SECURITY AND COMMUNICATION NETWORKS

Security Comm. Networks 2015; 8:220–231

Published online 10 March 2014 in Wiley Online Library (wileyonlinelibrary.com). DOI: 10.1002/sec.975

RESEARCH ARTICLE

Efficient centralized approach to prevent from

replication attack in wireless sensor networks
Tayeb Kenaza1 *, Othmane Nait Hamoud1 and Nadia Nouali-Taboudjemat2
1
Ecole Militaire Polytechnique, BP 17 Bordj-Elbahri, Algiers, Algeria
2
Centre de Recherche sur l’Information Scientifique et Technique, 05, Rue des 3 frères Aissou, Ben Aknoun, Algiers, Algeria

ABSTRACT
The majority of key management schemes suffer from the physical compromising of nodes. This vulnerability allows an
adversary to reproduce clones and inject them throughout the network to perform other types of attacks. Furthermore,
adding new nodes to the network (for maintenance), which is an inevitable step to prolong its life or to repair voids, is the
best opportunity to carry out the cloning attack. Our contribution in this paper is to perfectly secure network maintenance
against the cloning attack, using a solution based on the digital signature of the base station. Our solution is based on
the agreement that the base station should give to a new node to share a pairwise key with its neighbors. The conducted
simulations under TinyOS SIMulator (TOSSIM) show that, in addition to perfect resilience, our approach is efficient in
terms of time consumption and communication overhead. Copyright © 2014 John Wiley & Sons, Ltd.

KEYWORDS
WSN; key management schemes; cloning attack; WSN maintenance

*Correspondence
Tayeb Kenaza, Ecole Militaire Polytechnique, BP 17 Bordj-Elbahri, Algiers, Algeria.
E-mail: ken.tayeb@gmail.com

1. INTRODUCTION the random deployment of a huge number of sensors ren-

Wireless sensor networks (WSN) present an effective solu-
tion in many areas (military, environment, etc.), thanks
to their low-cost manufacturing, their performed functions
and their ad hoc property. However, their deployment in
open spaces, their transmission medium (wireless) and the
lack of a secure and reliable infrastructure expose them
to serious vulnerabilities, which raises the need to protect
them against attacks.
To protect WSN, several solutions have been proposed
in the literature [1]. The central element of these solutions
is the key management schemes. This latter can be classi-
fied according to the used encryption technique as symmet-
ric, asymmetric or hybrid. Whatever the used encryption
technique, the ultimate objective of these schemes is to
share a secret key between every pair of neighboring nodes.
These keys are then used to ensure the confidentiality of
the exchanged data between nodes. Note that a compro-
mise between cost and performance of a key management
scheme must be considered.
Preloading each pair of neighboring nodes with a sin-
gle shared pairwise key (PK) is the best solution. However,
ders unpredictable the resulting network topology. There-
fore, one can never predict for a sensor its direct neigh-
bors in order to preload it with the adequate PKs; this
makes the design of secure key management solutions a
challenging task.
Another difficulty lies in the authentication mechanism.
This can be achieved through asymmetric cryptography,
which is known for its expensive cost in terms of resource
consumption. Hence, the vast majority of key management
approaches converge to the use of symmetric cryptography,
and the authentication is generally based on the preloading
of the sensors with a master key.
Furthermore, most key management schemes can be
classified either as probabilistic or deterministic. Proba-
bilistic schemes are based on randomly preloading sensors
with different sets of keys, so that there is a high prob-
ability that two neighboring nodes share a common key.
Deterministic schemes guarantee the establishment of PKs
in a centralized or distributed manner. In the first cate-
gory, the base station (BS) acts as a trusted third party that
supervises key establishment between nodes. However,
this approach suffers from poor scalability. In the second

