<%BANNER%>

Security in Wireless Sensor Networks

Permanent Link: http://ufdc.ufl.edu/UFE0021161/00001

Material Information

Title: Security in Wireless Sensor Networks
Physical Description: 1 online resource (213 p.)
Language: english
Creator: Zhou, Yun
Publisher: University of Florida
Place of Publication: Gainesville, Fla.
Publication Date: 2007

Subjects

Subjects / Keywords: Electrical and Computer Engineering -- Dissertations, Academic -- UF
Genre: Electrical and Computer Engineering thesis, Ph.D.
bibliography   ( marcgt )
theses   ( marcgt )
government publication (state, provincial, terriorial, dependent)   ( marcgt )
born-digital   ( sobekcm )
Electronic Thesis or Dissertation

Notes

Abstract: Rapid advances in wired/wireless networking technology are gradually expanding the realm of ubiquitous high-speed network access. Such a process also encounters more and more threats and attacks from those who exploit vulnerabilities in networks. This has been motivating research on security in wireless networks. Key establishment is the first step to develop all the other security mechanisms, because most security protocols depend on keys to operate correctly and provide desirable security performance. In my research, a scalable and deterministic key agreement model based on a multivariate polynomial and a multidimensional grid-based network topology was developed to enable key establishment in large scale networks with very low memory cost. I will show that my model can achieve the memory cost of several orders lower than the number of nodes in the network, while traditional models have the memory cost at the same order as the network size. My model has found applications in wireless sensor networks to establish hop-to-hop keys and end-to-end keys. In addition, I also proposed an access control protocol based on elliptic curve cryptography (ECC) for wireless sensor networks, which accomplishes node authentication and key establishment for new nodes. Different from conventional authentication methods, my protocol can defend against most well-recognized attacks in wireless sensor networks, and achieve better computation and communication performance due to the more efficient algorithms based on ECC. Authentication is critical to ensure the origin of a multicast stream in hostile environments. Conventional block-based schemes suffer from drawbacks such as vulnerability to packet loss, authentication latency and Denial of Service (DoS) attacks. In my research, I developed a novel multicast authentication scheme based on batch signatures. In particular, each packet in a stream is attached with a signature. The receiver authenticates multiple packets by checking their signatures through only one verification operation. I proposed three implementations including two novel batch signature schemes. My approach can achieve computational efficiency while avoiding the drawbacks of conventional block-based schemes. I also proposed a broadcast authentication protocol for wireless sensor networks based on symmetric key techniques. Compared with the conventional symmetric key solutions, my scheme does not require time synchronization, eliminates the requirement of key chain, supports broadcast for infinite rounds, and is efficient due to the use of symmetric key techniques. IEEE 802.16 (worldwide interoperability for microwave access, or WiMAX) is seen as a promising technology for next generation broadband wireless access, while security issues also draw the intentions in the literature. In my research, I analyzed the IEEE 802.16 standard and found out that though IEEE 802.16 provides some security measures in conventional one-hop networks, it is very vulnerable to malicious attacks in multihop environments such as wireless mesh networks. In order to strength the defense of IEEE 802.16 in mesh networks, I proposed a mesh-certificate-based access control and authentication scheme for WiMAX-based mesh networks.
General Note: In the series University of Florida Digital Collections.
General Note: Includes vita.
Bibliography: Includes bibliographical references.
Source of Description: Description based on online resource; title from PDF title page.
Source of Description: This bibliographic record is available under the Creative Commons CC0 public domain dedication. The University of Florida Libraries, as creator of this bibliographic record, has waived all rights to it worldwide under copyright law, including all related and neighboring rights, to the extent allowed by law.
Statement of Responsibility: by Yun Zhou.
Thesis: Thesis (Ph.D.)--University of Florida, 2007.
Local: Adviser: Fang, Yuguang.

Record Information

Source Institution: UFRGP
Rights Management: Applicable rights reserved.
Classification: lcc - LD1780 2007
System ID: UFE0021161:00001

Permanent Link: http://ufdc.ufl.edu/UFE0021161/00001

Material Information

Title: Security in Wireless Sensor Networks
Physical Description: 1 online resource (213 p.)
Language: english
Creator: Zhou, Yun
Publisher: University of Florida
Place of Publication: Gainesville, Fla.
Publication Date: 2007

Subjects

Subjects / Keywords: Electrical and Computer Engineering -- Dissertations, Academic -- UF
Genre: Electrical and Computer Engineering thesis, Ph.D.
bibliography   ( marcgt )
theses   ( marcgt )
government publication (state, provincial, terriorial, dependent)   ( marcgt )
born-digital   ( sobekcm )
Electronic Thesis or Dissertation

Notes

Abstract: Rapid advances in wired/wireless networking technology are gradually expanding the realm of ubiquitous high-speed network access. Such a process also encounters more and more threats and attacks from those who exploit vulnerabilities in networks. This has been motivating research on security in wireless networks. Key establishment is the first step to develop all the other security mechanisms, because most security protocols depend on keys to operate correctly and provide desirable security performance. In my research, a scalable and deterministic key agreement model based on a multivariate polynomial and a multidimensional grid-based network topology was developed to enable key establishment in large scale networks with very low memory cost. I will show that my model can achieve the memory cost of several orders lower than the number of nodes in the network, while traditional models have the memory cost at the same order as the network size. My model has found applications in wireless sensor networks to establish hop-to-hop keys and end-to-end keys. In addition, I also proposed an access control protocol based on elliptic curve cryptography (ECC) for wireless sensor networks, which accomplishes node authentication and key establishment for new nodes. Different from conventional authentication methods, my protocol can defend against most well-recognized attacks in wireless sensor networks, and achieve better computation and communication performance due to the more efficient algorithms based on ECC. Authentication is critical to ensure the origin of a multicast stream in hostile environments. Conventional block-based schemes suffer from drawbacks such as vulnerability to packet loss, authentication latency and Denial of Service (DoS) attacks. In my research, I developed a novel multicast authentication scheme based on batch signatures. In particular, each packet in a stream is attached with a signature. The receiver authenticates multiple packets by checking their signatures through only one verification operation. I proposed three implementations including two novel batch signature schemes. My approach can achieve computational efficiency while avoiding the drawbacks of conventional block-based schemes. I also proposed a broadcast authentication protocol for wireless sensor networks based on symmetric key techniques. Compared with the conventional symmetric key solutions, my scheme does not require time synchronization, eliminates the requirement of key chain, supports broadcast for infinite rounds, and is efficient due to the use of symmetric key techniques. IEEE 802.16 (worldwide interoperability for microwave access, or WiMAX) is seen as a promising technology for next generation broadband wireless access, while security issues also draw the intentions in the literature. In my research, I analyzed the IEEE 802.16 standard and found out that though IEEE 802.16 provides some security measures in conventional one-hop networks, it is very vulnerable to malicious attacks in multihop environments such as wireless mesh networks. In order to strength the defense of IEEE 802.16 in mesh networks, I proposed a mesh-certificate-based access control and authentication scheme for WiMAX-based mesh networks.
General Note: In the series University of Florida Digital Collections.
General Note: Includes vita.
Bibliography: Includes bibliographical references.
Source of Description: Description based on online resource; title from PDF title page.
Source of Description: This bibliographic record is available under the Creative Commons CC0 public domain dedication. The University of Florida Libraries, as creator of this bibliographic record, has waived all rights to it worldwide under copyright law, including all related and neighboring rights, to the extent allowed by law.
Statement of Responsibility: by Yun Zhou.
Thesis: Thesis (Ph.D.)--University of Florida, 2007.
Local: Adviser: Fang, Yuguang.

