Secure Walking GPS: A Secure Localization and Key Distribution Scheme for Wireless Sensor Networks

Transcription

1 Secure Walkng GPS: A Secure Localzaton and Key Dstrbuton Scheme for Wreless Sensor Networks Q M, John A. Stankovc, Radu Stoleru 2 Department of Computer Scence, Unversty of Vrgna, USA 2 Department of Computer Scence and Engneerng, Texas A&M Unversty, USA {qm, stankovc}@cs.vrgna.edu, 2 [email protected] ABSTRACT In many applcatons of wreless sensor networks, sensor nodes are manually deployed n hostle envronments where an attacker can dsrupt the localzaton servce and tamper wth legtmate n-network communcaton. In ths paper, we ntroduce Secure Walkng GPS, a secure localzaton and key dstrbuton soluton for manual deployments of WSNs. Usng the locaton nformaton provded by the GPS and nertal gudance modules on a specal master node, Secure Walkng GPS acheves accurate node localzaton and locaton-based key dstrbuton at the same tme. Our analyss and smulaton results ndcate that the Secure Walkng GPS scheme makes a deployed WSN resstant to the Dolev- Yao, the wormhole, and the GPS-denal attacks, has good localzaton and key dstrbuton performance, and s practcal for large-scale WSN deployments. Categores and Subject Descrptors C.2.0 [Computer-Communcaton Networks]: General- Securty and protecton, (e.g., frewalls) General Terms Algorthm, Desgn, Securty Keywords wreless sensor network, secure localzaton, key dstrbuton. INTRODUCTION Wreless sensor networks (WSNs) are wdely used n medcal, mltary, and envronmental montorng applcatons. A future WSN mght consst of hundreds to thousands of deployed sensor nodes whch are expected to self-organze nto an autonomous network, perform desred sensng tasks, and react properly to the envronment or specfc events. Localzaton s one of the most mportant servces provded by a WSN, because n most applcatons we are nterested not only n the types of events that have taken place, Permsson to make dgtal or hard copes of all or part of ths work for personal or classroom use s granted wthout fee provded that copes are not made or dstrbuted for proft or commercal advantage and that copes bear ths notce and the full ctaton on the frst page. To copy otherwse, to republsh, to post on servers or to redstrbute to lsts, requres pror specfc permsson and/or a fee. WSec 0, March 22 24, 200, Hoboken, New Jersey, USA. Copyrght 200 ACM /0/03...$0.00. but also n where the events have taken place. When a WSN s manually deployed n a potentally hostle envronment and left unattended for a long perod of tme, t s vulnerable to varous attacks durng and after ts deployment. For example, an attacker may try to steal senstve data from the legtmate messages, to nject false messages nto the network, or to dsrupt the normal operaton of WSN servces and applcatons. Therefore, to ensure that a WSN operates as expected, t s crucal that WSN desgners consder potental attacks and nclude countermeasures n ther desgns. In ths work, we focus on three typcal types of attacks: the Dolev-Yao, the wormhole, and the GPS-denal attacks, and present an ntegral soluton to secure localzaton and key dstrbuton n manual deployments of large-scale WSNs. The major contrbutons of ths work are: () an extenson to Walkng GPS [5], makng t secure aganst the three aforementoned attacks; (2) an ntegrated localzaton and key dstrbuton protocol that keeps key sets on deployed nodes very small; thereby meetng memory constrants, and ensures network communcaton connectvty and protecton aganst wormhole attacks; (3) a securty analyss demonstratng the correctness of our soluton; and (4) a performance evaluaton usng parameters from a real WSN deployment, whch demonstrates: a hgh localzaton accuracy, that almost all nodes are localzed, the excellent scalng propertes to networks of at least sze 000, the excellent performance even n the presence of realstc rregular communcaton ranges, and low overhead. 