220 Copyright © 2014 John Wiley & Sons, Ltd.

T. Kenaza, O. Nait Hamoud and N. Nouali-Taboudjemat
Figure 1. Direct and indirect cloning attacks.
category, preloading sensors with a master key allows them
to authenticate each other and establish PKs.
One serious problem of the distributed schemes lies in
the physical compromise of sensors and the extraction of
their keys. Indeed, an adversary can easily make malicious
clones and inject them in the network. These clones will
be considered by old nodes as legitimate new nodes [2].
Moreover, the maintenance of networks, which consists
of adding new nodes to the network, represents an appro-
priate time to dissimulate the cloning attack (also called
replication attack). To counter this problem, several works
propose to link the validity of the master key in time and/or
use a one-way hash function [3–6]. However, these works
remain exposed to the cloning attack as we will highlight
in Section 2.
In this paper, we propose a solution to avoid the cloning
attack. Our solution guarantees secure addition of new
nodes to a network without any risk of compromise. It
is based on the mutual authentication between new and
old nodes using the agreement that the BS should give
to new nodes. As we will see in Sections 3 and 4, this
agreement guarantees that the new nodes and all their
neighbors are legitimate. Our solution guarantees secure
node joining without significant communication overhead,
especially as the number of new nodes, deployed for main-
tenance, is usually smaller than the number of nodes of
the first deployment. Thus, our solution ensures perfect
resilience by preventing attackers to compromise any fur-
ther communication links other than those used by the
compromised nodes.
The remainder of this paper is organized as follows.
Section 2 introduces the vulnerability of some distributed
schemes regarding the cloning attack. In Section 3, we
discuss our approach. In Section 4, we present a detailed
security analysis of our approach, emphasizing that it is
essential to involve the BS to ensure perfect resilience
during the maintenance phase. In Section 5, we evaluate
Security Comm. Networks 2015; 8:220–231 © 2014 John Wiley & Sons, Ltd.
DOI: 10.1002/sec
Securing new nodes joining in wireless sensor networks
our solution in terms of time consumption and communi-
cation overhead. Section 6 concludes this paper.
2. THE CLONING ATTACK
IN DISTRIBUTED KEY
MANAGEMENT SCHEMES
The cloning attack consists of physically capturingŽ a sin-
gle sensor, extract the secret information contained in its
memory, reproduce several clones and finally inject them
in several locations of the network [2]. These clones will
be able to legitimately communicate with old nodes (as
new nodes) and to conduct the attack that we call “direct
cloning.” They can also wait for the deployment of new
nodes to present themselves to these latter as old nodes
and so conduct the attack that we call “indirect cloning”
(Figure 1).
The cloning attack exploits the weakness of the authen-
tication mechanism used by existing approaches. The
authentication is generally based on a secret information
(e.g., the master keys) preloaded on sensors. Unfortunately,
this secret information can be avoided by the physical
compromise of sensors. Therefore, if the shared secret is
disclosed, both direct and indirect cloning attacks will be
enabled.
To minimize the impact of the physical compromise of
sensors in distributed schemes, especially those based on a
master key, three solutions have been proposed:
(1) The master key must depend on the geo-
graphic location of new nodes (localization-based
schemes) [7,8]. In this case, the compromise of the
master key will not allow an adversary to inject its
Ž Because of the expensive cost, sensors are not physically
protected against capture.
221
Securing new nodes joining in wireless sensor networks
clones in locations other than those in which he or
she compromised them.
(2) The master key must be checked by a trusted third
party before being assigned to a new node (central-
ized schemes) [9,10].
(3) The master key must be linked to time (time-based
schemes) and/or on the irreversibility of one-way
hash functions [3–6]. In this case, the compromise
of the master key will not allow an adversary to use
it in the future because this master key will expire
immediately after its deployment.
Generally, in localization-based schemes, deployment
is performed in such way that each sensor has the coor-
dinates of its location (known previously or given by a
GPS) or has its relative position regarding its neighbors in
the case of a deterministic deployment (e.g., grid deploy-
ment [11]). Therefore, information about the position of
a sensor can be involved in the process of key establish-
ment, and this prevents (or greatly limits) cloning attack
in this category. In centralized schemes, the centralized
control of maintenance operations can significantly reduce
the impact of the cloning attack. However, these two cat-
egories present several constraints regarding deployment
and scalability, respectively.
Note that we are particularly interested in the third cate-
gory (time-based schemes), which are the most cited in the
literature. These schemes offer a large scalability, a rela-
tively good connectivity and a decentralized management.
Although they claim resistance to cloning attacks,
unfortunately, they resist only direct cloning attacks, as we
will see in the next section. Note that, to our best knowl-
edge, indirect cloning attacks have never been discussed in
the literature.
2.1. Review of some existing schemes
In this section, we will review some distributed key man-
agement schemes. We particularly highlight their weak-
ness regarding the cloning attack and its impact on the
security of the WSN.
2.1.1. Localized Encryption and Authentication
Protocol.
Localized Encryption and Authentication Protocol
(LEAP) [3] is one of the most referenced protocols in
the literature. It presents a comprehensive key manage-
ment scheme based on an initial key, under the assumption
that this key will be erased after the network initialization.
It has been designed to support multiple communication
modes: unicast, broadcast and local and global broadcast.
In order to bypass the use of the BS in each operation
of key establishment or authentication between nodes, the
authors of LEAP have based their scheme on an initial
key KIN that is preloaded on the nodes. They assume that
there is a time limit Tmin needed to compromise a node,
and another time limit Test required by a newly deployed
sensor to discover its immediate neighbors, establish a PK
222
T. Kenaza, O. Nait Hamoud and N. Nouali-Taboudjemat
with each neighbor and finally erase KIN . Authors of LEAP
have proposed two variants of this scheme.
Basic scheme
In this scheme, the authors assume that an attacker can-
not recover KIN before Test (i.e., Test < Tmin ). A node u
is preloaded with the initial key KIN , which is then used to
derive a master key (Ku = fKIN (u)), where f is a pseudo-
random function. Once deployed, the node u broadcasts a
message containing its identity u and initiates a timer with
a value equal to Tmin . The response of a node v includes
its identity and the message authentication code (MAC)
(calculated using Kv ) of u concatenated with v:
u!*:u (1)
ˇ ˇ
v ! u : v ˇMAC(Kv , uˇ v) (2)
The response of v is authenticated with Kv , which is
derived as follows: (Kv = fKIN (v)). As the node u has KIN ,
it can also derive and verify the identity of v. Thus, the PK
will be calculated as follows: (Kuv = fKv (u)). Once Tmin is
expired, the node u erases KIN and all the master keys of
its neighbors, while keeping the Ku .
Extended scheme
In this scheme, the authors deal with the case where an
attacker can recover KIN before Test (i.e., Test > Tmin ).
The basic idea in this case is to remove the dependence
on KIN , which will be replaced by a series of initial keys
corresponding to time intervals (T1 , T2 , : : : , TM ) of new
i is disclosed,
nodes added. In this case, if an initial key KIN
only nodes deployed in the corresponding interval can be
compromised.
Before the deployment, a node u to be added in the inter-
val Ti is preloaded with the initial key KINi , through which
 