Record Information

Source Institution: UFRGP
Rights Management: Applicable rights reserved.
Classification: lcc - LD1780 2007
System ID: UFE0021161:00001


This item has the following downloads:


Full Text
xml version 1.0 encoding UTF-8
REPORT xmlns http:www.fcla.edudlsmddaitss xmlns:xsi http:www.w3.org2001XMLSchema-instance xsi:schemaLocation http:www.fcla.edudlsmddaitssdaitssReport.xsd
INGEST IEID E20101207_AAAAAT INGEST_TIME 2010-12-07T07:14:14Z PACKAGE UFE0021161_00001
AGREEMENT_INFO ACCOUNT UF PROJECT UFDC
FILES
FILE SIZE 2676 DFID F20101207_AAALTT ORIGIN DEPOSITOR PATH zhou_y_Page_213thm.jpg GLOBAL false PRESERVATION BIT MESSAGE_DIGEST ALGORITHM MD5
094ef33f5fa378979bb949d1210e0217
SHA-1
61c44e19b6fd2a8ebc48acd362e89620dfaef078
585126 F20101207_AAAKRF zhou_y_Page_145.jp2
bf34c85f1a08ad71c53c5422568d1177
bce156e43fcb231c6b00ef95a6c3894b4ad99d43
71931 F20101207_AAAKQR zhou_y_Page_121.jp2
bcaa36343b644383c806de0f08db477d
9b69be4f664a4c9de5d38d7fb81567451a5b150c
1051933 F20101207_AAAKRG zhou_y_Page_147.jp2
c5b2a3297a0a8ac1480b3b01d940ba65
81320693c3b1f5c09268a3f334c10b0f69351136
11832 F20101207_AAALTU zhou_y_Page_213.QC.jpg
59093bdb33abb1fe4b84545274439756
d95b17fbcefadd2add7878758942ddb385876278
1051974 F20101207_AAAKRH zhou_y_Page_149.jp2
99bf033c210cd0332d1c0eb5983a992d
a2c8609256cb1c4ca6b02fb80d8ad3b0d03baf14
1051969 F20101207_AAAKQS zhou_y_Page_122.jp2
cb92e64f3b50e72444a80df7f514e80e
e9ed30242f42d4da84713bff9b1a790aa473f650
242571 F20101207_AAALTV UFE0021161_00001.mets FULL
918b5b27fc8dfe0256538a768801a0a8
00e2a795c5fe688d2605e66a1088dfbad9c90b18
1051939 F20101207_AAAKRI zhou_y_Page_151.jp2
00307a0e037b6eaf5e86f50944f6f401
2f48edaae19d6a89556cab9b414b8b4ef0806787
1051982 F20101207_AAAKQT zhou_y_Page_123.jp2
2d6d141b541986b0ad90ee026c63cf8a
0d14a6ac9dcbe102894f0febf7bbd8aa14bb36f8
96702 F20101207_AAAKRJ zhou_y_Page_152.jp2
cc25d0a9d94787de4a1f76f6763f7614
437958c00f8cea1d80250bcc8b6cebfed3799cba
1051946 F20101207_AAAKQU zhou_y_Page_126.jp2
e215b3185bc84d549ce868f689f35c24
725ca2fc7b3d757ad99ce166eeff8026ef0858d9
64199 F20101207_AAAJOI zhou_y_Page_039.jpg
aaa691515508b87bf00e26c52c2db3f1
fd68e37da8c554a8e353b48402f4b2a8679f2486
994461 F20101207_AAAKRK zhou_y_Page_153.jp2
b86d31f428edded04c549962961707a2
91f2dec2ed7194d2f5ce7a57911b39a882250e57
1051977 F20101207_AAAKQV zhou_y_Page_128.jp2
441e0d433e820ab9752155ae7709edc3
82753f848dad55bc77a6ca546bf3e61f9e3a70f0
37162 F20101207_AAAJOJ zhou_y_Page_120.QC.jpg
a50b5fd2a6b13094523f3789c509740d
b023201d5196fcf2158ab26e1618bef1d356678d
850399 F20101207_AAAKRL zhou_y_Page_154.jp2
4097d445c40286db9737f1c5d3fc7fb7
07c416778a011b5be2d54f6f7907e5d4550be83c
113014 F20101207_AAAKQW zhou_y_Page_130.jp2
a57ca5c1866e6d6537226cb7129f5c8c
2c0e9fe289e6a031ef460f4b35568c9146e05ddd
8658 F20101207_AAAJOK zhou_y_Page_202thm.jpg
5e2fcf850adec44b8c7c87fb839b4cee
8201f5e4d7b9892b7b386faa3cbfb064daed88e8
108368 F20101207_AAAKRM zhou_y_Page_156.jp2
ba1adc0f35770665b28d6d768dfc4060
26c09c230180d6c6de188ea78f9ab3e55f4e8090
1051959 F20101207_AAAKQX zhou_y_Page_132.jp2
e7c1f3e84064ffaaa0b4a013934ca171
8978ece4a8b400ec44350acbce3e4f17fc76eaae
1051980 F20101207_AAAKSA zhou_y_Page_174.jp2
85502a44fdded3b08bd73a4bf5f603e0
fbacf10ab1922e021920e2a65616e0b8224ac278
1051954 F20101207_AAAJOL zhou_y_Page_131.jp2
5238a4c149956f11aa4334a1edd11ec7
ba6d65e9548ed6590a961bb04bb17edba05df510
1051981 F20101207_AAAKRN zhou_y_Page_157.jp2
dd249699cc952e085c17c662a5c01784
74f589796514d737fb1f56d08eaa8c0d93c0a14c
1051945 F20101207_AAAKQY zhou_y_Page_134.jp2
0506a32035a590e53d70fb1c28b503af
75fc8b5f3e2af6712f8360dd2df0e844ef430c67
1051913 F20101207_AAAKSB zhou_y_Page_176.jp2
0e1ab9f3368490f1b0455aa3458d80d7
21aaed97c23161d47c3b497933057783a3fc5165
30155 F20101207_AAAJOM zhou_y_Page_011.pro
c7278e133701def13841a3754ac08243
a7c68a499c3e573e3544968c15ac0243bb900bc6
57413 F20101207_AAAKRO zhou_y_Page_158.jp2
e6721625c8e008196fc83c91b5694da3
1e6dcf349b17cc3cf2d7b44a705aadc381d03aaf
592825 F20101207_AAAKQZ zhou_y_Page_135.jp2
3b65fb7b4793124506123d8df0441d94
ce6a6db94c16596c6618545953117b063d869d96
F20101207_AAAJPA zhou_y_Page_024.jp2
896bbb136bae34f1f8d9e5c26bd02bfe
c2c260d555ba9df765888aba3a599406719c8f20
936116 F20101207_AAAKSC zhou_y_Page_177.jp2
43c233f43d09258bc3550f85a783dcc3
98e1e10084c8523750feb849b451319fbfffeb63
36384 F20101207_AAAJON zhou_y_Page_074.QC.jpg
2e8319070391ab9c038576f2cd3f5226
de55d94bd91f144995c1f653288e424503af6350
1051983 F20101207_AAAKRP zhou_y_Page_160.jp2
53659cf573ec5e88342c74f9acb44aff
76c54950b328fb241a79ce4f45908d8f31e1115a
59700 F20101207_AAAJPB zhou_y_Page_075.jpg
88790d2b392124aba35c25f1a3b5c539
49d2950c4b1bf8fa102c74cc76db431b2a9eed4a
984183 F20101207_AAAKSD zhou_y_Page_180.jp2
4f9f9c3292f8bb5bd67e2f734f5931a2
849b618a8fb4234affa949fccbd6883c65c85758
34903 F20101207_AAAJOO zhou_y_Page_196.QC.jpg
11bd736c11ee1b7355576d8b94aad344
3211c1c9b96ec12e1bc3c2b73fc301f0439ef371
1051921 F20101207_AAAKRQ zhou_y_Page_161.jp2
cf84703e1582794612651e673b91d3ee
c5993e35b6805a04e4bc476273670abc6b79abca
109969 F20101207_AAAJPC zhou_y_Page_172.jpg
04f7f188c8e471c48afc57d703d9a1cc
eb34b35cad28350117e6970bc0d3fea7d1324132
F20101207_AAAKSE zhou_y_Page_182.jp2
34ff553397650f9fea7147358112a8b2
64c283ec076ba268fdfb248b6e74fdc9eef7bc7f
55131 F20101207_AAAJOP zhou_y_Page_118.pro
4b28e9feb488c5256ce4b33ccd906d78