2. SECURE WALKING GPS Walkng GPS [5] s a practcal localzaton scheme for manually deployed WSNs. However, t suffers from Dolev- Yao, wormhole and GPS-denal attacks due to lack of adequate securty protecton. Our soluton to ths s Secure Walkng GPS, an extenson to Walkng GPS, that securely localzes sensor nodes and dstrbutes carefully chosen communcaton keys to nodes beng deployed. Secure Walkng GPS also uses a master node durng node deployment, whch obtans ts current locaton and sends t to each newly deployed sensor node wrelessly. However, Secure Walkng GPS s dfferent from Walkng GPS n two key aspects: () Communcaton keys, for neghborhood communcaton, are effcently dstrbuted to sensor nodes durng the node localzaton process. These communcaton keys help the WSN effectvely resst the Dolev-Yao and the wormhole attacks durng and after the deployment. (2) An nertal gudance (IG) module complements the functon of GPS on the master node. The IG module uses

2 moton sensors to contnuously capture the orentaton and velocty of the deployer, and estmates ts locaton va dead reckonng. Snce the IG module does not depend on external resources, t s always avalable and t serves as a backup source of current locaton durng a GPS-denal attack. 2. Attack Model The goal of an attacker s to mslead sensor nodes nto obtanng false locatons and also threaten locaton-dependent servces such as trackng and routng. We explore three types of WSN attacks whch are typcal and the most threatenng to localzaton, namely the Dolev-Yao attack, the wormhole attack and the GPS-denal attack. In a Dolev-Yao attack, an attacker can overhear, ntercept, and synthesze any message and s only lmted by the constrants of the cryptographc methods used [3]. A Dolev-Yao attack compromses the authentcty, legtmacy and confdentalty of messages. In a wormhole attack, an attacker creates a lnk between two dstant locatons, tunnels legtmate messages from one end of the lnk to the other end, and replays them there. A wormhole attacker attempts to make sensor nodes appear closer than they really are, volatng the communcaton range constrant. It can compromse the second phase of Walkng GPS where node collaboraton s nvolved. In a GPS-denal attack, GPS sgnals are ntermttently lost due to physcal obstacles or purposeful jammng. Ths also poses an ssue for Walkng GPS, as the master node derves ts locaton solely based on the GPS sgnals. 2.2 Assumptons We assume that there s an attack-free base staton located behnd the deployment feld, where t s secure to perform any necessary pre-deployment operaton, such as downloadng program code and dstrbutng an ntal key to each sensor node. However, the actual deployment takes place n a two-dmensonal nfrastructure-less feld consstng of open spaces and heavy woods (as physcal obstacles). Sensor nodes do not know whch other nodes would become ther neghbors untl after they are actually deployed. Also, we assume that the GPS sgnals are not always avalable durng the deployment, ether because of temporary lack of Lneof-Sght GPS sgnals due to the surroundng envronment, or because of purposeful GPS-denal attacks. We assume that the master node s a powerful node and t wll not be compromsed by any attack. We assume that the IG module s always avalable and t provdes trustworthy readngs. We also assume that when GPS sgnals are avalable, they are trustworthy. These assumptons are reasonable, because an IG module reles on ts own moton sensors to nfer ts locaton, and a mltary GPS devce usually has ant-spoofng capabltes. 2.3 Desgn Detals 2.3. Pre-Deployment Secure Walkng GPS begns wth a pre-deployment phase n the secure base staton, whose man am s to dstrbute a unque deployment key to every sensor node n order to bootstrap the secure communcaton between the master node and each of the sensor nodes durng the deployment. It s best practce to keep the master node turned on durng the entre pre-deployment, but allow only one sensor node to be turned on at any tme (.e., so that t can obtan Table : Cryptographc Notatons Notaton Meanng M the master node s the -th deployed sensor node A B : msg A sends the msg to B msg msg 2 the concatenaton of msg and msg 2 msg msg n plan text {msg} k the encrypton of msg wth k k D the deployment key dstrbuted to s K C the set of m communcaton keys, (k,l C where l =,m) dstrbuted to s NID(node) the d of node KID(k) the key d of k a deployment key). Ths not only saves the energy of sensor nodes, but also prevents potental nterference between sensor nodes. For management