it derives its master key Kui = fK i (u) . In addition, the
IN  
j
node u is preloaded with the master keys Ku = f j (u)
KIN
for all i < j  M. Once deployed, the node u starts the
neighborhood discovery phase and the establishment of
PK, which takes less than Tmin seconds, the minimum time
required for an attacker to compromise a sensor. In the
neighborhood discovery phase, a node u begins by send-
ing a message containing its identity u and the current time
interval i:
ˇ
u ! * : uˇ i (3)
As a response, a neighbor v sends an acknowledg-
ment Ack authenticated with the master key of the current
interval i:
 ˇ 
ˇ
v ! u : v| MAC Kvi , uˇ v (4)
i , it can calculate and check
Because u has the key KIN
the Ack. Now, nodes u and v can calculate their PK: (Kuv =
fK i (u)). Once Test is expired, the node u erases all the mas-
v
ter keys of its neighbors, while keeping Kui and all master
keys of future intervals.
Security Comm. Networks 2015; 8:220–231 © 2014 John Wiley & Sons, Ltd.
DOI: 10.1002/sec
T. Kenaza, O. Nait Hamoud and N. Nouali-Taboudjemat
Discussion
Authors of LEAP address the cloning attack only in the
case where a new node compromise would be made before
Test ; however, the attack can occur even if the compromise
was made after Test . In the basic scheme, the mainte-
nance exposes the key KIN to be compromised, and this
undermines the security of the entire network. Moreover,
even if the key KIN is not disclosed, an indirect cloning
attack is possible against new nodes. Indeed, the master
key of a compromised node can authenticate responses
of neighborhood discovery messages (2) sent by new
nodes (1).
In the extended scheme, if the attacker compromises a
i of a node u and its
node u after Test , the initial key KIN
neighbors’ master keys are deleted, which prevents a direct
cloning attack. However, the attacker can recover the mas-
ter keys of future intervals. Thus, she or he can clone the
node u, and all copies will be able to present themselves
as legitimate old nodes (4) to new nodes to be deployed in
future intervals (indirect cloning).
For example,
 a node u is deployed at T2 , it is preloaded
 Kv = MAC(Hi , v) and calculates Hi–1 = f (Hi ) and then
with KIN 2 through which it derives its master key Ku2
and M-2 master keys Ku3 , : : : , KuM , corresponding to inter-
vals T3 , : : : , TM . After the end of Test , the node u does
not delete master keys Ku2 , Ku3 , : : : , KuM , in order to authen-
ticate nodes deployed in T2 , T3 , : : : , TM . So, the compro-
mise of node u produces clones with all these master
keys. Consequently, any clone u* deployed across the net-
work will be able to authenticate itself as an old node to
all sensors deployed at T2 , T3 : : : , TM . Therefore, clones
can easily establish PK and infiltrate the network (indirect
cloning).
Note that LEAP authors have proposed a solution
against the cloning attack in the case of a compromise
before Test . In this solution, they rely on the broadcast
by the BS of an authenticated list of added nodes, using
Tesla [9]. In this case, even if the network nodes estab-
lish PK with clones, they can revoke them upon receiving
the list of added nodes. Although LEAP uses the BS as a
trusted third party that broadcasts the list of added nodes,
the vulnerability of the cloning attack still exists. The ori-
gin of this vulnerability is the lack of mutual authentication
between nodes. Indeed, when an attacker compromises a
node, all constructed clones will have the same identity
of the compromised node. In addition, the establishment
of PK is based on the identity of nodes; it cannot be car-
ried out with a clone that has an identity x and keys of
node y. Therefore, the broadcast of the list of added nodes
identities eventually brings nothing. In other words, as a
compromised node is legitimate, so are its identity and
keys. The real problem is that the constructed clones can
be deployed everywhere in the network, and the network
will never identify them.
2.1.2. Opaque transitory master key.
Like LEAP, the opaque transitory master key [4] is
based on an initial key. However, the PK established
Security Comm. Networks 2015; 8:220–231 © 2014 John Wiley & Sons, Ltd.
DOI: 10.1002/sec
Securing new nodes joining in wireless sensor networks
between two nodes will not depend on the initial key; it
will be randomly generated by both nodes. This ensures
the security of existing links in case of the compromise
of the initial key. To do this, each node is preloaded with
an initial key KIN , and the PK establishment is carried out
as follows:
ˇ
u ! * : Joinˇ EKIN ( u | nu ) (5)
ˇ  ˇ ˇ 
v ! u : Replyˇ EKIN v ˇnu + 1ˇ Kuv (6)
For the maintenance operation, authors propose a mech-
anism that is also based on the decomposition of the life
of the network into a number of time intervals. Each node
is preloaded with an authentication key H. This key is
obtained by applying a chain of one-way hash function <
HK , HK–1 , : : : , H1 , H0 >, where each key Hi corresponds
to a time interval i. Nodes deployed in the same interval
establish their PK as described previously (5 and 6) where
the authentication key Hi plays the role of the initial key
KIN . Subsequently, each node v calculates its master key
removes Hi .
Let u be a new node and v an old node. The node u
is preloaded with Hj and the node v with Hi (with j > i).
When the node v receives the message JOIN from the node
u, it responds with a message containing its identity v, a
nonce nv , the index i of the authentication key and the
associated MAC:
u ! * : Join |u| nu (7)
ˇ ˇ ˇ  ˇ ˇ ˇ 
v ! u : v ˇnv ˇ i ˇ MAC Kv ˇnu ˇ nv ˇ v (8)
Node u can compute Hi from Hj and the index i. Thus,
it can generate Kv using Hi and check the MAC, and there-
fore authenticate v. Because v is authenticated, node u must
also authenticate itself to v:
ˇ ˇ  ˇ ˇ ˇ 
u ! v : u ˇEKv (Kuv )ˇ MAC Hj ˇnv ˇ u ˇKuv (9)
Once PK is established, u broadcasts its initial key Hj .
Therefore, v can authenticate u:
u ! * : Hj (10)
Discussion
Although an adversary who compromises KIN can-
not compromise already established PK because they are
computed independently to KIN ; however, he or she can
intercept reply messages (6) and then disclose PK when the
KIN is compromised. Concerning the maintenance opera-
tion, this protocol is also not secure because listening to
the traffic allows an adversary to save messages exchanged
during a time interval j (9) and then decrypt them after the
disclosure of the key Hj (10), which will cause the loss of
the confidentiality in the network.
Regarding the cloning attack, the Opaque Transitory
Master Key presents the same weakness as LEAP. Indeed,
223
Securing new nodes joining in wireless sensor networks T. Kenaza, O. Nait Hamoud and N. Nouali-Taboudjemat