cf6c1c23296242f65e565b179fbac812b7ca639c
F20101207_AAAKRR zhou_y_Page_162.jp2
3e073b38e2d4d158a14164ccb072a621
dbf8d651c85384aef34d75128478253c4c594017
141605 F20101207_AAAJPD zhou_y_Page_053.jpg
f51ea7ac438d54120a76e947aba041c2
5a74986cd2e90d8a1b0313f6180e53b604c8cfb1
14468 F20101207_AAAKSF zhou_y_Page_183.jp2
4fffb6fe5826ec75d89b8eb14997eecb
57b3ed045af1cce094215b73b7fcb7cb1bc85468
50964 F20101207_AAAJOQ zhou_y_Page_093.pro
616ed994cd0b22868b416b65ef5c4547
4c19e9c85382f54af67b27368e898c7c506ffecd
1045391 F20101207_AAAKRS zhou_y_Page_163.jp2
2c1c77487c677cd046b9c1b0ae90be05
2c085bc2bf61f4f8c77dc2cd89fb2895031e2ea2
7517 F20101207_AAAJPE zhou_y_Page_087thm.jpg
8ed53d842d5de2620d7d82532bf106f1
8cfa56f3c50be6acaeb41738ed5adf42f31527e5
1051935 F20101207_AAAKSG zhou_y_Page_187.jp2
4ad48b0fc9e09533cd54a1be485c57d0
8fe98f9dc7bb611cdf81782d2da19e866bbf6c07
6536 F20101207_AAAJPF zhou_y_Page_012thm.jpg
f7c5cad734ac57ed841027d5b41c9fe3
f40fbd78673a321200f0b169d6d051b3d9afebaf
782985 F20101207_AAAKSH zhou_y_Page_188.jp2
bbe59349fc2dcdd36a182c77989367a9
22d3e8404273ed2cf6fe06c0aa3b64ee0afd26a8
23999 F20101207_AAAJOR zhou_y_Page_033.pro
1991dab6412d2fd527b4650d299f42cf
5f0d638587e4d78c8694f623ed95436756c320ec
1051948 F20101207_AAAKRT zhou_y_Page_165.jp2
f2aa0ed9ef657c1e787f40468a96185d
a32b52524eb7407bea19211b13879a2e91e6c3e4
115443 F20101207_AAAJPG zhou_y_Page_056.jpg
dc51ae6a13f32b7c36f7726d27261161
7cd4c240d891b97035bd5772be90b3f97d407022
871032 F20101207_AAAKSI zhou_y_Page_189.jp2
b23efb3acca772486866e1d376115d5d
9f003fdb9ade4de128ae1b8d25aef19e77b52eff
6925 F20101207_AAAJOS zhou_y_Page_001.pro
a7b843f0a6fc734dd3bd92db1a5eaf39
8dde81b198ec8c06a94ef53017e38459878bcb32
1017052 F20101207_AAAKRU zhou_y_Page_166.jp2
0f6a3e277947b4bc9f1f1727ca4940ae
1645ea0090f4486a3bc5886054806d2a8ed65fe7
944775 F20101207_AAAJPH zhou_y_Page_070.jp2
e24ef78ab0aeefaaaf348ca915aa27b4
476d8b40d248fa7129a13aebf2347893001acaee
1004257 F20101207_AAAKSJ zhou_y_Page_190.jp2
109ca042f1155dba57d0cf4d9cccc1a3
ce4560dcd67401c495c6b1ccaaecb7bf6e56d689
3813 F20101207_AAAJOT zhou_y_Page_021thm.jpg
5e8976bde94255c7894f57f710d3d77e
9975db4666b5cb1c6352d77cec0af3394f6c42cd
52690 F20101207_AAAKRV zhou_y_Page_169.jp2
535167766db9868d7f9aec1f7f14c8f3
6c53a366c2f84bb4995ff173bd8dcc8010c336ae
69749 F20101207_AAAJPI zhou_y_Page_209.pro
4c15e6bf9c0ef929d7ed757198dab6e8
fb08d8219bea9c18474dee4451bdb5f37cc11fb3
1051978 F20101207_AAAKSK zhou_y_Page_191.jp2
60d339b0883fd02fc4bdc556883e62ba
87bb5b9cd2e7ac04f8e8eb2a9607bb6037b65d7c
7101 F20101207_AAAJOU zhou_y_Page_059thm.jpg
0bcc71573f00200b66c496670a7f6a74
0b806d16c356eef941339f2b932e2ccda968fe01
622118 F20101207_AAAKRW zhou_y_Page_170.jp2
ea7af6c883322843691b6e937ffb2955
a73c2387cb9d1a33fd9c93b1f4ebe5f57e3031e5
25271604 F20101207_AAAJPJ zhou_y_Page_139.tif
8955139a8afb3c746ec8e5a18b5bfebf
07cac70744e986f4a700a46c1abcb1b010822257
923623 F20101207_AAAKSL zhou_y_Page_193.jp2
e9f04e8fceb6f8837f73d6ae3aaee88f
d662761d6a6c45400654468b0967e3e790d0308b
63261 F20101207_AAAKTA zhou_y_Page_212.jp2
be8da67ab815f38c2b631979f104210e
6958d211c852e25a026db2cd7a3e942ef2f1bab8
105199 F20101207_AAAJOV zhou_y_Page_198.jpg
02581be993c5a78a0541bff77668eecb
b4093d8a6578d4075d8f091edff9239530ebfd73
1051972 F20101207_AAAKRX zhou_y_Page_171.jp2
db40d87c0153ffa87996c58947fa19aa
70f041b443013d2d968286d203937a1ccb31d100
1051958 F20101207_AAAJPK zhou_y_Page_022.jp2
a8b001eacc5ad9942bf131d8da061a8d
84f745390afedb80e3ac752496a64c854016b83e
997904 F20101207_AAAKSM zhou_y_Page_195.jp2
af9051b95166ffc359fac257cb81fbdc
bc0cee1ad9c269f22e4cca1c201503c17bea575d
40256 F20101207_AAAKTB zhou_y_Page_213.jp2
f0fba9e4bd852f1811eb58a9c0f762ca
8defdf0e5bd5b70ad6e0955b398b67856ee88c2f
1051979 F20101207_AAAJOW zhou_y_Page_146.jp2
8ca0de82267e6e3204eef37c9b4bc3b4
2141535c6e4b95425749c534e50212dcec9a7e2b
F20101207_AAAKRY zhou_y_Page_172.jp2
70cbe78fad622a659b91740d1d5d4dde
68ca4d587c9b863dbe742138524cba2c858cca0a
1051985 F20101207_AAAJPL zhou_y_Page_143.jp2
e403b9f04976fc08c7d932c559ce4151
db8b79d0508472e91a598509ab5240570526c557
1051916 F20101207_AAAKSN zhou_y_Page_196.jp2
ba1cae17407b8e0ace9f2d4306b1afca
cd1ac9eea31e482a24bfab1235e749c32ed02202
1053954 F20101207_AAAKTC zhou_y_Page_001.tif
bba45348b8b73be55829de766dcc7548
5b566cc0f3e3e607c4d018f5d64d6c9b428e0c71
1051968 F20101207_AAAKSO zhou_y_Page_198.jp2
5c78a9a0eb7bc8bc44b4edd89428328a
c0dd68d26a035a31c32a450e8ebed85a6eddad6f
2146 F20101207_AAAJOX zhou_y_Page_130.txt
d05383ef9ed33338a7406c9d711d5d4a
ef97a24f81ab93474455e392fa2ea4e993e441ec
1051967 F20101207_AAAKRZ zhou_y_Page_173.jp2
339b6159e89ee2cb84f5cc3bccbbedc1
97369071a4c058dfe95504039b94eb68b5dc742a
5322 F20101207_AAAJQA zhou_y_Page_041thm.jpg
7af753327eb3434e1539dee0d951a905
71b221742f396f1d0b8a9c1d4dde8f0e1660ad55
34483 F20101207_AAAJPM zhou_y_Page_047.QC.jpg
0c8ec6cd52b26b64bddb9a54510877be
afd5dc4075b7a541f20def477685f44014b3b658
F20101207_AAAKTD zhou_y_Page_002.tif
f6ba0149fd47bfb2feeb9826e150cbf1
a83b2b447ddb6cb7f7976a15fe728061ea4fece8
143646 F20101207_AAAKSP zhou_y_Page_200.jp2
6f7fbbbfb9514412a90a8076065fbf8d
39c2856d234658a37ad207f14117c6903276a7a1
110511 F20101207_AAAJOY zhou_y_Page_067.jpg
42f29c4748b22508c26bc6800a463ef7
83775ce7afde673bc0b3e82c02a8d182ab63bb17
96274 F20101207_AAAJQB zhou_y_Page_164.jpg
2518fb6c3464a33d4c8315d207f6c82f