purposes, the master node saves all dstrbuted deployment keys, whch can be ndexed by ther key ds, n a non-volatle memory so that they are retaned even f the master node s turned off. The master node also mantans a lst of <node-d, deployment-key-d> entres, mappng each dstrbuted deployment key to one sensor node to whch ths key has been dstrbuted. In the followng, we use the notatons descrbed n Table. Snce the pre-deployment s done n the secure base staton, deployment keys can be dstrbuted n plan text: s M :NID(s ) REQ PRE DEPLOYMENT M s :NID(M) k D s M :NID(s ) ACK PRE DEPLOYMENT Asensornodes sends a message to the master node M, contanng ts node d and a REQ PRE DEPLOYMENT request to ask for ts deployment key, f t has not successfully obtaned one from M before. When M receves t, M checks whether a deployment key has already been dstrbuted to s earler, by checkng the <node-d, deployment-key-d> entres. If no entry maps to s, M generates a new random deployment key k D and sends t to s. Meanwhle, M adds a correspondng <node-d, deployment-key-d> entry for s. If, on the other hand, M fnds out that a deployment key has been dstrbuted to s earler, M resends that key to s.ths desgn prevents M from generatng and dstrbutng dfferent deployment keys to s when s s nadvertently turned off and on multple tmes durng pre-deployment. Once s obtans k D, t saves t n ts non-volatle memory for later use and reples to M wth an acknowledgement message. Snce each deployment key s unque and s known only by the master node and one sensor node, further messages between the master node and each sensor node can be encrypted, provdng cryptographc protecton for the vulnerable wreless communcaton durng the deployment Deployment A. Secure Localzaton After the preparaton n the pre-deployment phase, the master node and the sensor nodes are taken to the deployment feld. Durng the deployment, the master node remans turned on. Sensor nodes are n the proxmty of the master node and are, n arbtrary order, turned on and deployed one after another. A sensor node s communcates wth the master node M usng the followng protocol to obtan ts

3 locaton and the set of m communcaton keys securely: s M :NID(s ) {REQ DEPLOYMENT} k D M s :NID(M) {locaton} k D { } k C,,k,2, C,k,m C k D s M :NID(s ) {ACK DEPLOYMENT} k D After ntalzaton, s sends a message to M, contanng ts node d and a REQ DEPLOYMENT request. Note that the REQ DEPLOYMENT request s encrypted usng s s deployment key k D,butthesourcedssentnplantextso that the master node can use t to look up k D from ts own memory and decrypt the request message usng t. Then M reples wth messages to s,nwhchm s source d s sent n plan text, but the locaton and the m communcaton keys for s are encrypted usng k D.Ifs receves them, t securely acknowledges success to the master node. In a WSN deployment usng Secure Walkng GPS, sensor nodes are physcally close to the master node at the tme of deployment. Therefore, t s reasonable for a sensor node to take on the master node s current locaton, when the node s deployed. Gven the relatvely hgh accuracy of GPS, locatons provded by the GPS module are preferred. Only when the GPS module fals to work due to ntermttent or temporary loss of GPS sgnals wll the locatons provded by the IG module be used as a backup. Also note that, snce the error of the locaton estmates provded by the IG module alone s lkely to accumulate f no remedal measure s taken, the IG module needs to be calbrated perodcally wth the GPS module, whenever the GPS sgnals are avalable. Through the use of GPS and IG modules, all the sensor nodes can be localzed at the tme of ther deployment. No further collaboraton among neghbors s needed for localzaton. Ths elmnates a potental securty vulnerablty that could occur f collaboraton were needed. B. Locaton-Based Key Dstrbuton In addton to a locaton, a set of m communcaton keys s dstrbuted to each sensor node when t s deployed so that t can have secure communcaton wth neghborng nodes. The choce of communcaton keys to make up the key set s determned by master node at real tme durng deployment, based on the estmated locatons of the current sensor node and all sensor nodes whch have been deployed earler. Our key