an attacker can carry out a direct cloning attack against
existing nodes through clones obtained by the compromise
of a new node before it erases the initial key Hj . In addition,
even if the compromise would be carried out after clearing
Hj , the attacker can (through the index i and the corre-
sponding authentication key) conduct an indirect cloning
attack against nodes added in the future time intervals Ti
(i > j), by replaying the same authentication (8).
2.1.3. Time-based key management protocol for
wireless sensor networks.
In the probabilistic scheme of time-based key manage-
ment protocol for WSN [5], the authors deal with the case
where the time Test required to establish keys between
nodes is greater than Tmin , the time required to compro-
mise a node. So, to reduce the impact of compromising the
initial key KI , authors have decomposed the lifetime of the
network into P time intervals Ti (corresponding to main-
tenance phases) where for each time interval corresponds
an initial key. In addition, authors used a probabilistic
preloading of master keys as used in [12].
To do this, the BS preloads nodes with an initial key KIK
corresponding to their deployment time interval k and a set
of m random master keys corresponding to the future inter-
vals i (Kui = fKui (i)). After the deployment, like LEAP, the
first key establishment (corresponding to the time interval
T1 ) is carried out through the key KI1 . A node u computes
its key and broadcasts a message containing its identity and
a nonce nu . A node v responds with a message containing
its identity and the MAC of nu |v :
ˇ taining the initial key IKj of the generation j and (Gw–1 )
u ! * : uˇ nu (11)
ˇ  ˇ 
v ! u : v ˇ MAC Kv1 , nu ˇ v (12)
Having the key KI1 , a node u can generate the master
key of v and thus authenticate it. The PK is calculated as
follows: kuv = fKv1 (u).
Concerning the maintenance, new nodes deployed at the
same time will be able to establish PK as they have the
same initial key. They can also establish PK with those
deployed in previous time intervals if old nodes have a
master key derived from the current interval key.
Table I presents an example given in [5] where Nn rep-
resents a group of nodes deployed at the time interval
Tn . The group N1 is preloaded with the initial key KI1
and three randomly selected master keys (Ku2 , Ku5 , Ku7 ).
Table I. Example of mater keys probabilistic preloading.
T1 T2 T3 T4 T5 T6 T7 T8 T9
They can establish PK between them, because they all
have KI1 . They can establish PK with the groups N2 , N5
and N7 because they have Ku2 , Ku5 and Ku7 , respectively.
Groups N2 , N5 and N7 can authenticate nodes belonging
to the group N1 using their respective initial keys KI2 , KI5
and KI7 .
Discussion
Let us discuss this scheme in regard to the cloning
attack through the given example (Table I). The compro-
mise of a sensor that belongs to N4 can recover the initial
key of the current interval KI4 and the master keys Ku6
and Ku9 derived from the initial keys KI6 and KI9 , respec-
tively. Thus, clones can, using the initial key KI4 , establish
PK with nodes deployed during the same time interval (i.e.,
nodes of N4 ) as well as those deployed during the inter-
val T2 (i.e., nodes of N2 ); this represents a direct cloning
attack. Even if the compromise occurs after removing the
initial key KI4 , master keys Ku6 and Ku9 are not erased,
which will allow clones to establish PK with nodes to be
deployed later during the time interval T6 and T9 (i.e.,
nodes of groups N6 and N9 ), and this represents an indirect
cloning attack.
2.1.4. Toward enhanced key management.
Toward enhanced key management [6] is based on the
fact that a node u can live up to Gw generations (generation
window), which correspond to the addition of new nodes.
Before deployment, a node u belonging to the generation j
is preloaded with a set of keys KRj called “KeyRing” con-
hidden master keys Kj,l of the future generations (KRj =
IKj , Kj,l ). The hidden master keys are calculated using a
secure hash function Kj,l = H(IKl |j), such as j + 1  l 
j + Gw – 1.
Once deployed, nodes of generation j have the same ini-
tial key IKj , so they
 will
 use it (before being deleted) to
j
establish the PK Ku,v .
ˇˇ
u ! * : u ˇjˇ nu (13)
ˇ  ˇ 
ˇ j ˇ
v ! u : v ˇMAC Kv , uˇ v (14)
where
j
Kv = fIKj (v),
j j
Kv,u = fu (v) if u < v or
j j
Kv,u = fv (u) if v < u

N1 KI1 Ku2 Ku5 Ku7 For nodes that do not belong to the same generation,
N2 KI2 Ku4 Ku7 Ku9 PK is calculated differently. Indeed, let u and v be two
N3 KI3 Ku5 Ku8 nodes that belong to the generations g and h, respectively
N4 KI4 Ku6 Ku9 (1  g  h  g + Gw – 1). After deploying the generation
N5 KI5 Ku9 h, the PK between u (old) and v (new) will be calcu-
N6 KI6 Ku7 gh
lated as follows: Kuv = fKgh (u|v). The node u is already
N7 KI7 Ku8
preloaded with the key Kgh , as its KeyRing is as follows:

224 Security Comm. Networks 2015; 8:220–231 © 2014 John Wiley & Sons, Ltd.
DOI: 10.1002/sec
T. Kenaza, O. Nait Hamoud and N. Nouali-Taboudjemat
KRg = IKg , IKg,g+1 , : : : , IKg,h , : : : , IKg,Gw –1 . For the node
v, the key Kgh does not belong to its KeyRing. However, it
can calculate it (Kgh = H(IKh |g)) as it holds the key IKh of
its generation.
Discussion
When the attacker compromises a new node v belong-
ing to the generation h and if she or he recovers the initial
key before it is erased, she or he can use it to calculate the
hidden master key Kxh = H(IKh |x) of a future generation
x and then to calculate PK of nodes belonging to previous
generations. This is a direct cloning. Moreover, even if the
initial key IKh is erased, the attacker can use the hidden
master keys KRh = {Kh,h+1 , : : : , Kh,h+Gw –1 } contained in
its memory to calculate PK of nodes of future generations.
This is an indirect cloning.
2.2. General discussion
The physical compromise of sensors can be exploited in
two ways: (1) by disclosing the shared secret used by nodes
to set up PK, thus compromising the existing links (e.g.,
the KIN in basic LEAP is used to calculate all PK) or (2)
by reproducing clones that will allow an attacker to infil-
trate the network and then to conduct other types of attacks.
Both methods seriously degrade the resilience of a key
management scheme. Recall that perfect resilience refers
to the ability of a key management solution to prevent an
attacker from compromising any further communication
links other than those used by the compromised nodes.
Table II compares the discussed protocols in the previ-
ous section with respect to some security metrics. All these
schemes are vulnerable to the cloning attack, especially
the indirect cloning attack. The problem of time-based
key management schemes, regarding the cloning attack,
lies on the authentication mechanism between nodes. This
mechanism is generally based on some secret information
preloaded on sensors to build trust between nodes. Unfor-
tunately, this is set to fail by the physical compromise of
nodes, allowing the disclosure of the shared secret. Being
aware of this vulnerability and wanting to keep the dis-
tributed aspect of their key management schemes, many
works such as [3–6] have introduced techniques such as
time intervals, hash function and probabilistic preloading
to limit the impact of sensors being compromised. How-
ever, these solutions are still vulnerable to the cloning
attack as shown in the previous section, even if their
assumptions are satisfied.
Moreover, maintaining the link between generations is
needed, especially as the purpose behind the maintenance
is to extend the lifetime of the WSN or to correct voids
that may split the network into subnets. Thus, keeping the
link between generations of sensors is the weakest link in
these mechanisms, which allow an attacker to perform an
indirect cloning attack.
Our approach separates the initial deployment phase
from the maintenance because the latter is more exposed to
the cloning attack.
Security Comm. Networks 2015; 8:220–231 © 2014 John Wiley & Sons, Ltd.
DOI: 10.1002/sec
Securing new nodes joining in wireless sensor networks
3. SECURING NEW NODE JOINING
3.1. Overview
Our objective is to provide mutual authentication between
new and old nodes before establishing PKs. So, we pro-
pose the anticlone key management scheme (ACKM), a
new key management scheme that prevents from both
direct and indirect cloning attacks. ACKM is a secure
mechanism for the maintenance of WSN, capable of dis-
tinguishing between legitimate nodes and clones. More-
over, this mechanism helps the network detect and remove
compromised nodes.
After the neighborhood discovery phase, the network
routes to the BS the contact established between a new
node and its neighbors. The new node sends an agreement
demand containing the list of its neighbors, encrypted with
its individual key. Once the identity of the new node is
verified, the BS sends the agreement (encrypted with its
public key), which allows the new node to authenticate
the network (i.e., the BS and its neighbors). Subsequently,
the new node diffuses this agreement to its neighbors to
authenticate itself. The PKs are calculated by the BS using
the individual key of an existing node and the new node
identity [7] and then transmitted to the latter encrypted
with its individual key. Thus, every existing node will be
able to calculate the same PK because it depends on its
individual key and the identity of the new node. Note that
the BS computes PKs only for neighbors that explicitly
confirm the new node request by a message.
3.2. Notations and assumptions
The notations used in this paper are as follows:
 IKu : symmetric individual key of node u
 u: unique and unpredictable node u identity
 P: BS’s public key
 S: BS’s private key
 fK : pseudo-random function using key K
 nu : nonce randomly generated by node u
 EK : symmetric encryption using key K
 PKuv : PK between u and v (PKuv = fIKv (u))
 | : concatenation
We assume that a static and uniform network is already
deployed and secured using an existing distributed scheme
such as LEAP, where each node u is preloaded with IKu
and P. Communications of each existing node are assumed
secure through PKs it shared with its neighbors. More-
over, the BS is supposed to be protected and has the list
of identities and individual keys of both already deployed
nodes and those to be deployed in future maintenance oper-
ations. Finally, we assume that the compromise of a node
allows an attacker to extract all information contained in
its memory.
225
Securing new nodes joining in wireless sensor networks
Table II. Comparison between the studied schemes.
Authentication
Localized Encryption and Authentication Protocol
Opaque transitory master key
Time-based key management
Toward enhanced key management
* When the initial key is compromised.
3.3. The proposed approach
For a new node u, PK establishment is carried out through
the following steps:
 Neighborhood discovery: A new node u generates a
nonce nu and sends a message containing the pair
(u, nu ) to its neighbors. A neighbor vi responds only
by its identities and saves the pair (u, nu ) in order
to verify the legitimacy of u in step (20). Then, vi
sends, using the existing secure links, the pair (u, nu )
to the BS in order to confirm u’s agreement demand.
This latter step aims to avoid a malicious node being
dissimulated among the legitimate neighbors of u.
ˇ of the new node u.
u ! * : uˇ nu
vi ! u : vi
vi ! BS : (u, nu )
At this stage, no message sent by node u will
be considered by vi , except the agreement demand
addressed to the BS (18). The nonce n is used to
prevent an attacker to replay messages.
 Agreement demand: Node u sends a message to the
BS containing (u, nu ) and a list of its neighbors (i.e.,
vi ) encrypted with its individual key. Note that this
key is shared only with the BS. Thus, no node can
read or alter the agreement demand.
 ˇ ˇ ˇ ˇ ˇ 
u ! BS : EIKu u ˇnu ˇ v1 ˇv2 ˇ : : : ˇvn
 Agreement grant and PK computing: Once BS
receives the agreement demand of u, it checks if u
is among the list of new nodes and checks messages
received from vi to confirm their legitimacy. In a
favorable case, the BS sends the agreement, which is
the encryption of (u, nu ) using its private key S, and
the PKs encrypted with IKu .
ˇ  ˇ ˇ
BS ! u : ES (nu , u)ˇ EIKu PKuv1 ˇPKuv2 ˇ
ˇ 
: : : ˇPKuv n
226
T. Kenaza, O. Nait Hamoud and N. Nouali-Taboudjemat
Master key used Security
Cloning attack
Pairwise key Resilience
Direct Indirect
Yes Yes Good/weak* Yes* /no Yes
Yes Yes Good/weak* Yes* /no Yes
Yes Yes Good/weak* Yes* /no Yes
Yes Yes Good/weak* Yes* /no Yes
 Network authentication: Upon receiving the agree-
ment from the BS, the node u checks the signature
using P. Therefore, node u would authenticate the
network (i.e., its neighbors). After that, it broadcasts
its agreement to its neighbors vi in order to authen-
ticate itself. Then, node u decrypts the PKs using its
IKu (19).
 ˇ 
u ! * : ES nu ˇ u (20)
 New node authentication: By decrypting the agree-
ment using P, neighbors vi can compare the result
with the pair (u, nu ) already stored in step (15). Thus,
they authenticate the node u, and they can compute
PKuvi , as it depends only on their Kvi and the identity
(15)
(16) 4. SECURITY ANALYSIS
In this section, we will discuss the resilience of our
(17)
approach with regard to the cloning attack. We also dis-
cuss some possible denial-of-service attacks, and finally,
we discuss the jamming attack that consists of disturbing
the radio channel with useless information [13].
Our solution avoids the problem of cloning attack by
involving the BS to ensure a mutual authentication between
old and new nodes. Let us consider an example to illus-
trate our approach. Let U = u1 , u2 , : : : , un and V =
v1 , v2 , : : : , vm , two sets of new nodes, be added in the time
intervals T1 and T2 , respectively. We suppose that node u1
is compromised by an attacker and multiple clones u*1 are
deployed on the network. We distinguish whether the com-
(18) promise is performed in either of the two cases: (i) before
establishing PKs or (ii) after establishing PKs.
In the first case (i), the clones u*1 will achieve the first
four steps of our protocol (15–18), and they will have dif-
ferent lists of neighbors. By receiving the first agreement
demand sent by a clone u*1 , the BS executes step (19)
normally. However, upon receiving the second agreement
demand (with a different list of neighbors), the BS real-
izes immediately that it is a clone of the node u1 . In this
situation, the BS can broadcast, by means of an authen-
ticated broadcast protocol (e.g., Tesla [9]), a request to
(19) revoke the node u1 , which is compromised. As a result, the
network loses only the node u1 .
Security Comm. Networks 2015; 8:220–231 © 2014 John Wiley & Sons, Ltd.
DOI: 10.1002/sec
T. Kenaza, O. Nait Hamoud and N. Nouali-Taboudjemat Securing new nodes joining in wireless sensor networks