ca3bce2cbab74cea3e68c8145380c2cc5fbe07f9
53963 F20101207_AAAJPN zhou_y_Page_122.pro
ecd026627054fe1aa45c1a85baea7e5b
a5b44ce2452660eedb45c6ca7533016ba51dae89
F20101207_AAAKTE zhou_y_Page_003.tif
a3bb5092e432957afb47b8bb608cf647
a10bd64839d7afd6df27980ccaf3f829935032a0
151865 F20101207_AAAKSQ zhou_y_Page_201.jp2
6580c84913935855961a9587ad17da14
4e09dc11b57bbdc38adca64888fcd094260da204
75859 F20101207_AAAJOZ zhou_y_Page_090.jpg
9480a4ed4ea4161b7d168d9ccc6f7f1c
027896bbf9ae1563194dbebf8c87bf4651c1492c
6077 F20101207_AAAJQC zhou_y_Page_005thm.jpg
2c677eb6964ecb087043221c35109589
ec811044346cf231747bb32daf1084648adf3765
2215 F20101207_AAAJPO zhou_y_Page_182.txt
d64c033cf2a3b34cb2e782a599011416
055c2a91b1539fdf68155be1ffef8c1a38a662af
F20101207_AAAKTF zhou_y_Page_005.tif
75a33ec550dcccdef2b0a186c13869e0
cb6d81f078de74633b6f0f93e729a0f82902a0dd
144670 F20101207_AAAKSR zhou_y_Page_203.jp2
a4e785fa95318b783824102f2064f999
85bf696d0d7393cadb534e2a27b300dff4f090c9
23479 F20101207_AAAJQD zhou_y_Page_199.jpg
eeebf9d61ab0633fffa125208bac3af6
dfcdef5c22c487ddd8e720be6fe4c2a4a00d2fc1
34039 F20101207_AAAJPP zhou_y_Page_128.QC.jpg
2dbf77c2c4171d3674ace0fae67b888d
fe47ba3efcd6b37fb0dd97a679d8f401ea510377
F20101207_AAAKTG zhou_y_Page_007.tif
80898c87aa5e9efa969dcb246d9e1db0
ea29154a7b0f244f279426e9d6830dd46df18538
150374 F20101207_AAAKSS zhou_y_Page_204.jp2
67f8052cdd61b4924b2d8b07bd5151a1
c259270634401b8f2cc75cb2ce977b6b83e20a2f
47730 F20101207_AAAJQE zhou_y_Page_168.pro
e65180113b2e24a43024052566e0a925
02c9a89bcac018c481dfcb3b2e6cc0d43288385f
1144 F20101207_AAAJPQ zhou_y_Page_188.txt
929eaab835427b65a91e76b1d7693612
92b379062b725f0323a6ecb0183e2d1bf4983df9
F20101207_AAAKTH zhou_y_Page_009.tif
113158e25e9da982c8ee1f1b72752bb2
2cf1faf1975883a1183c34a6e501f644c04d9118
147176 F20101207_AAAKST zhou_y_Page_205.jp2
df16b4d086387176a22b379913bc8b86
0d771ca5283ee497699c53052e2d5de170e1609d
7948 F20101207_AAAJQF zhou_y_Page_036thm.jpg
de43e056db47926e575b682c682f7909
192c87b1fc38d3e4231bc6fd13f37fd0c988dc98
27965 F20101207_AAAJPR zhou_y_Page_043.QC.jpg
1e74222e88204e460b715f79074aefc7
91f105aa8542b6f368ae74681f707f18b100dea2
F20101207_AAAKTI zhou_y_Page_010.tif
fbd02da63cd9c98c1968d6e5b8852601
154f0fdd529a727ea96cb792cb1f16328250eddf
479 F20101207_AAAJQG zhou_y_Page_003thm.jpg
653254892e29f863cb3c59b45838222c
4aeaa559d01b1b36f32ccf4770771b9e008cf7ae
F20101207_AAAKTJ zhou_y_Page_011.tif
a7116ec8b2da793e91b9a169d75ea0d7
b5430f1e2e484ff99677438428b0f2863aa3a1b2
149474 F20101207_AAAKSU zhou_y_Page_206.jp2
f1f5ea5269da14b56e453ac379606632
1fa4435f4968419465d8d23c97f34cdbc96004fa
8049 F20101207_AAAJQH zhou_y_Page_198thm.jpg
2b2c44fb2e861ca902676e57118bff76
1c4ad8015bc8f8fa4e21acd7386364cf1a7f002d
7025 F20101207_AAAJPS zhou_y_Page_113thm.jpg
f96703c47693f26e0e878aa0261cec19
f5ebf347380eca1b648e93a1c3180d22a55d3525
F20101207_AAAKTK zhou_y_Page_013.tif
2bb0ef628585859b0fe289c370d56107
92347a634f723192882bb3ee033eeebce802534e
145670 F20101207_AAAKSV zhou_y_Page_207.jp2
fde3f5faeda7129ee0d7a3ede289d15f
8d4d9b7fd078398f78208bf942370f6cc34277cf
F20101207_AAAJQI zhou_y_Page_124.jp2
d71b00be584974037dbcbbece1663955
6630b9f5070317b400fcf09e17f5886660e0a34b
7693 F20101207_AAAJPT zhou_y_Page_110thm.jpg
aad9d60723b1a307381d0560c4ab4ada
e7d6ebfbda1a245bac92bcbc9b24003a39608d90
F20101207_AAAKTL zhou_y_Page_014.tif
8e1f01dd377c5e83528604969f716d86
aeff5e73cbc0496a9a3777470019682c0a57c945
143063 F20101207_AAAKSW zhou_y_Page_208.jp2
1d2ad20bef09c3873727e4a9a4f22003
478b12b6cd6eed9496617e58a91cdb30be974ec5
2117 F20101207_AAAJQJ zhou_y_Page_138.txt
18eb41b1a2a481107a472a422aeca211
d20a2c17db8b090d56634d6084ab8202f4889524
68063 F20101207_AAAJPU zhou_y_Page_133.jpg
648f8f9add69cfa645c250760de516b9
9c76b0e82ec0a768da3e381bc6c04843c8a05ee9
F20101207_AAAKUA zhou_y_Page_034.tif
0e3e4caaf58ad7fb6aa968b1f84d1338
b7497626ae998c7aa2058a2d9192d6f0259b9a69
F20101207_AAAKTM zhou_y_Page_015.tif
924793fe5d308f0b6da2a00f58bf6a01
1ecbfd75a2c0b96d80b17bd8bb43d26003a811ed
147548 F20101207_AAAKSX zhou_y_Page_209.jp2
85bdb269c15c035d1ce8c4a0996554c3
9fc640eab39b2ff82021ffbc27bb39cd29919ee2
2394 F20101207_AAAJQK zhou_y_Page_120.txt
df745d1a330f7abfcb0c55a72eb9e0a0
465d5660736f295048fbb0afa61dbc51693470ca
28531 F20101207_AAAJPV zhou_y_Page_013.pro
7668d54a32db0f2e03d73d65367f078b
962ae8ecd501aa3a7ae3f2d1087a550cee534496
F20101207_AAAKUB zhou_y_Page_036.tif
b22550a8b4e34bd6b5b6c878d30c36f9
d6a3b3a83f362a2d8f6806b8cc572c34d015c9c1
F20101207_AAAKTN zhou_y_Page_016.tif
b7edd0ec89d6b71df30edc173a245a82
8c47bff20512d88ebc39ca1cfa3510af0694f680
148181 F20101207_AAAKSY zhou_y_Page_210.jp2
80547bf2a135c276751fcaeede7adb09
6e4aa49f401206c76fe4e882d4b5422c73a8f851
3295 F20101207_AAAJQL zhou_y_Page_006.txt
1b8053ef742df65e80b054a58cd51e25
113d497cddbcccdcd13141e7897958584a9e9e30
53032 F20101207_AAAJPW zhou_y_Page_049.pro
9607de3e063690381b23dbf38d55c118
a91db6a87f6acf54997aac6896b6ea9206a733f2
F20101207_AAAKUC zhou_y_Page_037.tif
441e70536b1a687d6afb356606714fd7
b8355e0d6527b076ab47624c8b7f756784e181d3
F20101207_AAAKTO zhou_y_Page_017.tif
5d6465d2198b5be67f4dcd587c3efa78
2cc48d8caa1eef339acdc69ede32530d96c97b20
145966 F20101207_AAAKSZ zhou_y_Page_211.jp2
520881ac5e3c3af9114978deb895a473
dafdcc06d9b59bec399c7dd8dcd8b735daceaf98
5856 F20101207_AAAJRA zhou_y_Page_037thm.jpg
