage of heterogeneous nodes that have reasonable storage, processing, and communication capabilities. We can also see the trade-off between the reliability and the security in some examples.

Key management is one of the most important prevention and protection schemes for security mechanisms of WSNs. To provide secure communications for WSNs, all messages should be encrypted and authenticated. Consequently, security solutions for such applications depend on the existence of strong and efficient key distribution mechanisms for the uncontrolled environments of WSNs. We illustrate how to design an effective key management framework under the general heterogeneous WSN security architecture. Up to now, almost all the existing key management schemes for distributed WSNs assume that the sensor nodes are homogeneous, with the same capabilities for every node in a sensor network. Therefore, it is of significance to investigate how to design a suitable key management scheme for heterogeneous WSNs. In addition, it is important to address the reliability issue in the design of a key management scheme. Energy conservation is a critical issue in WSNs since batteries are the only limited-life energy source to power the sensor nodes. The key management schemes designed for WSNs should be energy aware and efficient.

Obviously, using a single shared key in a whole WSN is not a good idea because an adversary can easily obtain the key. Therefore, as a fundamental security service, pair-wise key establishment shall be used, which can enable the sensor nodes to communicate securely with each other using cryptographic techniques. However, due to resource constraints on sensor nodes, it is not feasible for sensors to use traditional pair-wise key establishment techniques such as public key cryptography and key distribution center [38]. Instead, sensor nodes can use pre-distributed keys directly or use keying materials to dynamically generate pair-wise keys. In such a case, the main challenge is to find an efficient way of distributing keys and keying materials to sensor nodes prior to deployment.

In this case study, we assume that there are I classes of sensor nodes in the network, with Class 1 consisting of the least powerful nodes and Class I the most powerful nodes, in terms of communication range, node processing capability, and energy level. Particularly, in terms of communication range, we assume the existence of bidirectional links between any two nodes. Let r_i denote the communication range of Class i nodes; we always have r_m < r_n if m < n. Therefore, if a Class m node is within the range of a direct communication link of a Class n node, the Class m node might need multiple links to reach the Class n node if m < n. The heterogeneous sensor nodes are distributed in the WSN with p_i the fraction of Class i nodes, so that p_1 + p_2 + ... + p_I = 1. Here, it is important to notice the fundamental difference between the heterogeneous WSNs assumed in this section and the hierarchical WSNs in Law et al. [39] and Zhu et al. [40]. In the hierarchical WSNs, the base stations (or cluster supervisors) are centralized nodes, and more importantly, they act like key distribution centers. In contrast, in the heterogeneous WSNs, apart from the higher-class nodes being more powerful in terms of communication range, node capability, and energy level, the communications between all the different classes of nodes are still peer-to-peer and distributed.

The security requirements and services can be described by the following metrics: scalability, efficiency, resilience, and reliability. Scalability is the ability to support a large number of wireless sensor nodes in a network. The security mechanisms must support a large network and be flexible against a substantial increase in the size of the network even after deployment. Efficiency is the consideration of storage, processing, and communication limitations on sensor nodes. Resilience is about the resistance to node capture. A compromise of security credentials, which are stored on a sensor node or exchanged over radio links, should not reveal information about the security of any other links in the WSN. Higher resilience means a lower number of compromised links. Reliability is the capability to keep the functionality of the WSN even if some sensor nodes have failed. The survivability concerns can be addressed with the design goals of scalability, efficiency, key connectivity, resilience, and reliability. Key connectivity is the probability that two or more sensor nodes store the same key or keying material. Enough key connectivity must be provided for a WSN to perform its intended functionality.

The key generation in heterogeneous-distributed WSNs here is based on the random key distribution [41] and the polynomial based key predistribution protocol [42], and is inspired by the approaches of Liu and Ning [43]. In a manner similar to the studies in Eschenauer and Gligor [41], we consider that there are three steps in the framework to establish pair-wise keys between the sensor nodes:

1. Initialization.

2. Direct key setup.

3. Path key setup.

The initialization step is performed to initialize the sensors by distributing polynomial shares to them, with the consideration of the heterogeneity of the sensor nodes. The direct key setup step is for any two nodes trying to establish a pair-wise key, in which they always first attempt to do so through direct key establishment. If the second step is successful, there is no need to start the third step. Otherwise, these sensor nodes may start the path key setup step, trying to establish a pair-wise key with the help of other sensors.

Our scheme uses a pool of randomly generated bivariate polynomials to establish pair-wise keys between sensor nodes, with the consideration of I classes of heterogeneity among the wireless sensor nodes. In this manner, existing distributed key management schemes can all be included in the framework. For example, if I = 1, which means that the sensor network is homogeneous, we have the following special cases: when all the polynomials are 0-degree ones and the sensor network is homogeneous, the polynomial pool degenerates into a key pool [41]; and when the polynomial pool has only one polynomial and the sensor network is homogeneous, the key distribution scheme degenerates into the polynomial-based key predistribution [42].
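The three steps above, worked through in code as an added example (this is not the chapter's own implementation). It builds a small pool of random symmetric bivariate polynomials over a prime field, as in the polynomial-based predistribution the chapter cites [42, 43]; initialization hands each node shares of a few pool polynomials (a more powerful node can receive more), direct key setup lets two nodes that hold shares of a common polynomial compute the same pair-wise key locally, and path key setup falls back to an intermediary that has direct keys with both. The field size, polynomial degree, pool size and node ids are constructed for the example; the encryption of the relayed path key is left out.

```python
"""Polynomial-pool pair-wise key establishment (added example; not the
chapter's code). Field, degree, pool size and node ids are constructed."""
import random

PRIME = 2**61 - 1   # Mersenne prime used as the field (constructed)
DEGREE = 3          # t-degree polynomials stay secret until more than t shares are captured


def symmetric_polynomial(degree, rng):
    """Random symmetric bivariate polynomial f(x, y) = sum a[i][j] x^i y^j,
    stored as a coefficient matrix with a[i][j] == a[j][i]."""
    a = [[0] * (degree + 1) for _ in range(degree + 1)]
    for i in range(degree + 1):
        for j in range(i, degree + 1):
            a[i][j] = a[j][i] = rng.randrange(PRIME)
    return a


def share(poly, node_id):
    """Polynomial share f(node_id, y): coefficients of a univariate polynomial in y."""
    n = len(poly)
    return [sum(poly[i][j] * pow(node_id, i, PRIME) for i in range(n)) % PRIME
            for j in range(n)]


def evaluate(univariate, y):
    """Horner evaluation of a univariate polynomial given low-to-high coefficients."""
    acc = 0
    for c in reversed(univariate):
        acc = (acc * y + c) % PRIME
    return acc


def make_pool(pool_size, seed):
    """Generate the polynomial pool held by the key distribution authority."""
    rng = random.Random(seed)
    return [symmetric_polynomial(DEGREE, rng) for _ in range(pool_size)]


def initialize(pool, nodes, seed):
    """Step 1: give every node shares of k random pool polynomials.
    `nodes` maps node id -> k, so a higher-class node can receive more shares.
    Returns {node_id: {polynomial_id: share}}."""
    rng = random.Random(seed)
    return {nid: {pid: share(pool[pid], nid) for pid in rng.sample(range(len(pool)), k)}
            for nid, k in nodes.items()}


def direct_key(rings, a, b):
    """Step 2: if a and b hold shares of a common polynomial, each computes
    f(a, b) == f(b, a) from its own share. Returns None when nothing is shared."""
    common = sorted(set(rings[a]) & set(rings[b]))
    if not common:
        return None
    pid = common[0]                      # both sides choose the same polynomial
    return evaluate(rings[a][pid], b)    # equals evaluate(rings[b][pid], a)


def path_key(rings, a, b):
    """Step 3: find an intermediary c with direct keys to both a and b; c then
    generates a fresh key and relays it to each side under the respective direct
    key (that encryption is omitted here). Returns (c, key) or None."""
    for c in rings:
        if c in (a, b):
            continue
        if direct_key(rings, a, c) is not None and direct_key(rings, c, b) is not None:
            return c, random.SystemRandom().randrange(PRIME)
    return None


if __name__ == "__main__":
    pool = make_pool(6, seed=7)
    # constructed network: nodes 1-2 are low class (2 shares), 3-4 high class
    rings = initialize(pool, {1: 2, 2: 2, 3: 5, 4: 6}, seed=3)
    print("direct 1-4:", direct_key(rings, 1, 4))
    print("path 1-2:", path_key(rings, 1, 2))
```

With I = 1 and DEGREE = 0 every share is just the polynomial's constant, so the pool collapses to the key pool of [41], and with a pool of size 1 every pair of nodes has a direct key, as the chapter notes for [42].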

The main challenge in this scheme is how to assign polynomial shares to different classes of nodes. We can clearly observe that the major issue in our scheme is the subset assignment problem, which specifies how to determine the set of polynomials and how to assign the polynomial shares for each sensor node in group j with class i. During the key distribution procedure, a number of factors must be considered, including the probability that adjacent nodes can share a common key, the resilience of the network when it is under attack, and importantly, the nature of the heterogeneity.

The proposed new key generation scheme is essentially different from most existing schemes in that the heterogeneity features can now be taken into account. To illustrate the advantages of the new scheme, we consider a typical heterogeneous WSN that is established to collect data in a distributed scenario. In this scenario, a sensor node shall submit its observation to a sink node (or sink nodes, depending on the configuration of the network) through the sensor network in a hop-by-hop manner, as shown in Figure 15.4, in which there are two classes of sensor nodes in addition to the sink node.

Figure 15.4. An example WSN.


Since the high-class nodes have a larger transmission range, it is natural that a low-class node will tend to utilize the link between itself and a high-class node to submit its observations. For example, in Figure 15.4, class-one node A will tend to use the path "A-X-Sink" (the solid lines) to submit its report, instead of passing the message through all class-one nodes on "A-B-C-Sink" (the dashed lines). Clearly, a high-class node is more likely to be chosen as the next-hop neighbor of nearby low-class nodes to forward data. Consequently, in this heterogeneous sensor network, the connectivity between a low-class node and a high-class node will be more important than the connectivity between two low-class nodes.

We now design a special key management scheme within the new framework for the above scenario. Specifically, we consider that there are two classes of the heterogeneous sensor nodes (i.e., I = 2). To simplify the discussion, we also assume that there is only one group, denoted as group 0, in the network.

The special key management scheme is a key-pool-based key distribution scheme. In this scheme, we denote C1 as the class of the less powerful sensor nodes and C2 as the class of the more powerful sensor nodes. We consider that a C2 node X is in the neighborhood of a C1 node A if A can directly receive messages from X. Since the transmission range of A is less than the transmission range of X, A may need to send messages to X through a multihop path. We define that a C1 node is connected to the network if it shares at least one key with the C2 nodes in its neighborhood. We then define the key connectivity as the probability that a C1 node is connected to the network. For simplicity, we only consider the direct key setup between a C1 node and an adjacent C2 node.

An example of this scheme is illustrated in Figure 15.5, where node A is a C1 node and nodes X, Y, and Z are C2 nodes. In this example, nodes X, Y, and Z are the only C2 neighbor nodes of node A. In addition, node A shares key K1 with node X, K2 with node Y, and K1 and K3 with node Z. In this example, node A is connected to the network through three different keys: K1, K2, and K3. In such a case, if node A wants to submit new information to the sink node, it can first randomly select a key from K1 to K3; then, it can randomly select a neighbor node that shares the same key with it. For example, in Figure 15.5, if K1 is chosen as the key, then either node X or node Z can be selected at random. In this manner, we can see that the communication is more resilient, while the connectivity can also be maintained.

Figure 15.5. The proposed key management scheme for the example WSN.


To understand the behavior of the key management scheme above, we have conducted extensive quantitative studies to evaluate the performance in terms of key connectivity, reliability, and resilience. In our experiments, we consider a small area of the WSN that consists of 200 C1 nodes and a number of C2 nodes, denoted as N2. We also assume that the size of the key pool is 50,000 and that the number of keys in any C2 node is fixed at 2,000.

Reliability of the New Schemes: Key Connectivity of the New Schemes in Normal Conditions

According to the definition, key connectivity is the probability that two or more sensor nodes store the same key. Clearly, enough key connectivity must be provided for a WSN to perform its intended functionality. Figure 15.6 shows the connectivity of the proposed scheme versus the number of keys in a C1 node for different numbers of C2 nodes. We can first observe that the connectivity increases with the number of keys. For a fixed number of keys in each C1 node, we can see that a small increase in the number of C2 nodes can significantly increase the connectivity, especially when the number of keys in a C1 node is small or medium. From another perspective, we can see that, to achieve a specific connectivity, the number of keys that must be stored in each C1 node decreases as N2 increases. For instance, if the connectivity is 0.99, then about 113 keys are required for N2 = 1, about 57 keys are required for N2 = 2, about 38 keys are required for N2 = 3, and about 29 keys are needed for N2 = 4.

Figure 15.6. Connectivity of proposed key management scheme in normal conditions.


To highlight the impact of the number of C2 nodes, we show in Figure 15.7 the probability distribution of the number of shared keys for different values of N2. In this example, we assume the number of keys in each C1 node is 60. We can observe that, as N2 increases, the shape of the distribution shifts to the right-hand side, which implies that a C1 node can share more keys with neighboring C2 nodes. With more shared keys, the network becomes more reliable.

Figure 15.7. Probability of the number of shared keys.


Resilience of the New Schemes: Key Connectivity of the New Schemes in Attack Conditions

To evaluate the resilience of the new schemes, we study the performance of the sensor network when some C1 nodes are compromised. Here we assume that C2 nodes are more tamper resistant. In Figure 15.8, we consider the scenario in which the number of keys per C1 node is selected such that the network connectivity is 99% under normal conditions. We also assume that the compromised C1 nodes cannot be detected. In such a scenario, the data transmission from an unaffected C1 node may be eavesdropped by a nearby compromised node. Therefore, it is important to study the percentage of communications that are not affected. From Figure 15.5, we can see that with our schemes, a C1 node can still securely transmit data to C2 nodes even if some of the keys are compromised. For example, if K1 is the only key that is compromised, then node A still has a 66% chance of forwarding the data to one of the C2 nodes (with K2 or K3). This phenomenon can be clearly observed in Figure 15.8, where we find that a high percentage of secured communications can still be maintained even if a large number of C1 nodes have been compromised. Moreover, we can see that more C2 nodes help to increase the fraction of unaffected communications, given the same number of compromised C1 nodes.

Figure 15.8. Resilience of the key management scheme in attack conditions (connectivity = 99% in normal conditions).


In Figure 15.9, we consider scenarios in which we fix N2 = 4 and let M1 be 29, 38, 57, and 113, where M1 is the number of keys that can be stored in a C1 node. In this case, M1 = 29 represents the lowest reliability because the connectivity of the network will be less than 99% if one C2 node has failed. At the other extreme, M1 = 113 represents the situation with the highest reliability because the connectivity of the network will be greater than 99% even if three C2 nodes have failed. Clearly, we can first observe the trade-off between reliability and resilience from this example. For example, if the number of compromised nodes is larger than 5, M1 = 29 has better resilience than M1 = 113. Moreover, we also notice that, given a certain number of compromised nodes, an optimum configuration may exist that leads to the highest resilience. For instance, if the number of compromised nodes is 20, then M1 = 38 has the best performance in terms of unaffected ratio.

Figure 15.9. Resilience of the key management scheme in attack conditions (N2 = 4).
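The connectivity and resilience figures of this case study, recomputed in an added example (not the chapter's own code). It takes the chapter's experiment parameters (a pool of 50,000 keys, 2,000 keys per C2 node, 200 C1 nodes in one area) and assumes, as constructed modelling choices, that every node draws its keys uniformly without replacement, that the N2 C2 neighbours of a C1 node draw their rings independently, that all C1 nodes in the area see the same C2 neighbours, and that a C1 node transmits under one of its distinct shared keys chosen at random (Figure 15.5). Under those assumptions the exact hypergeometric calculation reproduces the 99% connectivity thresholds of Figure 15.6 (113, 57, 38 and 29 keys for N2 = 1 to 4), and a seeded Monte Carlo run gives the unaffected ratio of Figures 15.8 and 15.9 for a chosen number of undetected compromised C1 nodes.

```python
"""Key connectivity and resilience for the two-class key-pool scheme
(added example; not the chapter's code). Modelling assumptions: uniform
key rings drawn without replacement, independent C2 rings, one shared
neighbourhood, and transmission under a random distinct shared key."""
import random

POOL_SIZE = 50_000   # key pool size of the chapter's experiment
M2_KEYS = 2_000      # keys per C2 node in the chapter's experiment


def prob_no_shared_key(pool, m1, m2):
    """Exact probability that rings of m1 and m2 keys, each drawn without
    replacement from `pool` keys, share none: C(pool - m2, m1) / C(pool, m1),
    evaluated as a running product so no huge binomials are formed."""
    q = 1.0
    for j in range(m1):
        q *= (pool - m2 - j) / (pool - j)
    return q


def key_connectivity(pool, m1, m2, n2):
    """Chapter's key connectivity: probability that a C1 node shares at least
    one key with at least one of its n2 (independent) C2 neighbours."""
    return 1.0 - prob_no_shared_key(pool, m1, m2) ** n2


def min_keys_for_connectivity(pool, m2, n2, target=0.99):
    """Smallest M1 (keys per C1 node) at which connectivity reaches `target`."""
    m1 = 1
    while key_connectivity(pool, m1, m2, n2) < target:
        m1 += 1
    return m1


def expected_shared_keys(pool, m1, m2, n2):
    """Mean number of (key, C2 neighbour) pairs usable by a C1 node: each of its
    m1 keys is held by a given neighbour with probability m2 / pool. Distinct
    shared keys (Figure 15.7) are only slightly fewer, since neighbours' rings overlap."""
    return n2 * m1 * m2 / pool


def unaffected_probability(shared_keys, exposed_keys):
    """Chance that one transmission uses an unexposed key when the sender picks
    uniformly among its distinct shared keys (Figure 15.5: {K1,K2,K3} minus {K1} -> 2/3)."""
    return len(shared_keys - exposed_keys) / len(shared_keys)


def unaffected_fraction(pool, m1, m2, n2, compromised, seed=15, n1=200):
    """Monte Carlo estimate of the chapter's unaffected ratio. The first
    `compromised` C1 nodes are captured and, being undetected, expose their
    whole rings; the remaining C1 nodes are scored with unaffected_probability.
    C1 nodes that share no key with any C2 neighbour cannot transmit and are skipped."""
    rng = random.Random(seed)
    c2_rings = [set(rng.sample(range(pool), m2)) for _ in range(n2)]
    c1_rings = [set(rng.sample(range(pool), m1)) for _ in range(n1)]
    exposed = set().union(*c1_rings[:compromised])
    probs = []
    for ring in c1_rings[compromised:]:
        shared = set().union(*(ring & c2 for c2 in c2_rings))
        if shared:
            probs.append(unaffected_probability(shared, exposed))
    return sum(probs) / len(probs) if probs else 0.0


if __name__ == "__main__":
    for n2 in (1, 2, 3, 4):
        print("N2 =", n2, "keys for 99% connectivity:",
              min_keys_for_connectivity(POOL_SIZE, M2_KEYS, n2))
    # Figure 15.9 setting: N2 = 4, 20 undetected compromised C1 nodes
    for m1 in (29, 38, 57, 113):
        print("M1 =", m1, "unaffected ratio:",
              round(unaffected_fraction(POOL_SIZE, m1, M2_KEYS, 4, 20), 3))
```

The closed-form part is what a designer would use to size a C1 key ring for a target connectivity; the simulation makes the reliability/resilience trade-off of Figure 15.9 visible, since a larger M1 keeps connectivity after C2 failures but every captured C1 node then exposes more of the pool.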