dstrbuton scheme ensures that every deployed node shares at least one communcaton key wth one or more of ts neghbors, enablng them to communcate securely usng the shared key(s). Note, whle our scheme does not guarantee that a sensor node shares a communcaton key wth every neghbor, t attempts to allow a sensor node to share communcaton keys wth as many dfferent neghbors as possble, makng t better connected wth ts neghbors. We enforce two rules for our locaton-based key dstrbuton and present the algorthms n Algorthms and 2. Dstance Boundng Rule: Two sensor nodes can share a communcaton key only f they are physcal neghbors. Connectvty Rule: Each sensor node needs to share a communcaton key wth at least one of ts already deployed physcal neghbors so as to ensure neghbor connectvty. In Secure Walkng GPS, the master node mantans a large key pool P,fromwhchm communcaton keys are carefully chosen and dstrbuted to each sensor node securely usng Ths means that nodes far apart do not share communcaton keys. Ths s mportant n protectng the WSN aganst the wormhole attack. Algorthm Locaton-based Key Dstrbuton : for all k C j n P do 2: k C j.state never-dstrbuted 3: end for 4: S = φ 5: deploy node s 6: K C {m never-dstrbuted keys from P } 7: M transmts key set K C to node s 8: P K C 9: for all k C j n P do 0: k C j.state dstrbutable : end for 2: for from 2 to n do 3: deploy node s 4: S = S {s } = {s,s 2,,s } 5: K C GET KEYS(S,P,P ) 6: M transmts key set K C to node s 7: P P K C 8: for all k C j n P do 9: k C j.state dstrbutable 20: end for 2: end for ther respectve deployment keys. Each communcaton key n P s randomly generated and unque. It s ndexed by a communcaton key d and can be n one of three possble states: never-dstrbuted, dstrbutable and non-dstrbutable. Intally, all have ther states set to never-dstrbuted. Choosng the set of communcaton keys for the frst sensor node s s trval. The master node smply chooses m keys wth a never-dstrbuted state from P and securely transmts them to s. Then the master node sets the states of these m keys to dstrbutable so that they may be shared by sensor nodes whch are deployed later and become s s neghbors. For each subsequent sensor node s ( = 2,n)deployed,the master node M goes through the followng steps to determne whch communcaton keys should be chosen for t. Step : Fnd s s physcal neghbors from the set of sensor nodes that have already been deployed. M frst calculates d,j, the dstances between s and sensor nodes s j (j =, ) based on ther locatons reported by the GPS or IG modules. Then, M attemps to communcate wth each of them securely usng ther respectve deployment keys. If a sensor node s j s unreachable and does not reply, M updates the correspondng dstance d,j to +. M sorts these dstances n ascendng order and parttons the set of already deployed nodes S = {s,s 2,,s } nto A and B,whereA = {s σ(j) d,σ(j) <r M can communcate wth s j} and B = S A. Note that, due to the actual rregular rado patterns (whch are common n WSNs), some sensor nodes n B may be able to communcate wth M as well. However, we take a conservatve approach and only consder the physcal neghbors that le wthn s s theoretcal communcaton range r. Step 2: Set the states of all the communcaton keys whch have been dstrbuted to the sensor nodes n B to non-dstrbutable, n order to satsfy the Dstance Boundng Rule. Step 3: Determne whch m communcaton keys can be dstrbuted to s. If s s closest physcal neghbor s σ() has only one ds-

4 Algorthm 2 GET KEYS (S,P,P ) : for j from to do 2: Calculate d,j = s s j 3: end for 4: for j from to do 5: f M cannot communcate wth s j then 6: d,j + 7: end f 8: end for 9: {σ (l) l =, } = PERMUTATE{j j =, }, where d,σ(l) d,σ(l+) 0: S = A B, where A = {s σ(j) d,σ(j) < r M can communcate wth s j} and B = S A : for l from ( A +)to ( A + B ) do 2: for n from to m do 3: kσ C (l),n.state non-dstrbutable 4: end for 5: end for 6: num 0 7: K C φ 8: u 9: whle (num < m ) ( dstrbutable keys n P ) (u <) do 20: D = {kσ C (u),v v =,m kσ C (u),v.state = dstrbutable} 2: {δ (w) w =, D } = PERMUTATE{v v =, D }, where kσ C (u),δ (w).freq kσ C (u),δ (w+).freq 22: K C K C {kσ C (u),δ () } 23: num num + 24: f d,σ(u) r/2 then 25: for w from to D do 26: kσ C (u),δ (w).state non-dstrbutable 27: end for 28: else 29: kσ C (u),δ ().state non-dstrbutable 30: end f 3: u u + 32: end whle 33: K C K C {(m num) never-dstrbuted keys from P } 34: return K C trbutable communcaton key, M ncludes t n s s communcaton key set K C and sets ts state to non-dstrbutable. Otherwse, f s σ() has more than one dstrbutable communcaton key, M chooses the one that has been most frequently dstrbuted to s s physcal neghbors n A, ncludes t n K C, and then sets ts state to non-dstrbutable. If the dstance between s σ() and s s greater than or equal to r/2, M also changes the states of s σ() s remanng communcaton keys to non-dstrbutable. If, however, the dstance between s σ() and s s less than r/2, M does not make ths change. Ths ensures that s shares at most one communcaton key wth each of ts physcal neghbors whch are farther than r/2 away,sothats has a better chance to share communcaton keys wth more physcal neghbors. After the communcaton keys of s σ() have been consdered, M consders those of s s second, thrd,,closest physcal neghbors (s σ(2),s σ(3), ) untl (m ) dstrbutable communcaton keys from s s physcal neghbors are ncluded n K C or fewer than (m ) such dstrbutable communcaton keys are avalable to be ncluded. In ether case, remanng communcaton keys for s wll be chosen from the never-dstrbuted keys n P to make up K C. Note that M delberately ncludes at least one never dstrbuted communcaton key n K C so that s may share t wth future neghbors whch have not been deployed yet. The ensures that every node s able to securely communcate wth at least one physcal neghbor usng a common communcaton key wthout volatng the Dstance Boundng Rule. Step 4: Send the set of carefully chosen communcaton keys to s, securely usng ts deployment key. Step 5: Reset the states of all non-dstrbutable communcaton keys to dstrbutable before the next sensor node s deployed. In our key dstrbuton scheme, the total number of communcaton keys whch are dstrbuted to each node s denoted by m, whose value can be specfed by the deployer n the program code. Observe that f m s too small, the Dstance Boundng Rule and the Connectvty Rule may not be satsfed n arbtrary topology and deployment order of the sensor nodes. However, f m s too large, many of the communcaton keys may be redundant and take up much memory on resource-constraned sensor nodes. Therefore, a tradeoff exsts between the sze of a communcaton key set and the performance of the deployment. The followng theorem (proof provded n []) gves a theoretcal lower bound for m. For smplcty, we assume that each node has the same crcular communcaton range. Theorem. Let N be the maxmum number of neghbors of each sensor node, and m be the requred number of communcaton keys dstrbuted to each sensor node. Assumng that each node has the same crcular communcaton range, n order to satsfy the Dstance Boundng Rule and the Connectvty Rule n the arbtrary topology and arbtrary order of deployment, a lower bound of m s gven by: m mn(n) = { N f N 5 5 f N 6 Note that the smplfyng assumpton of crcular communcaton range s used n the theorem only to provde a general feel for how many communcaton keys each sensor node should obtan and whether they ft on resource-constraned sensor nodes. Accordng to ths theorem, 5 (fve) communcaton keys suffce n the deal case. Even n real envronments where the rado pattern s rregular, we don t expect m mn to ncrease much beyond 5. Our emprcal evaluaton results n [] confrm ths concluson Post-Deployment After the deployment, each sensor node has obtaned a locaton and m communcaton keys from the master node. Then the sensor nodes try to dscover ther useful neghbors, whch are wthn ther actual communcaton ranges and share at least one communcaton key. To do so, each sensor node repeatedly broadcasts messages that are encrypted usng each of ts communcaton keys. If s can hear a message from s j and decrypt t usng one of ts own communcaton keys, s reples to s j wth a message encrypted wth the same communcaton key. Ths process allows s and s j to dscover that the other node s a useful neghbor. As a result, subsequent communcaton between useful neghbors can be encrypted usng any of ther shared communcaton keys.