153a5495e537c59d90aaa6f45451166a
d3a5f54736a96dfa760cc7ec10165fed2dad9777
1043178 F20101207_AAAJQM zhou_y_Page_081.jp2
a92182db9bd60b5d50eb4631ae975e6d
3a05dfd5ff20e3389bfe569a7a9682db5e8102a7
8484 F20101207_AAAJPX zhou_y_Page_206thm.jpg
7d1e00aaef1ba280880b371b9c7152a2
dd6ac7b348e1e24878a2d854e81bf75eabea959b
F20101207_AAAKUD zhou_y_Page_038.tif
10452c41d652571db0447496640e15f2
9260cd2f9253834ba48c4729077ad0fb4c21989a
F20101207_AAAKTP zhou_y_Page_019.tif
ad820848912065ed6650d5c8a29e9b96
ba315bc5e29691d8a2296efb85b782586872127b
2134 F20101207_AAAJRB zhou_y_Page_147.txt
6c4e601e047bff7c4c3661d6bdf91e68
c9e3b1842ed4ba13b4b23cd6c704b19c866dc2ea
1884 F20101207_AAAJQN zhou_y_Page_095.txt
dbaa8081ddca53de157dae602d9e5f29
cade35fd328486de57542d6ece21fd79521d0c27
30101 F20101207_AAAJPY zhou_y_Page_110.QC.jpg
481233223b823cd0392223ff44c65b44
119afae5c9b581e6dfcbf3eba065f22e4f477cd4
F20101207_AAAKUE zhou_y_Page_039.tif
5f63d0332e311aff57711e0bb9fe1da7
8ce4e1e3f8eb945a889931829bd1711061171c47
F20101207_AAAKTQ zhou_y_Page_020.tif
b6021f7e046fee08a27b8e0b1e02e1cf
5e6509bc2d119f9f34e16a8eb83f2e4e21aeb886
35869 F20101207_AAAJRC zhou_y_Page_031.pro
133264da62ddaeb6d764595ed1439b8e
3a1c356ae7f15ac3a73972cd73abbb3ece387c8a
32138 F20101207_AAAJQO zhou_y_Page_186.QC.jpg
e82dcd3c9bab0cc2a5e249d855f82525
918f09822ebc7d7136d595f889e92c7c2d93412e
F20101207_AAAJPZ zhou_y_Page_140.tif
d8b56097ce07a34a5ae3bec4f4b9ab4e
90bf8bbed36beaa570c0b8c058cec8aae8a054a8
46211 F20101207_AAALAA zhou_y_Page_061.pro
e6fc5ed8b6b4754b6241bf286327a5d0
4d73fad04cbfe691b024f86f63901d27bb67b6f7
F20101207_AAAKUF zhou_y_Page_040.tif
e13f8a8f49d4e08de19151d3ddec5227
2d7061d18426ff6cdb7a7f88dc05aefdca647fa1
F20101207_AAAKTR zhou_y_Page_021.tif
405cf32abb75a5ea50ba2a60bfd20352
f6855d79a04adef973d0ecd162ccb9bf2d83ec88
1665 F20101207_AAAJQP zhou_y_Page_001thm.jpg
d039f5bbce22dddfc45ac557815c1b5f
a27792b3e3277d20266c5c8dddabb52ffccb05db
35824 F20101207_AAAJRD zhou_y_Page_020.QC.jpg
34f584773500c9c60ff8ba7e39a7b499
a88a9d85992f2186bade9f8af4e60439cab40877
F20101207_AAAKUG zhou_y_Page_041.tif
2507fe1d8cd76b2b3af98ab6cd2d5786
e820e3a420bf68455fa4302bd4c49839c557a760
F20101207_AAAKTS zhou_y_Page_023.tif
e7064d40613bc00b2190d85f4ee85c04
f6935dfb4b0ed671c95dd865beffade8c8596153
99410 F20101207_AAAJQQ zhou_y_Page_175.jpg
d358ff81da999901e850b6f4f7b2cb35
e46853e8e9a2cb528b0e5e09e883f441cb442dfe
55065 F20101207_AAAJRE zhou_y_Page_035.jpg
bc7fb189e7bc29572781f07255862067
461a179fa02635de0bcac963bdde3bfa276be53f
58453 F20101207_AAALAB zhou_y_Page_062.pro
5da77bba84d2abb1457b71a49634259b
c80795705ed9f0fba6363e68a774904991fd2a69
F20101207_AAAKUH zhou_y_Page_042.tif
4c09b8f0f3b6e8566ed406411b767721
f18c5475c73c8cfbe264846f9b5d2c7fe9015ebb
F20101207_AAAKTT zhou_y_Page_024.tif
69b10c04ffc0255a3b6186ae7f71edf9
659a4ac225835c901e59913786b88767375dc748
20835 F20101207_AAAJQR zhou_y_Page_001.jp2
099b41e393ad010beaeb08908382a13e
a73c74f22dad7737ef9efb444080deffc43e8905
F20101207_AAAJRF zhou_y_Page_054.tif
fe70ba4110633fc136e79fe39f7b46ec
2f104513958c89145c6ed9e208bf7a02347b6a1a
40406 F20101207_AAALAC zhou_y_Page_065.pro
ef20c4ce68fc638789d3c19e2bdd40cb
a082683088b964daadcd2c3ccfcaec7cfcd7c118
F20101207_AAAKUI zhou_y_Page_043.tif
c11b9d46168a954e843666aa94b7e695
3d6eb3f1dd0b5ac5611f0a3bc6c06ad4de0ea5ce
F20101207_AAAKTU zhou_y_Page_025.tif
d5352cf819b1ba542c4be56a2e826166
4c2b76691c64ec77c2a4227f4728a1cde785564c
34523 F20101207_AAAJQS zhou_y_Page_046.QC.jpg
c93899d8f2eba5f065d1a002173bd07c
57d692c40cda5f15b8e37ff334df2b3d1182d790
2205 F20101207_AAAJRG zhou_y_Page_022.txt
c0ace68d49af57e128b31eb56a3552d7
aa756235300de4757fc85b919a46f76ad3ff640e
56185 F20101207_AAALAD zhou_y_Page_067.pro
e4b3d5177342552f503f58d964e3f2e1
a837576423b22ca6155469be85c32f49fad9e6a0
F20101207_AAAKUJ zhou_y_Page_044.tif
c9baccb4bbfe4b30a386dd248b4ef9dd
9367fe0f82d54872531f3f4b79a912b3f0bb51e0
59063 F20101207_AAAJRH zhou_y_Page_144.pro
edcafd3cf663416716ed1453dd77b799
84bb53a3c51c24509b2d2c9104ec9d9edb7ed7d0
54541 F20101207_AAALAE zhou_y_Page_068.pro
b6ebe06577185e42823989eb05a4f344
e5213ad98ec8f2a44937af6898e54dd140d48830
F20101207_AAAKUK zhou_y_Page_046.tif
b6cbfc2a2e7ea7870e52ad1733a7d9e1
3e3360096b2be0f31a46a2f5c669c66d23755dc9
F20101207_AAAKTV zhou_y_Page_027.tif
0f361e320b1fe0ab05cafbef1c4a94df
f98c49fc619a64fcc7ac51d8d9d83df70660fbfe
1029 F20101207_AAAJQT zhou_y_Page_003.QC.jpg
26c6e09becc7aee1b43160b824447dbf
58d603ad6d0b136116b47dc69309afd137645c69
53496 F20101207_AAAJRI zhou_y_Page_157.pro
f83920d508582cf6648c2c14e8eb3c4f
9b821738ef4ab261753f456a4d36f1901988e4df
25145 F20101207_AAALAF zhou_y_Page_070.pro
51ce44afa8420b80a2d0fd9a36bb7d84
985afc054f6d093cd35e73d10b9d31395c7969cc
F20101207_AAAKUL zhou_y_Page_047.tif
3a7fbf176bc8ae2fa1cf28b2a947c9a4
939160a77ce760c0db8b6950002ea1095a3a7b8b
F20101207_AAAKTW zhou_y_Page_029.tif
523d281be9d0d6b7c9235016ffab13cd
671bd3342b8e1c9bbef7576c8e01c9c24b04cf91
F20101207_AAAJQU zhou_y_Page_141.tif
7dac47b89cbccee5481ea2c9618ae3b9
aa108b3830a604ac87c59ccc0c94fb69f3cc081f
F20101207_AAAJRJ zhou_y_Page_107.tif
58235404f1063ddf99d8de0249f7f140
2a7354ba1d0eed0960f3702a799a2e729d23e91a
46660 F20101207_AAALAG zhou_y_Page_071.pro
cc6da132bc015a96ededdb395da04ee4
296addfed82702fe4640beca66c09c12dcb757e7
F20101207_AAAKVA zhou_y_Page_066.tif
cb168a380d08c269d73239d14b072388