In the second case (ii), clones u*1 cannot communicate Table III. Simulation parameters.
using PKs stored in their memories because they depend on Parameter Value
the neighbors of the node u1 . However, they can commu-
nicate to new nodes vi of the set V (to be deployed within Sensor MicaZ
T2 ) in order to conduct an indirect cloning attack. In this Radio chip CC2420
case, after receiving the agreement demands sent by a new Surface 200  200
node vi (step 18), the BS checks its neighbor list. If illegit- Number of nodes 1–255
Communication protocol IEEE 802.15.4/Zigbee
imate identities appear in this list, the BS may revoke them
Communication range (m) 45
by broadcasting their identities. However, if clones appear
Routing protocol Ad Hoc On-demand
in this list, the BS cannot distinguish between the clones u*1
Distance Vector
and the legitimate node u1 . Step (17) solves this problem,
Number of maximum hops 50
as neighbors of vi have to send securely to the BS the pair
(vi , nvi ). At this stage, clones u*1 cannot carry on step (17)
because they do not have secure links. Therefore, the BS
We used a Timer component to ensure a certain execu-
can verify if clones are among the list of neighbors. Indeed,
tion timeline. This will allow our protocol, on the one hand,
after waiting for some time, the BS carries on step (19) and
to avoid collisions and packet loss during the maintenance
sends to the new node vi the PKs of only neighbors that
phase and also decrease the communication overhead,
had accomplished step (17).
which may submerge the BS. On the other hand, it allows
In steps 15, 16 and 17, the new node sends a nonce to its
a gradual deployment of new nodes. For this, a time inter-
neighbors without encryption, which will be forwarded to
val is assigned for each new node, which is associated to
the BS directly without any verification. This may cause a
its unique identity. For example, if {101, 102, 103, 104 and
denial-of-service attack when facing a lot of broadcasting
105} is the identity list of new nodes to be deployed in
nonce. Note that denial of service is a common problem for
the next maintenance operation, each node will start join-
all schemes. To limit the impact of such an attack, two solu-
ing at (id – id0 + 1)*t, where t is the joining time interval
tions are possible. The first solution consists of controlling
and id0 is the id of the first node.
the amount of message sending to the BS by old nodes. An
We also used the Advanced Encryption Standard (AES)
old node can separate the sending of two successive mes-
[16] and Elliptic Curve Cryptography (ECC) [17] crypto-
sages by a specific delay. Moreover, it can limit the number
graphic components in symmetric encryption operations
of agreement demands to three for each new node. After
(for confidentiality) and digital signatures (for authenti-
that, the new node will be considered malicious.
cation), respectively. The Ad Hoc On-demand Distance
The second solution comes from the BS. If the mali-
Vector (AODV) routing protocol [18] is used to route
cious node will continually change its identity in order to
agreement demands sent by the new nodes to the BS and
avoid the limitation of agreement demands (the first coun-
the responses of the latter to the new nodes.
termeasure), the BS will detect this, because it has the
Simulations are conducted using one topology and sev-
list of all new nodes. In this case, the BS will notify the
eral maintenance operations (by varying the number of
old node to stop sending messages, to avoid the denial-of-
added nodes). Indeed, the size of the network, the neigh-
service attack.
boring average and the maintenance rate are the most
In randomizing LEAP+ [14], authors have raised a seri-
influential parameters on the simulation results. Simulation
ous weakness of LEAP+ against the jamming attack. The
parameters are given in Table III.
Test condition represents the best opportunity to conduct
Note that in these simulations, we noted the failure of
this attack. Indeed, just jamming the network during Test (a
key establishment of some nodes. These failures can be
few seconds) prevents nodes from establishing the required
explained by the amount of traffic generated by the net-
keys. After Test , nodes delete the initial key, and they will
work maintenance. This leads to feedback implosion (as
never join the network. For this attack, our solution is well
explained in LEAP+), especially when the neighboring
protected because the agreement demand can be sent by a
average is high. Therefore, nodes are likely to miss many
node at any time.
messages because of packet collisions. So, we addressed
these failures by introducing a callback mechanism that
involves sending the agreement demand to the BS as many
5. PERFORMANCE EVALUATION
times as necessary. This callback mechanism is necessary
if we seek a success rate of 100%, at whatever level of
We have implemented our approach using the TOSSIM
maintenance.
[15] simulator, this will allow us in the future to deploy
In the following section, we present the evaluation of
it easily on real sensors. The purpose behind this simula-
our protocol. Notations used in this evaluation are given
tion is to evaluate the following: (1) the time a new node
in Table IV.
takes to establish PKs with its neighbors; (2) the overall
maintenance time for a group of new nodes; and (3) the
performance of our solution in terms of communication  The id of new nodes has to be successive.
overhead, energy consumption and scalability.  In our simulations, t = 2.5 s.

Security Comm. Networks 2015; 8:220–231 © 2014 John Wiley & Sons, Ltd. 227
DOI: 10.1002/sec
Securing new nodes joining in wireless sensor networks T. Kenaza, O. Nait Hamoud and N. Nouali-Taboudjemat

Table IV. Evaluation metrics.