5 3. SECURITY ANALYSIS Resstance to Dolev-Yao Attack Accordng to our assumpton, the secure base staton s attack-free. Therefore, legtmate program code s downloaded and a unque deployment key s dstrbuted to each sensor node. Each unque deployment key s known only by the master node and one of the sensor nodes. Durng the deployment, all the messages transmtted between the master node and the sensor nodes are encrypted usng ther respectve deployment keys. Snce a Dolev-Yao attacker does not have a legtmate key, t s unable to decrypt these messages and steal senstve nformaton from them. It s unable to nject false messages ether, because these false messages are not encrypted usng proper keys and wll, therefore, be smply dropped by sensor nodes. Smlarly, the post-deployment neghbor dscovery process and all subsequent communcaton between neghbors are encrypted usng legtmate communcaton keys. Therefore, a Dolev-Yao attacker s not a sgnfcant threat. Even f an attacker obtans a legtmate deployment or communcaton key by chance, ts mpact s lmted because ether one s shared by only a small number of sensor nodes wthn a local regon accordng to Dstance Boundng Rule. Resstance to Wormhole Attack In Secure Walkng GPS, the master node and each of the sensor nodes are very close durng the deployment. Therefore, a wormhole attack that occurs at ths tme would have lmted effect. For post-deployment nter-node communcaton, the Dstance- Boundng Rule ensures that sensor nodes whch are geographcally located beyond ther communcaton ranges do not share a communcaton key. If a node receves a message from a remote node whch s tunneled through a wormhole lnk, t cannot process ths message snce t does not have a proper shared communcaton key to decrypt t. As a result, ths message wll be smply dropped. Snce the locatons provded by the master node are not perfectly accurate, a locaton estmated by the master node may dffer from the actual locaton. Consequently, the master node may consder two sensor nodes whose dstance s a lttle greater than ther communcaton range to be physcal neghbors and dstrbute shared communcaton keys to them, resultng n a potental wormhole lnk. However, ths vulnerablty s nsgnfcant. Frst, snce prortes are gven to the communcaton keys shared by closer neghbors when the master node determnes each communcaton key set, t s less lkely for two sensor nodes whch are barely neghbors to share a communcaton key. Therefore, the number of potental wormhole lnks s relatvely low, whch means that t s dffcult for a wormhole attacker to explot such vulnerablty. Second, even f an attacker launches a wormhole attack through one of the potental wormhole lnks, the threat s small snce the replayed message s tunneled to some pont that s a lttle farther away from where t can reach. Resstance to GPS-Denal Attack The IG module comes nto play when the GPS module does not work, makng our scheme resstant to the GPS-denal attack. 4. PERFORMANCE EVALUATION In ths secton, we study the robustness of our scheme to a GPS-denal attack and explore how lkely a wormhole attack may succeed, assumng that the rado pattern s regular 2. 2 An evaluaton of our scheme under the rregular rado pattern s provded n []. The average localzaton error s defnedby thecumulatve localzaton error of all the sensor nodes dvded by the total number of deployed sensor nodes n. Ideally, f a sensor node can communcate wth all of ts physcal neghbors usng some communcaton key, the rato of the number of ts useful neghbors to the number of ts physcal neghbors s. In realty, snce two physcal neghbors may not necessarly share a communcaton key and the fact that physcal neghbors may not be able to communcate due to localzaton errors, ths rato s usually less than. The closer ths rato s to, the better a sensor node s connected wth ts neghbors. We defne the average of such ratos for all sensor ( nodes as the average neghbor connectvty: N c = n ). n = #ofs s useful neghbors #ofs s physcal neghbors If two sensor nodes share a communcaton key and ther dstance s smaller than ther actual communcaton ranges (whch may be dfferent n two drectons due to the rregularty and asymmetry of wreless rado patterns), there exsts a legtmate lnk between them. If two sensor nodes share a communcaton key and ther dstance s greater than the theoretcal communcaton range r, there exsts a potental wormhole lnk between them. On the one hand, the total number of legtmate lnks s another ndcator of neghbor connectvty, because the greater t s, the hgher the chance neghborng sensor nodes can communcate. On the other hand, the total number of wormhole lnks and the percentage of the total number of potental wormhole lnks to the total number of legtmate lnks reflect the mpact of a potental wormhole attack. A small percentage suggests that the mpact of a wormhole attack s not severe to the network. To smulate real deployments, we adopt the parameters of VglNet [5], a real WSN survellance system. A network of n sensor nodes s deployed n an outdoor feld where the GPS sgnals are avalable to the master node wth a probablty p. Ths means that about p 00% of the nodes wll be localzed by the GPS module and about ( p) 00% wll be localzed by the IG module. Let the number of communcaton keys that each node obtans from the master node be 5, and assume that these keys can always be receved by each sensor node durng deployment. Let the localzaton error of the GPS module be unformly dstrbuted U(-.5,.5) meters. The localzaton error of the IG module s a combned result of the error of degree estmaton by the rotaton sensors and the error of tmely movement detecton by the acceleraton sensors. Let the rotaton sensor error be unformly dstrbuted U(-0,0) degrees, and the acceleraton sensor error result n a reducton of dstance estmaton of the deployer s path between consecutve sensor nodes whch s unformly dstrbuted U(0,3) meters. Let the regular communcaton range of each sensor node r be 30 meters. Consder three typcal deployment scenaros wth a regular rado pattern: () A lne deployment of 500 nodes where the horzontal spacng between sensor nodes s normally dstrbuted N (0,2) meters, and the vertcal offset of each sensor node from the deployment lne s normally dstrbuted N (0,2) meters. (2) A grd deployment of 500 nodes where the horzontal spacng between sensor nodes s normally dstrbuted N (0,2), and the vertcal offset of each sensor node from each horzontal deployment lne s normally dstrbuted N (0,2). (3) A grd deployment, smlar to the second scenaro, except that n = 000. For each scenaro, we evaluate ts performance at p = 0.75, 0.80, 0.85, 0.90, 0.95,.00. For

6 Average Localzaton Error [meter] lne, n=500 grd, n=500 grd, n= p (a) Average Neghbor Connectvty lne, n=500 grd, n=500 grd, n= p (b) Total Number of Lnks lne, n=500, legtmate lne, n=500, wormhole grd, n=500, legtmate grd, n=500, wormhole grd, n=000, legtmate grd, n=000 wormhole p (c) Fgure : Smulaton Performance wth Regular Rado each p, we performed 30 runs of smulatons and calculated the average localzaton error, average neghbor connectvty, the total number of legtmate lnks, and the total number of potental wormhole lnks. Mean values wth one standard devatons for each of these metrcs are plotted n Fgure. We observed that our scheme rendered consstent performance n all three scenaros. There s a decrease n both the mean and the standard devaton of the average localzaton error as p ncreases. Whle the decrease n mean s because more nodes can be localzed usng the more accurate GPS module, the decrease n the standard devaton s explaned by the fact that the smaller the porton of the nodes whch are localzed usng the IG module, the less the mpact of ts cumulatve errors due to more often calbratons wth the GPS module durng the deployment. The average neghbor connectvtes roughly range between [0.7, 0.96], and they are an ncreasng functon of p, reflectng the mpact of