31d3e94a18751ea0f3c1010d1679b3e5af7cd6db
F20101207_AAAKUM zhou_y_Page_048.tif
f8c6a76c545b01dce7e12231d9f99c2f
dbcc620e547f58750534d717aedcafbb0f6b064a
F20101207_AAAKTX zhou_y_Page_031.tif
c38bf46cc6fda69686ade01cee1dba83
80c477183eb6a4ec08c01c85277b426edf7a0913
80921 F20101207_AAAJQV zhou_y_Page_189.jpg
dcf7fa75c0375f403c8923a8bdf959f5
994f83980d018af4a2aa82e0283400e69a4714fa
7455 F20101207_AAAJRK zhou_y_Page_193thm.jpg
c11c361e47eaa1a521183dee4377da99
22cbded85efea58fc54b7e0f5b1700c605a29226
31987 F20101207_AAALAH zhou_y_Page_072.pro
4ae167b5bdf0b0df6e3b576eb59a5c44
2e43f2b355b99d542cb22b1f1f60961e1eb5048d
F20101207_AAAKVB zhou_y_Page_067.tif
7cd90a1b7697f654486fa46e7d0a11dd
0b904afe9e061d79c85411097135d097d64037a3
F20101207_AAAKUN zhou_y_Page_049.tif
bc25681cf426ded959a59f9e22e22526
d29e894cecd92121a0e8ed692831322dd3423ff6
F20101207_AAAKTY zhou_y_Page_032.tif
d84e79856e15d73c96fa420183131ada
5f1529ffd5b5c8b72013623e4fe6516efb9b3085
7900 F20101207_AAAJQW zhou_y_Page_130thm.jpg
5163dd230fdd5349709b7616e6067d57
34429187d92476d551baeabe7736df6e6d1852d0
77994 F20101207_AAAJRL zhou_y_Page_154.jpg
ca78e3e42a0a73794e06d6ab99990475
4c8919e5117f324f21e4e26ab22dad5cb7174113
46323 F20101207_AAALAI zhou_y_Page_073.pro
06df079fe919248d455c5bf5b79f021f
b8145381dc398da7d5da6237249518d2ff9d8752
F20101207_AAAKVC zhou_y_Page_068.tif
4f2276b42775c8123d0c425641a1ae0f
7004af928b1ceb0e0eb18a66093f5358a10b557f
F20101207_AAAKUO zhou_y_Page_050.tif
d93f54765a6904cd81aa2b0482bef13c
4994ce32c13570ac72dd133f489debf355ea22b0
F20101207_AAAKTZ zhou_y_Page_033.tif
0be580f124b1ca7ded75f046f0604b1d
b4abb86c71c92cb47e56efb17496b97bd86a5b84
F20101207_AAAJQX zhou_y_Page_188.tif
da6ba8cab4f90161a62820cfeb615ad0
6cb2924518ca2c2e15e43d57ac95adc0ddb44baf
384 F20101207_AAAJSA zhou_y_Page_010.txt
9f6ac48c2f782d71e9d993029b637fcc
cdee4dfb0080c7a3edfd40aee7d06e375a54a7ec
132970 F20101207_AAAJRM zhou_y_Page_204.jpg
5d23a7ef48d178f080f9637bd1302906
2e9c7b5f8d939174215d3d1101f97dad6ab250cc
16523 F20101207_AAALAJ zhou_y_Page_075.pro
b6d812c8fb20ebfe67862830709d9a40
fb9c384ff7866dd2c3f983a5ec0c98da8588c4ab
F20101207_AAAKVD zhou_y_Page_069.tif
6a4e43d914bf8f8c68772849ff646354
14ec58979397c405834e9cf6b713f8ca78a93828
F20101207_AAAKUP zhou_y_Page_052.tif
a416910b597e9a031e91d8b4c901ea8a
0f0813a4b56f0dd874e0d2ee5ad35c84813399cc
2570 F20101207_AAAJQY zhou_y_Page_057.txt
debd9df85c7bcae590db85dfadfac845
a6effb592a628aaa6fc3463ae638747749f5c4b3
31771 F20101207_AAAJSB zhou_y_Page_175.QC.jpg
938518f637b6a54fdf3b9a12fc50b560
0eaa30cefe99967b2bcfb338cc7b684632b0de20
41451 F20101207_AAAJRN zhou_y_Page_095.pro
41ef000e78721c5447a60ead45326590
088ec025c8d3024933c0d0f4417e2c5a7969b3aa
9607 F20101207_AAALAK zhou_y_Page_076.pro
28756f525948fdab94b2dce52f6db1e5
6de4fb2aee5d0e251744fecd21c38fd1d72d84f2
F20101207_AAAKVE zhou_y_Page_071.tif
e4f26ad040c659de4cfe4b3e0bf5e2e6
10b720136589d9481ab65837adfa103998116b41
F20101207_AAAKUQ zhou_y_Page_053.tif
a5b991be8f3092e2d4ba4e4a422d124b
98fbd38b09bdc75bfafc21ff787042223c9c846d
134753 F20101207_AAAJQZ zhou_y_Page_009.jpg
80f0611daba67bdb399f8eb323ad0e97
4e3dd3defe8449268b5cfa7e172e417e525773d3
32955 F20101207_AAAJSC zhou_y_Page_056.QC.jpg
c366e79f33a8353fc8f45a7f2aefb486
cdc50b8cc5bc16d1f6a3c7a9ff54f226a0672460
35728 F20101207_AAAJRO zhou_y_Page_202.QC.jpg
9ebf81a14de46777240253ad176ef62e
c9a774b73587d40c68c295c491e6cb595efb609e
24386 F20101207_AAALBA zhou_y_Page_098.pro
907b2d50f31461845d06f21c68585134
b96449d51009029098603b2a02420563071284e3
57365 F20101207_AAALAL zhou_y_Page_077.pro
6e072697eb0e0824f16a52e564322f02
fcedd142bbe70e2221859c8e7ddcef869ccca076
F20101207_AAAKVF zhou_y_Page_072.tif
367217d909fece5fe740f9343c62165b
91fc93cf339bf44cce96273eb5ec15085f1e326a
F20101207_AAAKUR zhou_y_Page_055.tif
0f97e871935d2ec8df42ac8c059ca18d
7be7386aaf383859d15201010a624d371719f5c9
103002 F20101207_AAAJSD zhou_y_Page_197.jp2
a9c3ef882b8bdc35367bc79cbbf0865d
81532db20bd2ee1c4ad995a20cb4efe1689ee3f3
2027 F20101207_AAAJRP zhou_y_Page_012.txt
7ee6ab84104e39f0e889e863d5e1bc63
569701c57246082c1f6b844ad1814952e27dda6c
32653 F20101207_AAALBB zhou_y_Page_099.pro
0c674a524a2fc53e5213caaeb6350942
d654f0d2094bbd9b472c2e55e84b84f9fd640fc0
65087 F20101207_AAALAM zhou_y_Page_078.pro
ba17270b7d61bba5184314f577599387
9703bab1e09bb632a469ebc8f0605cd55b17e6e1
F20101207_AAAKVG zhou_y_Page_074.tif
a83d6a45f153b9d5d34d7ae3d3c038b3
e057142af6175381f11897e68d4c3beb6f5e9fba
F20101207_AAAKUS zhou_y_Page_056.tif
988ba47cd5e9d051e7876302144f99cf
341353c51c7d0beb75b289b444be47deff93bb15
1051953 F20101207_AAAJSE zhou_y_Page_117.jp2
e4db3a4ff06e8455a63ea6af58e3ec40
84ca71069e229e898889014d32b7e1793fc1eec2
2188 F20101207_AAAJRQ zhou_y_Page_115.txt
eb1f09cb9b526aa5a5b9b772d71405eb
ac827b616150ffe33e7bbd675bbdb1c79c5716f5
54503 F20101207_AAALAN zhou_y_Page_079.pro
2e99aa1b555a1303e342cbf9114088e8
19eb1251ad467725d865b6e58395796122245bef
F20101207_AAAKVH zhou_y_Page_075.tif
926eb7e7d31bc09dac539b84a3fe28f9
0d0c75fcbcd2463e2aead50f5edc5fd420b33843
F20101207_AAAKUT zhou_y_Page_057.tif
37063574c8fadc120792f1e335e9d179
00541a137e011f506bba0fdfa17cef961a192df4
7987 F20101207_AAAJSF zhou_y_Page_025thm.jpg
a796bc2a7d16efae7922a082e2017fbf
1b137d388c9cb1e8268c9393987d5e8551d9732c
F20101207_AAAJRR zhou_y_Page_091.tif
b5f7379a77bdf07c884d01916e74ae15
37e1bc56c9e828ceb7921281d83b1461befdea61
