## 1 Introduction

Cyber-physical systems (CPS) are increasingly deployed in mission-critical systems such as self-driving cars [19]. While most such systems could be implemented with expensive infrastructure, the better solution is to build them on peer-to-peer cooperation between network nodes [18]. Smart intersections, where cars never stop at a red light unless there is actual crossing traffic, are one instance [3]. Vehicle-to-vehicle communication is another example: it can potentially help to prevent of all traffic accidents, including those with drivers impaired by alcohol or drowsiness, as reported by the U.S. National Highway Traffic Safety Administration [30]. To be able to rely on these systems, the security of the underlying multi-hop wireless networks, such as mobile ad hoc networks (MANET), vehicular ad hoc networks (VANET), and wireless sensor networks (WSN), is critical. Alas, the lack of trusted infrastructure and limited node resources make securing communications in such networks challenging. Concretely, while cryptography is a general and powerful approach to improve security, it is not well suited for such networks. This is because cryptographic techniques, such as public key infrastructure (PKI), commonly rely on a key management system, and most of the key management tasks are assigned to a trusted third party (TTP) or several distributed TTPs that are based on infrastructure. In contrast, multi-hop wireless networks in cyber-physical systems are fully decentralized and lack a fixed infrastructure that can act as the TTP. In addition, nodes in such networks have limited memory, computational, and transmission resources. Consequently, the naive solution of storing all keys in every single node for encrypting and decrypting messages is also not practical in these networks, especially in large-scale ones.

Key pre-distribution schemes [7] seem to be a promising solution due to their distributed and lightweight nature. Key pre-distribution schemes store just keys in each node, where and is the number of network nodes. The set of stored keys in each node is referred to as its *keyring*. Once a node encrypts a message with a key, only those nodes with a shared key are capable of decrypting it. Thus, a pair of nodes can communicate directly and securely if they share a common key. To establish a secure connection between two nodes without a shared key, a *key-path* has to be found. The key-path is an overlay path in which each pair of adjacent nodes has a *secure link* between them, i.e., they share a common key. (Note that this secure overlay link may, in reality, span multiple physical nodes.) To exchange messages, the source initially encrypts its message and forwards it to the first hop on the overlay. The message is then routed over the overlay where each intermediate hop, in turn, decrypts the data, encrypts it again with a key shared with the next hop, and forwards it to the next hop toward the destination.

Despite important differences between various classes of key pre-distribution techniques (such as symmetric and asymmetric cryptosystems) in terms of their routing mechanisms and the process of forming secure overlays (§2), they fundamentally share a security vulnerability, known as *intermediate D-E steps* or *per hop key exposure* [32], where the intermediate nodes on the key-path overlay can decrypt and encrypt messages. Since an attacker can compromise an intermediate node, any decryption-encryption (D-E) step raises a security threat. While enhancing the link-level security of the key pre-distribution schemes has been the focus of many recent works [5, 21, 33, 34, 9, 31], the holistic, end-to-end security of these schemes is relatively unexplored. In addition to this security concern, the performance of key pre-distribution schemes is not ideal because their overlay paths are commonly longer than the physical shortest paths. The resulting path stretch leads to performance degradation, e.g., increased latency and network overhead, as we quantify in §4.

In this paper, we propose Key Pre-distribution security (KPsec), a high-performance algorithm to establish end-to-end secure communications in multi-hop wireless networks. Under KPsec, the source and the destination first engage in an initial phase of exchanging public keys via multiple disjoint paths. KPsec leverages a state-of-the-art asymmetric key pre-distribution technique, probabilistic asymmetric key pre-distribution (PAKP) [10], as a building block to initially exchange public keys. This step is followed by constructing shared keys for this communicating pair before they start secure communication over the shortest paths. Despite the initialization cost and delay, we show that the amortized latency overhead is low in our scheme compared to the state-of-the-art. This is because upon constructing a common key, under KPsec, traffic follows the shortest path, in lieu of the longer overlays deployed in key pre-distribution techniques. KPsec is not subject to passive attacks due to exchanging only public keys. Moreover, we show that it has high resiliency against active attacks (§4).

Concretely, the core idea of KPsec is an initial key exchange process that results in a pairwise key agreement between the source and destination (we show in §4 the energy efficiency enabled by this approach). After the completion of the key-exchange phase, messages between these two nodes will be encrypted using this key and can be decrypted only by the source and the destination. Thus, these messages can be routed over the shortest physical paths, avoiding the longer key-path overlays without compromising security. Applied naively, this technique is prone to man-in-the-middle attacks where an intermediate node that participates in the key-exchange process replaces the actual key with its own key. In such a case, the intermediate node can read and potentially alter the message while remaining hidden from the source and the destination. To increase the resiliency against this type of attack, nodes in KPsec exchange keys via multiple, disjoint paths using erasure coding (§3).

Despite its security and performance benefits, KPsec raises a few concerns. First, while path redundancy improves security, the communication can still be vulnerable to more sophisticated forms of attack such as distributed, coordinated man-in-the-middle attacks where a group of compromised nodes agrees on a forged key to replace the actual key. We experimentally show that KPsec has strong resiliency against this type of attack: the attacker needs to compromise nodes to be able to get access to the secret data. Second, for the proposed algorithm to work, there must be enough reasonably short vertex-disjoint overlay paths for the initial step of exchanging keys. In Section (3), we investigate the expected number and lengths of these paths. Our results show that, although a large number of disjoint paths improves security, KPsec results in high degrees of security even with a small number of such paths, e.g., for relatively short paths with 3 D-E steps, KPsec’s use of only 5 disjoint paths leads to 99.9% resiliency against node capture (§3). Third, the initial key-exchange phase causes some control overhead. Our measurements show that the amortized traffic overhead is low. This is because once the key-exchange phase terminates, traffic follows the shortest paths, eliminating the path stretch and compensating for the initial control overhead. For a network with 100 nodes, for example, KPsec results in almost equal control traffic compared to three state-of-the-art key pre-distribution schemes that we use as baselines and 7.5% enhancement in throughput (§4).

To comprehensively evaluate the performance and security of KPsec, we implement it on a 10-node testbed and a large-scale ns-2 network simulator [1]. In addition to KPsec, we implement three state-of-the-art key pre-distribution schemes: PAKP [10], unital key pre-distribution (UKP) [4], and strong Steiner trade (SST) [26]. Moreover, to make the end-to-end connections in UKP and SST secure, we augment these algorithms using the design presented in [16] (hereafter called augmented UKP and SST), a general remedy for the intermediate D-E steps problem which is applicable to any symmetric key pre-distribution scheme. Our experiments show that, compared to these baselines, KPsec results in throughput improvement, reduces the network latency by , and alleviates the energy consumption up to an order of magnitude.

Although the performance of KPsec and augmented UKP and SST are close, KPsec results in substantial security improvements, as it is the only scheme that is secure against passive attacks. Plus, an active attacker needs to compromise nodes to access data in KPsec, a substantially larger fraction compared to augmented UKP and SST. Moreover, contrary to other schemes that suffer from the secret information leakage, compromising a few nodes in KPsec does not enable an attacker to access any secret information. Finally, while in other schemes, sophisticated attackers such as those carrying out selective node compromise attacks can compromise the entire network communications by capturing only a few nodes, in KPsec, compromising the entire network requires the attacker to capture nodes, e.g., in a network with 100 nodes, to access data, the attacker needs to capture, respectively, 10 and 23 nodes in augmented UKP and SST, compared to 99 nodes in KPsec.

The main contribution of this paper is KPsec, an algorithm to establish end-to-end secure communication in multi-hop wireless networks, and its thorough evaluation. More specifically, this paper proposes an algorithm to address the two key pre-distribution shortcomings, intermediate D-E steps, and the path stretch and studies its security and performance compared to the state-of-the-art algorithms using a real 10-node testbed and large-scale simulations.

## 2 Related Work

Key pre-distribution schemes are categorized into two main categories based on their underlying cryptosystem, symmetric and asymmetric. In this section, we provide a brief comparison of these categories, the state-of-the-art techniques for each, and proposals for secure end-to-end communications using key pre-distribution in turn.

### 2.1 Symmetric vs. Asymmetric Key Pre-distribution

The core idea of symmetric key pre-distribution schemes, which is also known as pairwise key pre-distribution, was first introduced by Eschenauer and Gligor [7]. In this scheme, each keyring is chosen uniformly at random from a key-pool, with replacement. The main security shortcoming of the Eschenauer-Gligor design is that if an attacker compromises several nodes, it can access many keys from the key-pool. Thus, many links inside the network become insecure. Chan et al. [5] propose Q-composite algorithm to mitigate this security shortcoming by establishing secure links only between nodes that have at least common keys.

More recently, the concept of combinatorial block design is used in [4, 26] to build key pre-distribution schemes. Bechkit et al. [4] propose a key pre-distribution scheme based on unital block design, referred to as naive unital key pre-distribution (NU-KP). The proposed scheme has a low key-sharing probability: . To improve this probability, they suggest to pre-load each node with disjoint blocks and refer to the new design as t-UKP. Ruj et al. [26] propose a method to construct strong Steiner trade (SST), a form of block design, and use it as a key pre-distribution scheme. SST establishes a unique secret pairwise key between nodes. It is proven that the probability of sharing such a pairwise key does not exceed [4]. In our evaluations, we implement 2-UKP and SST as two well-known baseline schemes.

Liu et al. [22] introduce the idea of asymmetric key pre-distribution, relying on some keying material servers. Multi-hop wireless networks, however, do not always have access to keying servers. Probabilistic asymmetric key pre-distribution (PAKP) was subsequently proposed to consider this problem [10]. In this scheme, each node stores public keys chosen uniformly at random with replacement, from a key-pool containing all the public keys. In [10], authors prove that in PAKP, for any , the probability of key-path existence is more than , where the impact of increasing the number of nodes is negligible. They further prove that PAKP reduces the average number of D-E steps to . In comparison, this number is in the order of the physical path length in symmetric key pre-distribution schemes. In contrast to the random key distribution, authors of [11] and [2] propose and analyze several more realistic scenarios for asymmetric key distribution.

While the general paradigm of key pre-distribution is similar for both categories—symmetric and asymmetric cryptosystems—the routing policies of these two categories have significant differences. In symmetric systems, a key-pool containing all the secret keys is formed. Any node is pre-loaded with a keyring chosen from the key-pool. During a shared key discovery process, any two adjacent nodes discover their secure link by checking whether they share a common key or not. Accordingly, to find a secure path from the source node to the destination, a physical path is first found. Subsequently, for any physical hop, if there is no secure link, a key-path is found. The transferred data is then encrypted by the source node, decrypted and encrypted again by each intermediate node until reaching the destination.

In asymmetric key pre-distribution, on the other hand, the routing mechanism follows a reverse process: the key-pool is formed by the public keys of all nodes. Each node is pre-loaded by public keys chosen uniformly at random with replacement from the pool. Initially, a key-path from the source node to the destination has to be found. Subsequently, for any key-path hop, the corresponding physical path is selected. In this case, each key-path hop may contain several physical hops without decryption and encryption steps, since the overlay neighbors may be physically far away. Generally, there are three main differences between symmetric and asymmetric key pre-distribution schemes. First, the routing process follows a reverse routing procedure. Second, the distributed keys are not confidential. Third, the overlay links in asymmetric schemes are directed.

In a key pre-distribution scheme, regardless of the symmetric or asymmetric nature of its underlying cryptosystem, there are some intermediate nodes which decrypt the data, encrypt it again, and forward it toward the destination. Since an adversary node may pose as an intermediate node, any D-E step is considered a security threat. Moreover, the resulting path may also be longer than the shortest physical path, due to the absence of a direct secure link, which leads to performance degradation. We provide more details about these two categories of key pre-distribution techniques below.

### 2.2 End-to-End Communication

While the intermediate D-E steps problem was first introduced in [32], this work does not propose a solution. To the best of our knowledge, the algorithm of [16] is the first well-defined end-to-end solution for intermediate D-E steps. In this solution, the source node chooses a pairwise key, splits it into pieces, and sends each piece via different node-disjoint paths to the destination. In this way, the attacker needs to compromise at least one node from each node-disjoint path to retrieve the entire pairwise key and decrypt the data. To improve the performance of [16], Li et al. [20] suggest using intermediate nodes as proxies, and then use multiple paths, each path with just one proxy, to send the key pieces. Gupta et al. [15] propose their algorithm based on [20] by introducing some proxies as friends. They then use a publicly known function and only the key pieces of the friends to retrieve the pairwise key. Sheu et al. [27] propose using a group-based pairwise key to enhance the security of node-disjoint paths. However, this algorithm requires a group-key agreement. A security shortcoming shared across all these algorithms is their reliance on sending secret values (e.g., private keys) through hop-by-hop D-E steps to establish a pairwise key. The attacker will be able to access these values, and consequently encrypted messages, via compromising the intermediate nodes. Similar to KPsec, [23] strives to establish end-to-end secure communications by providing disjoint overlay paths. Unlike KPsec, however, it relies on a backbone infrastructure.

## 3 KPsec: end-to-end secure communications

KPsec is, in essence, a three-phase algorithm—the source and the destination initially engage in a public key exchange process to build a common key (phases 1 and 2). Their messages are then encoded using this key and routed, securely and efficiently, over shortest paths (phase 3). After presenting an overview of the algorithm, we analyze its key aspects such as the number and the length of disjoint key-paths and its resilience against cooperative attacks in turn.

### 3.1 The Three Phases of KPsec

In the first phase, the goal of the source is to send its public key to the destination efficiently and securely. For this, KPsec leverages multiple vertex-disjoint paths and the notion of erasure coding. Erasure coding, a method originally developed for forward error correction under bit erasures, transforms a message into a longer coded message with redundant data pieces. This coded message is then broken into shares such that the original message can be recovered from any shares. After encoding and splitting its public key, the source then sends the shares to the destination over vertex-disjoint paths. Splitting the key into shares and sending them over disjoint paths makes the system more resilient against the man-in-the-middle attack: the attacker needs to compromise more nodes to be able to forge the public key.

In the second phase, the destination node collects the shares and extracts the public key of the source. It then encrypts its own public key using the public key of the source and sends this encrypted message via the shortest physical path toward the source.

In the third and final phase, both the source and the destination calculate a pairwise key. The source node then encrypts its data using the pairwise key and sends it toward the destination. The destination, in turn, decrypts the data using the same pairwise key. Although we could use any asymmetric cryptography algorithm, we deployed elliptic curve cryptography (ECC) [28] because of its shorter key length and lower computational complexity compared to other asymmetric cryptography algorithms. In the rest of this section, after outlining our assumptions, we describe the details of each phase. Table (1) lists the notations that we will use throughout this paper.

###### Assumption 3.1

The asymmetric cryptosystem security strength is such that, by having the public key and other public parameters, the attacker is unable to compute the private key.

###### Assumption 3.2

When there is more than one path toward the destination and the source node randomly chooses one of them, the attacker cannot guess which path is chosen.

Phase 1: The source node chooses random numbers and forms the following formula:

(1) |

This polynomial is used for coding where is the public key of the source node. The source node calculates , and then calculates which is the value of signed by the private key of the source node. It could be used to certify the correctness of the shares. The source node then sends each tuple from the vertex-disjoint overlay path.

Phase 2: In this phase, the destination collects shares and forms the set . It then calculates the public key of the source node as

(2) |

where is Lagrange multiplier and could be calculated as

(3) |

Note that the computational complexity of the mentioned erasure code is . If , the Lagrange multipliers become unique and thus each node can simply store them. In this case, the computational complexity of the code reduces to . After calculating the public key of the source node, the destination node can certify the shares by checking the signature of each share. The destination then encrypts its own public key with the public key of the source node and sends it through the shortest physical path. The source node decrypts the destination’s public key. At this point, both ends have exchanged their public keys.
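The split-and-recover step of Phases 1 and 2, as an added example that is not the authors' code: the key is the constant term of a random polynomial over a prime field and is recovered by Lagrange interpolation at zero. The field modulus, the evaluation points 1..n and all function names are assumptions of this sketch; the signature on each share is not implemented, and a consistency check over surplus shares stands in for it, which only works when more than k shares arrive.

```python
from itertools import combinations
import secrets

# Assumption: shares live in a prime field larger than any key we encode.
P = 2**521 - 1  # Mersenne prime


def encode(pubkey: bytes, k: int, n: int):
    """Split pubkey into n shares (x, f(x)); any k of them recover it."""
    secret = int.from_bytes(pubkey, "big")
    if not 1 <= k <= n or secret >= P:
        raise ValueError("need 1 <= k <= n and a key smaller than the field")
    # Degree k-1 polynomial: constant term is the key, the rest is random.
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]

    def f(x):
        acc = 0
        for c in reversed(coeffs):  # Horner evaluation mod P
            acc = (acc * x + c) % P
        return acc

    return [(x, f(x)) for x in range(1, n + 1)]


def interpolate(shares, x0=0):
    """Value at x0 of the unique polynomial through the given shares."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj in xs:
            if xj != xi:
                num = num * (x0 - xj) % P
                den = den * (xi - xj) % P
        # num / den is the Lagrange multiplier for this share at x0
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def recover(shares, k, key_len):
    """Rebuild the key from the first k shares, with no integrity check."""
    value = interpolate(shares[:k])
    try:
        return value.to_bytes(key_len, "big")
    except OverflowError:
        return None  # result cannot be a key of this length


def recover_checked(shares, k, key_len):
    """Return (key, indices of shares that disagree with the majority).

    Accepts a candidate only if at least k+1 received shares lie on the
    same polynomial, so one forged share among n > k is found and ignored.
    """
    best_value, best_agree = None, []
    for subset in combinations(shares, k):
        agree = [(x, y) for x, y in shares if interpolate(subset, x) == y]
        if len(agree) > len(best_agree):
            best_value, best_agree = interpolate(subset), agree
    if len(best_agree) <= k:
        return None, []  # no redundancy left to vouch for the result
    bad = sorted(x for x, y in shares if (x, y) not in best_agree)
    try:
        return best_value.to_bytes(key_len, "big"), bad
    except OverflowError:
        return None, bad


if __name__ == "__main__":
    key = bytes.fromhex("02" + "11" * 32)  # constructed sample public key
    shares = encode(key, k=3, n=5)
    x, y = shares[1]
    shares[1] = (x, (y + 1) % P)  # one path delivers an altered share
    print(recover_checked(shares, 3, len(key)))
```

With exactly k shares the check has nothing to compare against and returns no key, which is the case where the page's per-share signature is the only integrity control.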

Phase 3: In principle, the source is now able to communicate with the destination directly and securely, using asymmetric encryption. However, asymmetric encryption is known to be computationally complex and energy inefficient. Therefore, it is not an ideal choice for multi-hop wireless networks. KPsec uses symmetric encryption instead: upon receiving each other’s public key, source and destination nodes calculate a pairwise key :

(4) |

Since in ECC the corresponding public key for the private key is calculated as where is the elliptic curve base point, the pairwise key will be identical for both the source and the destination nodes. After this step, the source node can encrypt its data using the pairwise key and then send it to the destination via the shortest physical path. The destination can also use the same key to decrypt the received data.

KPsec raises a few concerns. Specifically, the first phase of the algorithm relies on a number of disjoint paths. Its operation, security, and performance, therefore, hinges on the existence and lengths of such paths. Moreover, the resilience of the algorithm against cooperative attacks, where the attacker controls a fraction of all nodes, is not known. In the rest of this section, we perform a comprehensive analysis to address these concerns.

### 3.2 Number and length of Vertex-Disjoint Key-Paths

Before calculating the number and the length of vertex-disjoint overlay paths in the KPsec algorithm, we need to know how many vertex-disjoint paths KPsec requires. Equivalently, what is the proper value for parameter ? Furthermore, we need to know how we can find a set of vertex-disjoint paths. To answer the first question, we use the reliability analysis technique of [29], referred to as the reliability of the series-parallel systems. In this technique, the reliability of the system is considered as the probability of system success which is equal to one minus the probability of attacker success.

###### Lemma 1

Consider the probability of each intermediate node to be compromised as , the reliability of multi-path systems is equal to

(5) |

where represents the number of intermediate D-E steps in each path.

###### Proof

In this analysis, each intermediate D-E step is considered as a reliability threat. Hence, for a path to be reliable, it should be free of any compromised node. Hence, the reliability of each path is equal to . The attacker has to compromise at least one intermediate node from each path to potentially be able to perform a successful attack. The probability of attacker success in each path is one minus the reliability of that path, i.e. . For disjoint paths, hence, the total reliability is equal to

Fig. (1) shows the quantitative results of Equation (5) for a network with of nodes being compromised, selected uniformly at random, i.e. . While increasing the number of paths improves security, Fig. (1) shows that after the first several paths, the security improvement of adding extra paths is negligible.
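The series-parallel reasoning of Lemma 1, written out as an added example (not the authors' code) that follows the proof's wording: a path is reliable only if none of its intermediate nodes is compromised, and the attacker must hit every path. The names `p`, `h`, `m` and the sample values are assumptions of this sketch; a Monte Carlo run cross-checks the closed form.

```python
import random


def multipath_reliability(p, h, m):
    """Probability that at least one of m disjoint paths is clean.

    p: chance that any one intermediate node is compromised (assumed
       independent, as with uniformly random node capture)
    h: intermediate D-E steps per path, m: number of disjoint paths
    """
    path_clean = (1 - p) ** h          # series: every hop must be clean
    return 1 - (1 - path_clean) ** m   # parallel: attacker needs all paths


def simulate(p, h, m, trials=20000, seed=1):
    """Estimate the same probability by sampling node compromise."""
    rng = random.Random(seed)
    ok = 0
    for _ in range(trials):
        clean = sum(
            all(rng.random() >= p for _ in range(h)) for _ in range(m)
        )
        ok += clean > 0
    return ok / trials


def marginal_gain(p, h, m):
    """Reliability added by the m-th path over m-1 paths."""
    return multipath_reliability(p, h, m) - multipath_reliability(p, h, m - 1)


def paths_needed(p, h, target, max_paths=64):
    """Smallest number of disjoint paths reaching the target reliability."""
    for m in range(1, max_paths + 1):
        if multipath_reliability(p, h, m) >= target:
            return m
    return None  # target unreachable within max_paths


if __name__ == "__main__":
    p, h = 0.1, 3  # constructed sample values
    for m in range(1, 8):
        print(m, round(multipath_reliability(p, h, m), 5),
              round(marginal_gain(p, h, m), 5))
    print("simulated, m=5:", simulate(p, h, 5))
```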

To find the set of vertex-disjoint paths between any pair of source and destination vertices, we use the Ford-Fulkerson max-flow algorithm [17, 8]. We know that the upper bound of the number of vertex-disjoint paths is , because each node stores just keys, i.e. the source node has only neighbors in the overlay. The Ford-Fulkerson max-flow algorithm is known as a greedy algorithm capable of finding the set with the maximum number of edge-disjoint paths. However, our problem is to find the set of vertex-disjoint paths, not edge-disjoint. To find such a set, we modify this algorithm by replacing each vertex in our graph with two vertices which are connected with a directed edge, with a capacity of one.

###### Lemma 2

Consider directed graph , where and denote sets of vertices and edges, respectively, and the capacity of all edges is one. We modify to form a new graph by replacing each vertex with two vertices and and an edge from to with capacity one. Applying the Ford-Fulkerson algorithm on the modified graph results in a set with maximum number of vertex-disjoint paths in the main graph.

###### Proof

Assume, by contradiction, that the result of the Ford-Fulkerson algorithm on graph does not return the maximum number of vertex-disjoint paths in graph . This implies that there is at least a flow in graph which passes through node and then another node instead of passing . This, however, contradicts our assumption about since in , there exists only a single edge with capacity one from each node to . This is a contradiction and hence the results of the Ford-Fulkerson algorithm on the graph returns the maximum number of vertex-disjoint paths in .
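The vertex-splitting construction of Lemma 2, as an added example that is not the authors' implementation: every relay becomes an in/out pair joined by a capacity-one edge, and augmenting paths are found by breadth-first search (the Edmonds-Karp form of Ford-Fulkerson). The overlay below is constructed, and `disjoint_paths`, `shared_relays` and the `split_vertices` switch are names chosen for this sketch; switching the split off shows the edge-disjoint result the unmodified algorithm would give.

```python
from collections import Counter, defaultdict, deque


def disjoint_paths(overlay, src, dst, split_vertices=True):
    """Return a maximum set of src->dst paths in a directed overlay.

    overlay maps a node to the nodes whose public keys it holds.
    With split_vertices the paths share no relay; without it they only
    share no edge.
    """
    if src == dst:
        raise ValueError("source and destination must differ")
    nodes = set(overlay) | {v for vs in overlay.values() for v in vs}
    cap, adj = {}, defaultdict(list)

    def add_edge(a, b, c):
        cap[(a, b)] = c
        cap.setdefault((b, a), 0)  # residual (reverse) edge
        adj[a].append(b)
        adj[b].append(a)

    relay_cap = 1 if split_vertices else len(nodes)
    for v in nodes:
        if v not in (src, dst):
            add_edge((v, "in"), (v, "out"), relay_cap)
    for u, vs in overlay.items():
        for v in vs:
            if u != dst and v != src and u != v:
                add_edge((u, "out"), (v, "in"), 1)

    s, t = (src, "out"), (dst, "in")
    forward = dict(cap)  # capacities before any flow is pushed
    while True:
        parent, queue = {s: None}, deque([s])
        while queue and t not in parent:
            a = queue.popleft()
            for b in adj[a]:
                if b not in parent and cap[(a, b)] > 0:
                    parent[b] = a
                    queue.append(b)
        if t not in parent:
            break  # no augmenting path left: flow is maximum
        b = t
        while parent[b] is not None:  # push one unit along the path
            a = parent[b]
            cap[(a, b)] -= 1
            cap[(b, a)] += 1
            b = a

    # Decompose the flow into paths by walking saturated edges from src.
    nxt = defaultdict(list)
    for (a, b), c in forward.items():
        nxt[a].extend([b] * (c - cap[(a, b)]))
    paths = []
    while nxt[s]:
        path, a = [src], nxt[s].pop()
        while a != t:
            if a[1] == "in":
                path.append(a[0])
            a = nxt[a].pop()
        paths.append(path + [dst])
    return paths


def shared_relays(paths):
    """Relays that appear on more than one path."""
    seen = Counter(v for p in paths for v in p[1:-1])
    return {v for v, n in seen.items() if n > 1}


# Constructed overlay: relay C sits on two otherwise separate routes.
OVERLAY = {"S": ["A", "B", "F"], "A": ["C"], "B": ["C"], "C": ["D", "E"],
           "D": ["T"], "E": ["T"], "F": ["G"], "G": ["T"]}

if __name__ == "__main__":
    print(disjoint_paths(OVERLAY, "S", "T"))
    print(shared_relays(disjoint_paths(OVERLAY, "S", "T", False)))
```

On this overlay the unsplit graph yields three edge-disjoint paths, two of which pass through C, so a single captured relay would see two key shares; the split graph yields two paths with no relay in common.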

Fig. (2) shows the average number of disjoint paths and the distribution of their length. Fig. (2a), which includes the results for different numbers of nodes and different values, shows two important facts. First, the number of vertex-disjoint paths is very close to the value of . Second, increasing the number of nodes has a negligible impact on the number of vertex-disjoint paths. Collectively, Fig. (1) and Fig. (2a) indicate that, with high probability, there will be enough vertex-disjoint paths for KPsec’s operations.

Fig. (2b) shows the distribution function of disjoint path length for different values in a graph with nodes. This parameter is of paramount importance for the KPsec algorithm as a performance as well as a security metric. Although the encrypted data in the proposed algorithm follows the shortest physical path toward the destination, longer key-path length for vertex-disjoint paths leads to more network control traffic during the key-exchange process. In addition, longer key-paths mean more intermediate D-E steps and more vulnerability against cooperative attacks. Fig. (2b) shows that the length of most vertex-disjoint paths is very close to the minimum key-path length reported in [10] and increasing the value of decreases the average key-path length and its variance, which implies that the length of most disjoint key-paths is close to the average length. While not reported here, we investigate the same scenario for a fixed value and different numbers of network nodes. The results are similar to those of Fig. (2b).

### 3.3 Resiliency Against Cooperative Attacks

In this part, we investigate the resiliency of the proposed algorithm against the cooperative attacks. In our analysis, we consider the resiliency against the cooperative man-in-the-middle attack, as one of the most known harmful attacks against multi-path solutions. However, our method can be generalized to any cooperative attacks. To model this attack, we introduce adversary nodes to the network and then calculate the number of those vertex-disjoint paths that do not contain any adversary node. We select the adversary nodes uniformly at random in our simulations. Fig. (3) shows the average and standard deviation of the number of secure vertex-disjoint paths.

Note that this parameter has to be analyzed together with parameter . Recall that represents the number of required shares to rebuild the source node’s public key. Let , i.e., the destination requires all the shares from all the paths to become able to reconstruct the key. Thus, for the attacker to successfully perform its cooperative man-in-the-middle attack, it needs to compromise at least one node from every single path. According to Fig. (3), the attacker needs to compromise more than half of the network nodes to become successful. Decreasing the value of makes the system more resilient to failures, but it increases the probability of successful attacks. Nevertheless, even for , the attacker needs to compromise more than of nodes to perform a successful attack. Considering the results of Fig. (3) for different values of , we can conclude that for , the attacker always needs to compromise nodes to perform a successful attack, where and are scaling constants, i.e. . Hence, the attacker needs to compromise nodes, even for small values.

## 4 Experimental Testbed and Simulation Results

In order to evaluate the performance and security of KPsec in real systems and at scale, we implement it in a 10-node testbed as well as a large-scale ns-2 simulator [1]. We implement KPsec and three state-of-the-art key pre-distribution schemes, PAKP [10], SST [26], and -UKP [4]. We select a combination of both symmetric and asymmetric schemes to make a fair comparison. As we mentioned in §3, PAKP [10] is an asymmetric key pre-distribution scheme with a high probability of connectivity and a logarithmic number of D-E steps. However, it suffers from high energy consumption. Both 2-UKP [4] and SST [26] are symmetric key pre-distribution schemes. 2-UKP has a high key sharing probability and consequently a shorter key-path. However, compromising a small number of nodes in this scheme leads to the compromise of many connections. In contrast, SST has a low key sharing probability that does not exceed which means longer key-path and consequently lower performance.

To make the connections of SST and UKP end-to-end secure, we augment these schemes with the algorithm of [16]. For performance parameters, we measure the average throughput, the overall network routing traffic, the key-exchange routing traffic overhead, the end-to-end latency, the key-exchange delay, and the energy consumed for decryption and encryption. For security metrics, we measure the number of intermediate D-E steps, the resiliency against cooperative attacks, the resiliency against passive attacks, and the resiliency against selective node compromise. The rest of this section is divided into four parts discussing testbed experiments, simulation settings, performance evaluation, and the comparison of the security strengths of different techniques.

### 4.1 Experimental Testbed

In our 10-node testbed experiment, each node stores 3 keys where two disjoint paths are used for the key exchange process. We used 10 laptops to perform the experiment by connecting them in an ad-hoc mode via a 5 Megahertz (MHz) wireless channel, 2.412-2.417 GHz. In each scenario, a 5 Megabytes (MB) file is sent from a specific source node to a specific destination. To make a fair comparison, we considered the same physical arrangement for all scenarios. We measured the time of the key-exchange process and the time between sending the first data packet by the source and receiving the last packet by the destination. The overall end-to-end latency is the summation of these times. We further measured the control traffic required for the key-exchange process in each algorithm. The throughput is also measured as the packet delivery ratio over the bandwidth. Table (2) shows the result of our testbed experiments.

Due to the low key-sharing probability of SST (discussed in §2), the key-path in this scheme is significantly longer than other schemes. This fact leads to longer key exchange delay and higher key exchange traffic. Since, in all cases, the data follows the shortest physical path to reach the destination, the data transmission latency and throughput are expected to yield similar results. However, due to the network traffic and latency caused by the key-exchange process, we observe lower throughput for the augmented SST algorithm.

### 4.2 Simulation Setting

To evaluate the algorithm at scale, we use the ns-2 simulator. In each scenario, a network with a number of nodes (ranging from to ) is simulated in a square meter area. Network nodes are initiated in random positions, using a uniform distribution in the network area. The nodes are assumed to be mobile and follow Random walk mobility model of ns-2, with zero pause time and varying speed in the interval meter per second. The distance model is chosen for sending and receiving with the communication range of meters for each node. The channel bandwidth is set to . All simulations are performed using AODV routing protocol to find the shortest physical path. For two-layer routing in PAKP, the algorithm of [12] is used to find the optimal path with the smallest number of D-E steps and shortest physical lengths. Different scenarios are simulated with different numbers of connections between and . To keep the comparisons fair, all connections are chosen randomly but once selected, the same connections are used for comparing different schemes. The generated traffic is FTP running on TCP Tahoe. In each connection, the source node sends a file with a size of MB to its destination. All simulations are repeated times, and figures show average values calculated over all runs. For the key pre-distribution phase, the keyring size is set to , and for end-to-end algorithms, we use five disjoint paths in each scenario.

### 4.3 Performance Evaluation

We choose the network throughput measured for successful packet delivery, the average end-to-end latency per connection, the average key-exchange delay, the average routing traffic per connection, the key-exchange routing traffic, and the consumed energy as performance evaluation metrics. Fig. (4) compares the throughput of different scenarios. While Fig. (4a) shows the average throughput for fixed connections and the different number of nodes, Fig. (4b) shows the results for different numbers of connections in a -nodes setting. Since increasing the number of connections increases congestion, the network throughput is slightly decreased as the number of connections increases. We observe that the factor that impacts the network throughput the most is the physical path length. Since, in end-to-end solutions, the data traffic follows the shortest physical path, KPsec’s throughput is higher in comparison with SST, 2-UKP, and simple PAKP, as shown in Fig. (4). It is worth noting that augmented SST and augmented UKP have similar throughput as KPsec. Since -UKP has a significantly higher number of overlay edges, it has the shortest physical path among the compared schemes. This fact leads to -UKP outperforming other key pre-distribution schemes. An improvement of more than is also notable for KPsec compared to PAKP.

We next measure the average end-to-end latency per connection. Each connection starts at a time randomly chosen within the interval seconds. The end-to-end latency for each connection ends when the destination receives the last packet of the file. The average latency per connection is shown in Fig. (5) for different numbers of nodes and connections. Consistent with our testbed results, all the end-to-end solutions exhibit similar performance. KPsec shows significant improvement of more than compared to SST, -UKP, and PAKP. While PAKP slightly improves the performance compared to SST, -UKP outperforms both of them.

We also measure the key-exchange delay. Fig. (6) shows the results for different numbers of nodes and connections. Recall that the key-exchange process in KPsec has one additional step in comparison with the algorithm of [16]. In KPsec, after receiving key shares, the destination node encrypts its public key and sends it to the source node. This extra step imposes some delay which leads to augmented UKP outperforming KPsec for this metric. However, the longer key-path in SST increases the augmented SST key-exchange’s delay.

We next measure the routing traffic overhead generated for sending the encrypted MB files. Fig. (7) shows this parameter measured in MB. Again, a longer physical path degrades this parameter for both SST and augmented SST. Fig. (8) shows the key-exchange traffic for end-to-end algorithms. This figure shows that KPsec and augmented UKP generate similar volumes of key-exchange traffic, lower than that of augmented SST. While not shown here, a network with stationary nodes is also simulated. The results show the same pattern for all the mentioned parameters. However, for routing traffic, the network with stationary nodes shows an average of 9% less overall routing traffic and 11.5% less key-exchange traffic overhead. We have used the setting of [24] to calculate the consumed energy for encryption and decryption processes in our simulations. Fig. (9) shows the results for a network with different numbers of nodes. Since PAKP encrypts data asymmetrically, it consumes an order of magnitude more energy in comparison with other algorithms. Thus, we remove its curve for better representation. The SST scheme has more intermediate D-E steps in comparison with -UKP. Thus, it consumes energy at a rate almost twice as large as that of -UKP. KPsec, in turn, outperforms the key pre-distribution schemes by more than . Since the data transmission process in all end-to-end algorithms follows the shortest physical path and all of them use symmetric encryption, their performance with respect to this metric is similar.

Overall, our results show that despite the fact that end-to-end solutions including KPsec add some delay and traffic overhead, they remove the path stretch and consequently result in better overall performance. They also show that, while the performance of [16] depends on its underlying key pre-distribution scheme, generally it is close to KPsec, performance-wise. However, in the following part, we show that KPsec has significant security advantages over [16].

### 4.4 KPsec Improves Security

We first measure the average intermediate D-E steps in each disjoint path, as a basic security metric. Fig. (10a) shows this parameter for different schemes. This figure shows that the number of intermediate D-E steps in the KPsec algorithm is significantly lower than those of augmented SST and augmented UKP. While we presented a general analysis of resiliency against cooperative attacks in Fig. (1), we combine the results of Fig. (10a) with that analysis to show the resiliency of different algorithms. Fig. (10b) shows the results for a network with 100 nodes, of them being compromised, and different numbers of disjoint paths. As Fig. (10b) shows, KPsec approaches perfect resiliency with only three disjoint paths, while this number is 5 and 8 for augmented UKP and augmented SST, respectively. That is, KPsec can use a lower number of disjoint paths to achieve higher performance for the same level of resiliency against cooperative attacks.

One of the main advantages of KPsec is its resiliency against passive attacks such as eavesdropping. Since all transferred keys in KPsec are public, an attacker cannot degrade the computational hardness of the cryptosystem by eavesdropping, and consequently cannot compromise the secrecy of data transmission. In contrast, a large enough number of compromised nodes in augmented SST and augmented UKP enables the attacker to access the pairwise key by eavesdropping alone. Even if the attacker cannot eavesdrop on all the key pieces in the algorithm of [16], it can access some key pieces and generate the other parts by a brute-force search. Since the computational hardness of symmetric cryptosystems increases exponentially with key length [25], knowing any portion of the key is equivalent to facing a shorter key, and hence, it logarithmically decreases the computational complexity of the brute-force attack [6]. In other words, the algorithm of [16] suffers from secure information leakage. The next advantage of KPsec over symmetric end-to-end solutions is the geographical distance of its overlay neighbors. In symmetric solutions, the attacker can perform a jamming attack and force the source node to establish its connection through a specific neighbor that the attacker desires (i.e., a compromised node). In KPsec, by contrast, since the overlay neighbors are, in most cases, physically far away and the physical neighbors carry only encrypted messages, this attack becomes ineffective.
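The two effects discussed above (fewer intermediate D-E steps needing fewer disjoint paths, and partial key-piece exposure shortening the effective symmetric key) can be quantified with a simple model. The following is an added example, not the paper's analysis or code: it assumes each intermediate D-E node is compromised independently with probability `f`, that a path is exposed if any of its `h` intermediate nodes is compromised, and that a symmetric multi-path scheme cuts the key into equal pieces, one per path; all numeric inputs are constructed.

```python
from math import comb

def path_exposure(f: float, h: int) -> float:
    """P(one disjoint path contains >= 1 compromised intermediate D-E node).
    Assumption: nodes are compromised independently with probability f."""
    return 1.0 - (1.0 - f) ** h

def resiliency(f: float, h: int, d: int) -> float:
    """P(at least one of d disjoint paths is clean), i.e. colluding nodes
    cannot collect everything sent during the key exchange."""
    return 1.0 - path_exposure(f, h) ** d

def min_paths(f: float, h: int, target: float, d_max: int = 64):
    """Smallest number of disjoint paths that reaches the target resiliency,
    or None if d_max paths are not enough."""
    for d in range(1, d_max + 1):
        if resiliency(f, h, d) >= target:
            return d
    return None

def remaining_bits_distribution(f: float, h: int, d: int, key_bits: int) -> dict:
    """Symmetric multi-path exchange (assumed: key cut into d equal pieces).
    Returns {unknown key bits left to brute-force: probability}."""
    q = path_exposure(f, h)
    dist = {}
    for exposed in range(d + 1):          # number of exposed paths ~ Binomial(d, q)
        p = comb(d, exposed) * q ** exposed * (1.0 - q) ** (d - exposed)
        bits = key_bits * (d - exposed) // d
        dist[bits] = dist.get(bits, 0.0) + p
    return dist

def prob_weaker_than(f: float, h: int, d: int, key_bits: int, floor_bits: int) -> float:
    """P(the attacker faces fewer than floor_bits unknown key bits)."""
    dist = remaining_bits_distribution(f, h, d, key_bits)
    return sum(p for bits, p in dist.items() if bits < floor_bits)

if __name__ == "__main__":
    f = 0.2                               # constructed compromise fraction
    for h in (1, 3, 5):                   # constructed D-E step counts per path
        print(f"h={h}: paths needed for 0.99 resiliency =", min_paths(f, h, 0.99))
    # Partial exposure still matters when full compromise is unlikely:
    for bits, p in sorted(remaining_bits_distribution(f, 1, 4, 128).items()):
        print(f"{bits:3d} unknown bits with probability {p:.4f}")
    print("P(< 80 unknown bits) =", round(prob_weaker_than(f, 1, 4, 128, 80), 4))
```

Under this model the leakage distribution applies only to schemes that send secret key material along the paths; the page's argument is that KPsec transfers only public keys, so eavesdropping on a subset of paths does not shorten the key.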

The next important security metric is the number of nodes that an attacker needs to capture in order to compromise the security of the network as a whole. This metric is sometimes referred to as the resiliency against selective node capture (SNC) attacks. In symmetric key pre-distribution schemes, the key-pool includes a limited number of secret keys. Hence, if the attacker knows about the keyring arrangement, it can selectively capture nodes to get access to the entire key-pool. In -UKP and SST, this number is and nodes, respectively [14]. Under PAKP, by capturing each node, the attacker accesses only several public keys and only one private key. Hence, the attacker needs to capture nodes to access all private keys. Table (3) summarizes and compares the security of these schemes for a network with 100 nodes and three disjoint paths.

## 5 Conclusion

In this paper, we propose KPsec to address two main shortcomings of existing key pre-distribution schemes: the intermediate D-E steps and path stretch. KPsec establishes a pairwise key and makes end-to-end connections secure by deploying a key-exchange process using overlay disjoint paths. We evaluate the performance and security of KPsec as well as three state-of-the-art key pre-distribution schemes using a real testbed and large-scale simulations. Our results show improvements in network throughput, end-to-end latency, and energy consumption. This is because the overhead of deploying multiple overlay disjoint paths is negligible in comparison with the performance benefits gained by removing the path stretch. We show that KPsec requires fewer disjoint paths to achieve the same level of resiliency against cooperative attacks compared to other multi-path solutions. Furthermore, contrary to other algorithms, KPsec is resilient against passive attacks and does not suffer from secure information leakage. KPsec’s main goal is to protect the confidentiality of communications. We leave the availability analysis for future work.

## References

- [1] (2014-07) (Website).
- [2] (2015-03) Probabilistic key pre-distribution for heterogeneous mobile ad hoc networks using subjective logic. In 2015 IEEE 29th International Conference on Advanced Information Networking and Applications, pp. 185–192. ISSN 1550-445X.
- [3] (2016) Autonomous intersection management for semi-autonomous vehicles. In Handbook of Transportation, D. Teodorović (Ed.), pp. 88–104.
- [4] (2013-02) A highly scalable key pre-distribution scheme for wireless sensor networks. Wireless Communications, IEEE Transactions on 12 (2), pp. 948–959. ISSN 1536-1276.
- [5] (2003-05) Random key predistribution schemes for sensor networks. In Security and Privacy, 2003. Proceedings. 2003 Symposium on, pp. 197–213.
- [6] (2005) Brute force cracking the data encryption standard. Springer.
- [7] (2002) A key-management scheme for distributed sensor networks. In Proceedings of the 9th ACM Conference on Computer and Communications Security, CCS ’02, New York, NY, USA, pp. 41–47. ISBN 1-58113-612-9.
- [8] (1956) Maximal flow through a network. Canadian Journal of Mathematics 8 (1), pp. 399–404.
- [9] (2017-01) A key distribution scheme for mobile wireless sensor networks: - -composite. IEEE Transactions on Information Forensics and Security 12 (1), pp. 34–47. ISSN 1556-6013.
- [10] (2013-03) A novel probabilistic key management algorithm for large-scale manets. In 2013 27th International Conference on Advanced Information Networking and Applications Workshops, pp. 349–356.
- [11] (2013) Expert key selection impact on the manets’ performance using probabilistic key management algorithm. In Proceedings of the 6th International Conference on Security of Information and Networks, SIN ’13, New York, NY, USA, pp. 347–351. ISBN 978-1-4503-2498-4.
- [12] (2019-07) Secure overlay routing for large scale networks. IEEE Transactions on Network Science and Engineering 6 (3), pp. 501–511.
- [13] (2017) Fully distributed ecc-based key management for mobile ad hoc networks. Computer Networks 113, pp. 269–283. ISSN 1389-1286.
- [14] (2016-09) Secure overlay routing using key pre-distribution: a linear distance optimization approach. IEEE Transactions on Mobile Computing 15 (9), pp. 2333–2344.
- [15] (2006) A new scheme for establishing pairwise keys for wireless sensor networks. In Distributed Computing and Networking, S. Chaudhuri, S. R. Das, H. S. Paul, and S. Tirthapura (Eds.), Berlin, Heidelberg, pp. 522–533. ISBN 978-3-540-68140-3.
- [16] (2005-11) End-to-end pairwise key establishment using multi-path in wireless sensor network. In GLOBECOM ’05. IEEE Global Telecommunications Conference, 2005., Vol. 3, pp. 5 pp.–. ISSN 1930-529X.
- [17] (2010) Flows in networks. Princeton University Press.
- [18] (2011) Introduction to embedded systems, a cyber-physical systems approach. LeeSeshia.org.
- [19] (2008-05) Cyber physical systems: design challenges. In 2008 11th IEEE International Symposium on Object and Component-Oriented Real-Time Distributed Computing (ISORC), pp. 363–369. ISSN 1555-0885.
- [20] (2005) Path key establishment using multiple secured paths in wireless sensor networks. In Proceedings of the 2005 ACM Conference on Emerging Network Experiment and Technology, CoNEXT ’05, New York, NY, USA, pp. 43–49. ISBN 1-59593-197-X.
- [21] (2003) Establishing pairwise keys in distributed sensor networks. In Proceedings of the 10th ACM Conference on Computer and Communications Security, CCS ’03, New York, NY, USA, pp. 52–61. ISBN 1-58113-738-9.
- [22] (2009-03) Asymmetric key pre-distribution scheme for sensor networks. IEEE Transactions on Wireless Communications 8 (3), pp. 1366–1372. ISSN 1536-1276.
- [23] (2016-06) Practical intrusion-tolerant networks. In 2016 IEEE 36th International Conference on Distributed Computing Systems (ICDCS), pp. 45–56. ISSN 1063-6927.
- [24] (2006-02) A study of the energy consumption characteristics of cryptographic algorithms and security protocols. Mobile Computing, IEEE Transactions on 5 (2), pp. 128–143. ISSN 1536-1233.
- [25] (2016) Recommendation for key management part 1: general. NIST Special Publication 800-57 Part 1 Revision 4. ISSN 0304-3975.
- [26] (2011-04) Fully secure pairwise and triple key distribution in wireless sensor networks using combinatorial designs. In INFOCOM, 2011 Proceedings IEEE, pp. 326–330. ISSN 0743-166X.
- [27] (2007) Pair-wise path key establishment in wireless sensor networks. Computer Communications 30 (11), pp. 2365–2374. Note: Special issue on security on wireless ad hoc and sensor networks. ISSN 0140-3664.
- [28] (2009) Standards for efficient cryptography, sec 1: elliptic curve cryptography. Certicom Research.
- [29] (2002) Probability and statistics with reliability, queuing and computer science applications. Wiley-Interscience Publication.
- [30] (2010) Frequency of target crashes for intellidrive safety systems. US Department of Administration. ISSN 0304-3975.
- [31] (2016-12) Wireless sensor networks under the random pairwise key predistribution scheme: can resiliency be achieved with small key rings?. IEEE/ACM Transactions on Networking 24 (6), pp. 3383–3396. ISSN 1063-6692.
- [32] (2005-03) LLK: a link-layer key establishment scheme for wireless sensor networks. In IEEE Wireless Communications and Networking Conference, 2005, Vol. 4, pp. 1921–1926 Vol. 4. ISSN 1525-3511.
- [33] (2017-03) On resilience and connectivity of secure wireless sensor networks under node capture attacks. IEEE Transactions on Information Forensics and Security 12 (3), pp. 557–571. ISSN 1556-6013.
- [34] (2017-06) Topological properties of secure wireless sensor networks under the -composite key predistribution scheme with unreliable links. IEEE/ACM Transactions on Networking 25 (3), pp. 1789–1802. ISSN 1063-6692.