Metrics Definition

MR Maintenance rate = (number of new nodes)/(number of existing nodes)  100

NA Neighboring average
T–CB Pairwise key establishment time without callback
T+CB Pairwise key establishment time with callback
SR Success rate = (1 – (number of failures)/(number of new nodes))  100

5.1. Time and connectivity
Figure 2(a) shows the PK establishment time (with and
without callback mechanism) taken by a set of new nodes
joined to an existing network. We proceed by adding sev-
eral groups of nodes (x-axis), where we gradually increase
the number of added nodes relative to the existing ones
(i.e., increasing the maintenance rate). The size and the
surface of the simulated network are set to 100 sensors
(including both old and new nodes) and 200  200 m2 ,
respectively.
As shown in Figure 2(a), the establishment time
increases proportionally with the number of added new
nodes in maintenance operations. Note that the time spent
by a single sensor is about 2.5 s, regardless of the number
of neighbors. This time includes the neighborhood discov-
ery phase, the agreement demand sent to the BS and the
response sent to the new node.
The connectivity is shown in Figure 2(b). By con-
nectivity, we refer to the percentage of new nodes that
successfully joined the network. It is 100% until the num-
ber of new nodes exceeds 10, which corresponds to 11.11%
of maintenance (10 new nodes added to 90 existing nodes).
Beyond that, we start recording packet loss and therefore
key establishment failures. The failure rate when we added
50 nodes to existing 50 nodes (maintenance rate = 100%)
reaches 22%.
Note that the proposed callback mechanism guaran-
tees a connectivity of 100%. However, the callback needs
a little more time, which is relatively low as shown
in Figure 2(a).
5.2. Communication overhead and
energy consumption
Figure 3(a and b) presents the communication overhead
and the corresponding energy consumption during the

Figure 2. (a) Time establishment of pairwise keys within a Figure 3. (a) Communication overhead for different main-
network of 100 nodes. (b) Corresponding success rate. CB, tenance operations. (b) Corresponding energy consumption
callback. (mAh). CB, callback.

228 Security Comm. Networks 2015; 8:220–231 © 2014 John Wiley & Sons, Ltd.
DOI: 10.1002/sec
T. Kenaza, O. Nait Hamoud and N. Nouali-Taboudjemat
Figure 4. Time establishment of pairwise keys within several topologies (with and without recall). CB, callback.
network maintenance, respectively. Results are in con-
cordance with those of Figure 2(a), where the number
of packets and energy consumption increase substantially
with the number of new nodes. Note that these simula-
tions were made without a prior knowledge of different
routes to the BS for all nodes (new and existing ones).
Therefore, results may be revised down significantly if
such routes are established beforehand. For example, the
difference between the number of packets with and with-
out callback mechanism is 34 packets for the group of 15
new nodes (Figure 3(a)). This difference corresponds to
the recovery of a single failure of PK establishment. More-
over, the number of packets corresponding to a single new
node (without callback mechanism) is 217 packets. This
allows us to conclude that 84.4% of traffic in this case
is generated by AODV during the discovery of different
routes to the BS. So, added nodes to an existing network
where most of its nodes have already established routes
to the BS will significantly decrease the communication
overhead.
Concerning the energy consumption (15 new nodes,
Figure 3(b)), the difference between the total energy con-
sumption with and without callback mechanism is 1.71
mAh, which corresponds to the recovery of one new
node failure. However, the energy consumed for the addi-
tion of a single node is 3.4 mAh. This confirms that
most consumed energy is due to the routing protocol.
Note that the capacity of a pair of AA battery (suit-
able for MicaZ sensors) is approximately 2000–3000 mAh
[19]. By comparing the average consumption per node
(which is about 1.4 mAh for the group of 50 nodes) with
the initial battery capacity, we can say that these results
are reasonable.
Security Comm. Networks 2015; 8:220–231 © 2014 John Wiley & Sons, Ltd.
DOI: 10.1002/sec
Securing new nodes joining in wireless sensor networks
5.3. Scalability
The same simulations were performed in several network
topologies (Figure 4) in which we set the total number
of sensors to 225 and we vary the surface. Therefore,
we obtain several neighboring averages that allow us to
study the impact of network density on our protocol. We
repeat this simulation with a set of four groups of new
nodes: 10, 20, 30 and 40, which correspond to maintenance
rates of 4.65, 9.75, 15.38 and 21.62, respectively. Note
that for a given topology, if we increase the maintenance
rate beyond a certain limit, then we start losing signifi-
cantly the connectivity. This limit is closely related to the
network density.
As shown in Figure 4, all curves are almost a straight
line, which means that our protocol is not affected by
the change of the neighboring average (i.e., network den-
sity). A second observation is that the time substantially
increases with the increase of the number of added new
nodes in a maintenance operation. In fact, this time is pre-
dictable because the time taken by a single sensor is around
2.5 s (Figure 1(a)), which gives a T–CB around 56 s and a
T+CB around 64 s for 20 new nodes.
In Figure 4, we give a comparison between T–CB and
T+CB. The difference (some few seconds) represents the
time that sensors, having failed their first PK establish-
ment, make in order to send as much as possible other
agreement demands until establishing their PKs. There-
fore, connectivity is theoretically always 100%. However,
we see in the graph that the T+CB, for the group of 40
nodes, is not defined in the first and last topologies. This
is caused by the cyclical failures of PK establishment for
some nodes due to packet loss, more precisely feedback
229
Securing new nodes joining in wireless sensor networks T. Kenaza, O. Nait Hamoud and N. Nouali-Taboudjemat

Table V. Comparison between ACKM and the studied approaches.

Master key used Security Performance

Cloning attack
Authen- Pairwise
tication key Resilience Direct Indirect MAC Memory Communication

2 loc. trans. * NA
LEAP Yes Yes Good/weak* No/yes* Yes Yes 1 key (KIN )
+ 1 broad. to the SB
OTMK Yes Yes Good/weak* No/yes* Yes Yes 1 key (Hi ) 4 loc. trans. * NA
TBKM Yes Yes Good/weak* No/yes* Yes Yes i ) + M keys
1 key (KIN 2 loc. trans. * NA
TEKM Yes Yes Good/weak* No/yes* Yes Yes Gw keys 2 loc. trans. *NA
3 loc. trans. + (NA + 1)
ACKM No No Perfect No No No 2 keys (IK u and P) trans. to the SB * NS +
response of the SB * NS
NA, neighboring average; NS, number of hops to the SB; loc. trans., local transmission; broad., broadcast; LEAP, Localized Encryption and Authentication
Protocol; OTMK, opaque transitory master key; TBKM, time-based key management; TEKM, toward enhanced key management; ACKM, anticlone key
management scheme.
* When the initial key is compromised.