43591 F20101207_AAALBC zhou_y_Page_101.pro
8cc3a26ceb17b19cf578f63bd5263c6e
ea292babde5d3a3243824a1b21597f7915297ad6
32516 F20101207_AAALAO zhou_y_Page_080.pro
060031330e715c099f6b24e1c2988b11
580cea66b4afb929197321bc2f8a1aeadefd5cd4
F20101207_AAAKVI zhou_y_Page_078.tif
1e5e2f42451182c27e87bc4bc2d00939
204018e05fca987d2231a846b6f087232b1b850a
F20101207_AAAKUU zhou_y_Page_060.tif
a688eb4e1a715863d4fff17ff201cdf8
ac2b50fda13d4e341e7b176da59602254ac803c0
1263 F20101207_AAAJSG zhou_y_Page_011.txt
7c354e1bffe0b1299734d22090373f9a
4d1cb48aa6cb526545027a000fbe1f1cc2d8cc52
34058 F20101207_AAAJRS zhou_y_Page_037.pro
7e158c9986a5defdd0f86fe159e47d40
c6f28fa5a1413ddb8a155ae63714b12355ff2e5f
52328 F20101207_AAALBD zhou_y_Page_102.pro
65d4df885e13a5785b5ec4d4c6b94200
5f5923cc33e5f62100cc59c977be169bff3460b3
47805 F20101207_AAALAP zhou_y_Page_081.pro
cfd50fd4cd13f60fbcd672a67a8061a0
b130c7aa52414f2e378b3d710ce946be0310d612
F20101207_AAAKVJ zhou_y_Page_079.tif
c7c733309ebb8fd18df4ac012dc95399
8028f488b597b07b4bf9a6815a7d2125fc2e08aa
F20101207_AAAKUV zhou_y_Page_061.tif
0834564a6ba7e5907c3a13a0e065e136
f37f1b51ef99b5c609e709e17e0461cc86abdb1f
1522 F20101207_AAAJSH zhou_y_Page_080.txt
ff45f5fca88a971840e389ea713ff33b
d3bc9e015bc72d53cd714105bc64098fe7f51b2f
55600 F20101207_AAAJRT zhou_y_Page_145.jpg
37e2e37c46a3aee2280bab4fa6302ebe
0af657fb7fa8b390dcb6d69b8ed7ddd278ea003e
31183 F20101207_AAALBE zhou_y_Page_103.pro
28d529ccf20a4bdc1bd3b7ef78601bb0
4c328030cc25d667403d871da9e29410233108a1
48588 F20101207_AAALAQ zhou_y_Page_082.pro
95e8db11ef4d00f7e0a82e22e9c31cb7
eee7864e1fbfbaca33690bdbb454c5f11cf5be87
F20101207_AAAKVK zhou_y_Page_080.tif
3b4db31b470301829bdb041fdad9fa87
926e97e36291c9ef85bba8902a6cc372d5b79049
708 F20101207_AAAJSI zhou_y_Page_213.txt
a2bd22eaa37167a34be1a18ebd36548b
b2dc207927f40e015f0495f76c431cbce4ca41c9
38168 F20101207_AAALBF zhou_y_Page_104.pro
c40bfc59f919cc129271042e1c3a1117
e3462ffff98f820225166a26d5f3bd4d3c8e40e2
53929 F20101207_AAALAR zhou_y_Page_083.pro
5f637bb94945c301bfcf0b5cb658059c
9f1e3cace6ca60a623870872e9b7a3eb66bf364a
F20101207_AAAKVL zhou_y_Page_083.tif
46c2eb38343d3bef83ec675a02094b2e
1c858189499c43de601035eec036ada331aa90b0
F20101207_AAAKUW zhou_y_Page_062.tif
b767c521a143e7a758118987ceeb1977
587414787effb505c9d068e39f96f7896bb47f79
60465 F20101207_AAAJSJ zhou_y_Page_086.pro
662191f8e622988f7e34f316f5818981
865294cc09fc6c7cab955ecdf07d858362960561
15114 F20101207_AAAJRU zhou_y_Page_041.pro
63a9fd5a90755ed73f5b7aac887d71cf
d274434dc5a3aa613392eeaa7fead0558e3f3e99
44988 F20101207_AAALBG zhou_y_Page_108.pro
db398fea4b8f35f871383f2663f310fe
b17ff6ec421921c8ca54e3e456b7a93a3bd2c56f
49086 F20101207_AAALAS zhou_y_Page_087.pro
e5ef4bea02a8574a5ba9e851f4960ed1
308bb80749ba6d6e3ad971be97e66d67ed3929ea
F20101207_AAAKWA zhou_y_Page_112.tif
e0206d0c8df1db3a561a8d8737ca29a9
bfc12dfdc0508ea3c14a82358b32f801cf23155d
F20101207_AAAKVM zhou_y_Page_086.tif
ac37a5bc884e547b5b3e51859eb11cdb
543d9097b31ba18daa5aff3b81c79ab3e131083f
F20101207_AAAKUX zhou_y_Page_063.tif
e670732b14403d534a8b5d50fcc3b9cc
946682ab365baee877001d2ee4bb65e3ec34e4f2
31061 F20101207_AAAJSK zhou_y_Page_176.QC.jpg
9ebaa8c484e5d32cb133f38aa6696a9b
98d83dbf5301496a161556449446e9824f88cd66
11468 F20101207_AAAJRV zhou_y_Page_183.jpg
0677f0e6962d207ec8bee4c0833d668f
82da50b70a0960ec470c9f34b49525f138b4c340
61246 F20101207_AAALBH zhou_y_Page_109.pro
5c5fb20bd29db47893b8cdf67c6c95b3
d2a604811ac93343727d8d7c1173a6cd36fd0f00
44257 F20101207_AAALAT zhou_y_Page_088.pro
60135e647e6f2be60d0b9eaa6186b243
11c32031fe4ba7af70eb4ece8123e2fa48d60325
F20101207_AAAKWB zhou_y_Page_114.tif
f01b187074184addb8a8784662c1f5b1
13abac7b8913f393ad19e0f976b2c937384cde9d
F20101207_AAAKVN zhou_y_Page_087.tif
9073cd51fc599796959734f7192fdcec
4ed342a4b7d4936d9725ccbb881e649a523e9e3e
F20101207_AAAKUY zhou_y_Page_064.tif
f3a703efad73f2c4058fe6cf67417fe5
4a119dbf5afbb8fcf4cf2ce0f871936342747cd2
2211 F20101207_AAAJSL zhou_y_Page_179.txt
975e5f1715224f815cb1d07f46613beb
2b2c52813e77185f05bd6c8f01b1aad9c9d70eb1
25775 F20101207_AAAJRW zhou_y_Page_145.pro
2e93bfb882734530cc6bab95ac0a13d7
1d934175a3f2aa062e7bb49edfea07cdced2b347
49165 F20101207_AAALBI zhou_y_Page_112.pro
841e48dc4ff6a8d1d08130d3796cf944
ddcbe7ede0f019d3d180eeea140f51e9df3cb154
24084 F20101207_AAALAU zhou_y_Page_089.pro
3f99c8e5badc26bfe453c9d7fa2e4c34
41854fbc3a5b4135eb50f6e30e8943e99c5abd57
F20101207_AAAKWC zhou_y_Page_115.tif
307443d161b32b13f923d7f373e8fa78
d4410907e961d14f42d46fe56364a7667809b023
F20101207_AAAKVO zhou_y_Page_088.tif
0e5fcdb7734a3597dbfcfc04573f782e
338d8e9c804cb50b16cdfb2429624b4a50170c33
F20101207_AAAKUZ zhou_y_Page_065.tif
0ed36379244ff8a904967f9dc007a985
6c1f5b60a57e6151aed9486eac1b596625335d5e
54604 F20101207_AAAJTA zhou_y_Page_036.pro
4011231c831e594e5d6db82c4b2eabbe
6c1c6b239ecc9d8a3616967e724348d91481f851
7308 F20101207_AAAJSM zhou_y_Page_088thm.jpg
8426bbd95a8d7768994d693c555cdc86
4cc54c354cd9408b17b1245bf4754897c0f8190f
36521 F20101207_AAAJRX zhou_y_Page_052.pro
fa8705a7f030b44325626174985cdf4c
2e613e8d167b53ca5bd3fa0135147716928acff6
43941 F20101207_AAALBJ zhou_y_Page_113.pro
75c0a50bebe65ed0eab9cb25ad8d12c2
a4868d2d93501b50156fa0ef551729d82ae7a3e3
54131 F20101207_AAALAV zhou_y_Page_091.pro
154f0862bdf74db509de7c35b4d9319d
c2a0209f4eb116be1a396231ccc360a76f8997eb
F20101207_AAAKWD zhou_y_Page_116.tif