localzaton errors on the key dstrbuton decsons. Also, the number of potental wormhole lnks s qute low, compared to that of legtmate lnks n the same scenaro (the rato ranges from 2.5% to 0%), meanng that a wormhole attacker has a low chance of explotng a potental wormhole lnk and creatng an attack. Even f such an attack occurs, ts mpact would be small, due to the Dstance Boundng Rule. In Fgure, the error and connectvty curves correspondng to n = 500 and 000 n grd deployment are qute close to each other. The total number of legtmate lnks and the total number of potental wormhole lnks ncrease proportonally wth n, the sze of the WSN. They ndcate that our scheme s scalable for large-scale WSN deployments. 5. RELATED WORK WSNs are nherently vulnerable to varous attacks due to the nsecure nature of wreless communcaton and the severe resource constrants on sensor nodes. As a result, determnng node locatons n a hostle envronment s challengng. A lot of work has been done on secure localzaton for wreless sensor networks [2], [2], [7], [8], [3], [0], [4]. However, they ether make strong assumptons about the deployments or requre sophstcated and costly hardware support. Smlarly, there s sgnfcant work on key dstrbuton whch s the bass for secure communcaton between legtmate nodes [4], [], [9], [6]. They ether are non-determnstc, or requre the total number of nodes or nodes locatons be known n advance. Therefore, many of them are not practcal for real WSN deployments. 6. CONCLUSION In ths paper, we presented the desgn and evaluaton of Secure Walkng GPS, an ntegral soluton for secure localzaton and locaton-based key dstrbuton n large-scale and manually deployed WSNs. Secure Walkng GPS s practcal and low-cost, requres mnmal human nteracton durng the deployment, and makes the deployed WSN resstant to the Dolev-Yao, the wormhole, and the GPS-denal attacks. 7. ACKNOWLEDGMENT Ths work was supported, n part, by grants ARO W9NF , and NSF CNS REFERENCES [] S. Camtepe and B. Yener. Combnatoral desgn of key dstrbuton mechansms for wreless sensor networks. IEEE/ACM Transactons on Networkng, 5(2), [2] S. Capkun, M. Cagalj, and M. Srvastava. Securng localzaton wth hdden and moble base statons. In INFOCOM, [3] D. Dolev and A. Yao. On the securty of publc key protocols. IEEE Trans. Inf. Theory, 29(2), 983. [4] L. Eschenauer and V. Glgor. A key-management scheme for dstrbuted sensor networks. In CCS, [5] T. He, P. Vcare, T. Yan, L. Luo, L. Gu, G. Zhou, R. Stoleru, Q. Cao, J. Stankovc, and T. Abdelzaher. Achevng real-tme target trackng usng wreless sensor networks. In RTAS, [6] C.Kuo,M.Luk,R.Neg,andA.Perrg. Message-n-a-bottle: User-frendly and secure key deployment for sensor nodes. In SenSys, [7] L. Lazos and R. Poovendran. Serloc: Secure range-ndependent localzaton for wreless sensor networks. WSe, [8] L. Lazos and R. Poovendran. Hrloc: Hgh-resoluton robust localzaton for wreless sensor networks. IEEE Journal on Selected Areas n Communcatons, 24(2), [9] D. Lu and P. Nng. Locaton-based parwse key establshments for statc sensor networks. In SASN, [0] D. Lu, P. Nng, and W. K. Du. Attack-resstant locaton estmaton n sensor networks. In IPSN, [] Q. M, J. Stankovc, and R. Stoleru. Secure walkng gps: A secure localzaton and key dstrbuton scheme for wreless sensor networks. In Techncal Report, qm8e/papers/swgps-full.pdf. [2] T. Park and K. G. Shn. Attack-tolerant localzaton va teratve verfcaton of locatons n sensor networks. ACM Trans. on Embedded Computng Systems, 8(), Dec [3] R. Poovendran and L. Lazos. A graph theoretc framework for preventng the wormhole attack n wreless ad hoc networks. Wreless Networks, 3():27 59, January [4] R. Shokr, M. Poturalsk, G. Ravot, P. Papadmtratos, and J.-P. Hubaux. A practcal secure neghbor verfcaton protocol for wreless sensor networks. In WSec, [5] R. Stoleru, T. He, and J. Stankovc. Walkng GPS: A practcal soluton for localzaton n manually deployed wreless sensor networks. In LCN, 2004.