implosion. These failures can be justified by the density
of the network that AODV parameters (size of the routing
table, the frequency of Route REQuest (RREQ) retrans-
missions, etc.) cannot support. We note that these problems
are not confined only to our protocol. Several security
protocols in WSN are facing the same problems [3].
In Table V, we compare our solution with the stud-
ied approaches based on security and performance criteria.
All these schemes use master keys in the authentication
of nodes and the establishment of PKs, which presents a
serious vulnerability if nodes are compromised. However,
in ACKM, authentication and PK establishment are super-
vised by the BS. In addition, ACKM does not use MAC.
Thus, it preserves a lot of energy because each neighbor
node does not need to authenticate itself using MAC as it
is used in the other schemes. Regarding the communica-
tion overhead, we note that ACKM requires a little more
communication compared with the other approaches.
6. CONCLUSION
In this paper, we present a centralized approach that allows
us to securely add nodes to an existing network without any
risk of compromise. Our solution is based on an agreement
that the BS should give a PK to a new node to share with its
neighbors. The mutual authentication is guaranteed using
the digital signature of the BS and the individual key of the
new node. To avoid the dissimulation of malicious nodes
among the new node neighbors, these latter are implied
in the joining process by sending an encrypted notifica-
tion to the BS. Our solution, like any centralized approach,
suffers from the lack of scalability. To avoid this prob-
lem, we can use a distributed solution (such as LEAP+ or
R-LEAP+ [3,14]) in the first deployment of a large WSN.
However, the maintenance operations must be carried out
by our approach if we want to eliminate the cloning attack.
Furthermore, with the technological advances in recent
years, the capacities of sensors have intensively improved.
This leads us to spend a little more in terms of commu-
nication and energy to gain more in terms of security. On
the other hand, the number of nodes to be added in mainte-
nance operations represents a small percentage compared
with the network size.
Finally, we can say that our solution, ensures perfect
resilience, since the compromising of a node does not
allow an attacker to compromise further communication
links other than those directly used by the compromised
node. In addition, our solution contributes significantly to
detect identities hijacking.
As a future work, we are currently working to enhance
the scalability of our approach by adopting some hierarchi-
cal architecture. In this new scheme, nodes can be grouped
into clusters, and the BS can delegate its authority to clus-
ter heads. Therefore, all cluster heads can play the role of
the BS, and so the amount of maintenance operations will
significantly decrease.
REFERENCES
1. Zhang J, Varadharajan V. Wireless sensor network
key management survey and taxonomy. Journal of
Network and Computer Applications 2010; 33 (2):
63–75.
2. Parno B, Perrig A, Gligor V. Distributed detection
of node replication attacks in sensor networks, 2005
IEEE Symposium on Security and Privacy, IEEE,
2005; 49–63.
3. Zhu S, Setia S, Jajodia S. LEAP+: efficient secu-
rity mechanisms for large-scale distributed sensor net-
works. ACM Transactions on Sensor Networks (TOSN)
2006; 2(4): 500–528.

230 Security Comm. Networks 2015; 8:220–231 © 2014 John Wiley & Sons, Ltd.
DOI: 10.1002/sec
T. Kenaza, O. Nait Hamoud and N. Nouali-Taboudjemat
4. Deng J, Hartung C, Han R, Mishra S. A practical study
of transitory master key establishment for-wireless
sensor networks. Security and Privacy for Emerging
Areas in Communications Networks, 2005, First Inter-
national Conference on SecureComm 2005, IEEE,
2005; 289–302.
5. Jang J, Kwon T, Song J. A time-based key manage-
ment protocol for wireless sensor networks. In Infor-
mation Security Practice and Experience. Springer:
Berlin Heidelberg, 2007; 314–328.
6. Tian B, Han S, Liu L, Khadem S, Parvin S. Towards
enhanced key management in multi-phase Zigbee net-
work architecture. Computer Communications 2012;
35(5): 579–588.
7. Fanian A, Berenjkoub M, Saidi H, Aaron Gulliver T.
A high performance and intrinsically secure key estab-
lishment protocol for wireless sensor networks. Com-
puter Networks 2011; 55(8): 1849–1863.
8. Du W, Deng J, Han YS, Varshney PK, Katz J,
Khalili A. A pairwise key predistribution scheme for
wireless sensor networks. ACM Transactions on Infor-
mation and System Security (TISSEC) 2005; 8 (2):
228–258.
9. Perrig A, Szewczyk R, Tygar J, Wen V, Culler DE.
Spins: security protocols for sensor networks. Wireless
Networks 2002; 8(5): 521–534.
10. Manivannan D. WSN: key issues in key manage-
ment schemes—a review. Research Journal of Applied
Sciences, Engineering and Technology 2012; 4 (18):
3188–3200.
11. Du W, Deng J, Han YS, Chen S, Varshney PK. A
key management scheme for wireless sensor net-
Security Comm. Networks 2015; 8:220–231 © 2014 John Wiley & Sons, Ltd.
DOI: 10.1002/sec
Securing new nodes joining in wireless sensor networks
works using deployment knowledge, INFOCOM 2004.
Twenty-third Annual Joint Conference of the IEEE
Computer and Communications Societies, vol. 1,
IEEE, 2004.
12. Eschenauer L, Gligor VD. A key-management scheme
for distributed sensor networks, Proceedings of the 9th
ACM Conference on Computer and Communications
Security, ACM, 2002; 41–47.
13. Shorey R, Anandab A, Chan MC, Ooi WT. Mobile,
Wireless, and Sensor Networks: Technology, Appli-
cations, and Future Directions. Wiley & Sons, Inc.:
Hoboken, New Jersey, 2006.
14. Blackshear S, Verma RM. R-LEAP+: randomizing
LEAP+ key distribution to resist replay and jamming
attacks, Proceedings of the 2010 ACM Symposium on
Applied Computing, ACM, 2010; 1985–1992.
15. Levis P, Lee N, Welsh M, Culler D. TOSSIM: accurate
and scalable simulation of entire tinyOS applications,
Proceedings of the 1st International Conference on
Embedded Networked Sensor Systems, ACM, 2003;
126–137.
16. Toldo P, Saloni M, Manica N. AES implementation in
tinyOS 2008.
17. Liu A, Tinyecc NP. A configurable library for ellip-
tic curve cryptography in wireless sensor networks,
International Conference on Information Processing
in Sensor Networks, 2008. IPSN08, IEEE, 2008;
245–256.
18. Das SR, Belding-Royer EM, Perkins CE. Ad hoc on-
demand distance vector (AODV) routing 2003.
19. Khemapech I. Environmental monitoring WSN, envi-
ronmental monitoring. InTech, 2011.
231