INSENS: Intrusion-tolerant routing for wireless sensor networks

Jing Deng *, Richard Han, Shivakant Mishra
Computer Science Department, University of Colorado at Boulder, Boulder, Colorado, USA

Received 24 May 2005; accepted 24 May 2005

Abstract

This paper describes an INtrusion-tolerant routing protocol for wireless SEnsor NetworkS (INSENS). INSENS securely and efficiently constructs tree-structured routing for wireless sensor networks (WSNs). The key objective of an INSENS network is to tolerate damage caused by an intruder who has compromised deployed sensor nodes and is intent on injecting, modifying, or blocking packets. To limit or localize the damage caused by such an intruder, INSENS incorporates distributed lightweight security mechanisms, including efficient one-way hash chains and nested keyed message authentication codes that defend against wormhole attacks, as well as multipath routing. Adapting to WSN characteristics, the design of INSENS also pushes complexity away from resource-poor sensor nodes towards resource-rich base stations. An enhanced single-phase version of INSENS scales to large networks, integrates bidirectional verification to defend against rushing attacks, accommodates multipath routing to multiple base stations, enables secure joining/leaving, and incorporates a novel pairwise key setup scheme based on transitory global keys that is more resilient than LEAP. Simulation results are presented to demonstrate and assess the tolerance of INSENS to various attacks launched by an adversary. A prototype implementation of INSENS over a network of MICA2 motes is presented to evaluate the cost incurred.

© 2005 Published by Elsevier B.V.

Keywords: Sensor network; Security; Intrusion tolerance; Fault tolerance; Secure routing

1. Introduction

Wireless sensor networks (WSNs) are rapidly growing in their importance and relevance to both the research community and the public at large.
WSNs are comprised of many small and highly resource-constrained sensor nodes that are distributed in an environment to collect sensor data and forward that data to interested users. Applications of WSNs are rapidly emerging and have become increasingly diverse, ranging from habitat monitoring [22] to indoor sensor networks [7], and from battlefield surveillance [4] to seismic monitoring of buildings.

Security is critical for a variety of sensor network applications, such as home security monitoring and military deployments. In these applications, each sensor node is highly vulnerable to many kinds of attacks, both physical and digital, due to each node's cost and energy limitations, wireless communication, and exposed location in the field. As a result, mechanisms to achieve both fault tolerance and intrusion tolerance are necessary for sensor networks.

Although intrusion tolerance has been studied in the context of wired networks [30,6,28,29,32], wireless sensor networks introduce a combination of threats that are not normally faced by wired networks. First, the broadcast nature of the wireless communication medium significantly enhances the capabilities of an adversary to eavesdrop, tamper with transmitted packets, and inject packets to initiate denial-of-service (DOS) attacks. These susceptibilities also apply to wireless LANs such as 802.11 and mobile ad hoc networks. Second, a sensor node is highly resource constrained, with limited energy lifetime, low-power micro-sensors and actuators, slow embedded processors, limited memory, and low-bandwidth radio communication. This limits the ability for sensor nodes to perform computation-intensive public key cryptography such as RSA [27,11], though elliptic curve cryptography offers a promising course of research [23]. Also, the relatively weak defenses of sensor nodes are susceptible to external attacks by much stronger adversaries equipped with more powerful computing and communication equipment.

Computer Communications xx (xxxx) 1–15
www.elsevier.com/locate/comcom
0140-3664/$ - see front matter © 2005 Published by Elsevier B.V.
doi:10.1016/j.comcom.2005.05.018
* Corresponding author. E-mail addresses: jing@cs.colorado.edu (J. Deng), rhan@cs.colorado.edu (R. Han), mishras@cs.colorado.edu (S. Mishra).