9d9f58b01e60859dc46d31f5b6f63ba0
b0e638b84b59e3ba0b4aabe22c7217d924f371f7
F20101207_AAAKVP zhou_y_Page_093.tif
f3d88097c01dd26d1c89169bd826fa64
8ac9b13057aa6b962cf9abe3ed39e1880d536c31
60028 F20101207_AAAJTB zhou_y_Page_063.pro
624edc4269679b42126ab96f473b6294
809117f2426da3073090553bdd250945a58a5ce7
44945 F20101207_AAAJSN zhou_y_Page_064.pro
63bc496ce32e74dee6872ac1a6b31f95
55a6ade802fcaf4e3e0a30c2ce2aa5666acd15c2
7694 F20101207_AAAJRY zhou_y_Page_111thm.jpg
7d69fbacd2a1525951bc33f6c8f89589
8568cd9d991a9c5fd3df2bf2b0db03e31ca70a4e
48504 F20101207_AAALBK zhou_y_Page_114.pro
94df9937e50699be9e441e8996fc7124
346ef2f0ab7448d6739913e1c427c76c056e9b50
57221 F20101207_AAALAW zhou_y_Page_092.pro
41401e51660a5ce80f7a14dd1a8bf918
e5430856545ee4d7dd71d8556d2ad132d3cd34a7
F20101207_AAAKWE zhou_y_Page_117.tif
e9ab780fff772e55133d4939d2384225
da7de82395b07812ff2244cabd430c5933e83c39
F20101207_AAAKVQ zhou_y_Page_094.tif
6dabebee9c2759b262a1632e31e08a77
deca9546d099a8eaff899051c69cc9ed3625efa7
1024 F20101207_AAAJTC zhou_y_Page_145.txt
07f912f6cea5673a22f6488799e8388d
fa1053e3de587a9f1bb673842af643f3df0c9dbd
2082 F20101207_AAAJSO zhou_y_Page_060.txt
73f52987b38dcf58f755fa3b4f38a315
9350e4f53d0045718f1c7c318b76a0ed9f337ab1
6569 F20101207_AAAJRZ zhou_y_Page_008thm.jpg
8e193cf386554494125b5aa860aee41d
4b13fcbd3a1e8a71b8e24eedc0a28bd10d12a15b
38077 F20101207_AAALCA zhou_y_Page_137.pro
93175d5fefa416069813962be9fd39c6
d89dc053b5ef6547776f3af9de5f8321fb3120eb
54136 F20101207_AAALBL zhou_y_Page_115.pro
95af24c7765e4723ebcd76552fcddb11
e844da7e06b908ceda92119e426a5ecf0c7b39d1
50437 F20101207_AAALAX zhou_y_Page_094.pro
df0c92952b998a4d58fea600a1c0db50
64e46cc7c2e7f38667590db1159e6e8f6ae13002
F20101207_AAAKWF zhou_y_Page_118.tif
57f5fd3c9e31a571da998116e64bb982
bd747719480347905880aa40067706cd33c78334
F20101207_AAAKVR zhou_y_Page_096.tif
e22a494b6bb0871c446cfff3def0f9f2
44738a93d06da9ec331cce20a74165863dfeb71d
90158 F20101207_AAAJTD zhou_y_Page_136.jpg
1dd92a6cb59903a9fb94934835d4b4dc
d046117ac495a1df93e267ed8363bfcbc3a32087
28614 F20101207_AAAJSP zhou_y_Page_152.QC.jpg
2131adbeaa55d1bffc44d5da1f4e35db
0befb8d4f0d68bccc632d9eb2c30f6fb95c80cca
52705 F20101207_AAALCB zhou_y_Page_138.pro
0470b439aa4a45a108972f7db93a6255
25a1582407ac929042c998081737a8c1195867f2
57780 F20101207_AAALBM zhou_y_Page_116.pro
4e88f6e56d14cdb7f97e852174a89fe0
282a049c0ce1d9bfb44ee7b6803565d07f46594e
50704 F20101207_AAALAY zhou_y_Page_096.pro
815969106b6dd800404d528b71fdcef0
d3b39b96dd4fa11b4e9eb2e2484b73cfd2888003
F20101207_AAAKWG zhou_y_Page_120.tif
6d31f76b9c62c8b51fddfe9ca2ebdd4d
1993e01e65ca447710f9b74f7f03e740e488ad33
F20101207_AAAKVS zhou_y_Page_098.tif
32a62c1af6114eb20b7352bb9a75ab32
f8c350e1d87a252354fccd6670df4c618000d2b0
26081 F20101207_AAAJTE zhou_y_Page_199.jp2
a2a0bed0f627bc60a8d6578767cdd20a
a05f7991f08526cf5374188ad8b46bc488167384
27704 F20101207_AAAJSQ zhou_y_Page_167.QC.jpg
6a49b58ee8234824ddac206ead81647e
c7b90762a790e6581b0abbe07292428f00b86a90
56165 F20101207_AAALCC zhou_y_Page_139.pro
e0b9a6b1c5e5ea2972d4777d8288b3e8
396819a93160884301b164abbabbbd5e53efcf8e
56735 F20101207_AAALBN zhou_y_Page_117.pro
acdc646cc6fac8cef13799c5af033713
63d447abd0dbbd4bdefb023c4546c0a95670aadc
50659 F20101207_AAALAZ zhou_y_Page_097.pro
123d04007fe13fd8d13c3c1a27d7c7d3
331ecb104d3826829aea0807e3a1b1f3a9eabc97
F20101207_AAAKWH zhou_y_Page_121.tif
cf6f3ee395d1e64c7283a371237d41ae
21aaca74fac9581a7e1be8f5075287450f66aab2
F20101207_AAAKVT zhou_y_Page_099.tif
4e8acf142cc022a7ca840c94e3bfcbbe
4843b04fb246c3a467f21c886ec249a52602cfd7
114458 F20101207_AAAJTF zhou_y_Page_144.jpg
03e9b40dca446b40675ca840c91ce2cf
87b6dfdd761efdd2dac2cd83e10a68c6d716b0de
F20101207_AAAJSR zhou_y_Page_030.jp2
3cd45122e7dc7a7b6249e15c5bd98a98
f2413a838cff118ef1c4a3b0e96c86a6fc5cf34d
52841 F20101207_AAALBO zhou_y_Page_119.pro
f631e16e48066a1b932de2eb3f592ac2
67b6efc2aedfcd1b12abf6c3f31f4e9ba988de87
F20101207_AAAKWI zhou_y_Page_122.tif
698140ce08654b56305e07172bf7f707
c391f3237d63b4c473ff1843f73687605b443fd4
F20101207_AAAKVU zhou_y_Page_100.tif
f11277d21046aa91305c25d40b543f15
5a7063e782871b14904a7bdb34366bdaddb90a7e
29482 F20101207_AAAJTG zhou_y_Page_071.QC.jpg
269386f8fda8fdde27181670bf7019f6
e232163ba3d98beefbba83e841d03101f4c4c6a8
2140 F20101207_AAAJSS zhou_y_Page_083.txt
9918bb191d636dc09ec9d34305c21c49
b58de7ba3fe86669561940b307d4c878ced8f2b5
57200 F20101207_AAALCD zhou_y_Page_141.pro
96b72ad39ce6d93f92b93c2c1673f3c3
c572d14d508df71f61ca6175a50e3747df030a1f
60119 F20101207_AAALBP zhou_y_Page_120.pro
3edd54898eccbc18880906618fe4f593
73ad746acde6b6d7d084365d353bbdcbe2c53bc6
F20101207_AAAKWJ zhou_y_Page_124.tif
c704ba64b44dceca0497f2a5d7694c06
ee7385091877628f5e6831aa49cdc6c0541a49f8
F20101207_AAAKVV zhou_y_Page_101.tif
fc98b8a6c4d38de0f21159a098877bc5
dd30bb6583327d947ca876c58ae888c073f75836
105494 F20101207_AAAJTH zhou_y_Page_005.jpg
8d4699978a447538609ba9c65b43ceed
e5e69119f7ee17dc380172349ee6e9615ac62450
54152 F20101207_AAAJST zhou_y_Page_128.pro
fb9967b7975336c6fec8c5c8a481fcad
876e6cfba2189c55f07bbc83c1257949d03b21ac
56561 F20101207_AAALCE zhou_y_Page_142.pro
706c33f94e602b02a7fa81e01dd481c3
4ba8d40d21297ecf794292ce1950bd5828ac9252
32844 F20101207_AAALBQ zhou_y_Page_121.pro
5bd9bf0960448fdca3da32f2bf1cc8ce
59332464a6afdc9092d198b5b332aa28f7c3fdee
F20101207_AAAKWK zhou_y_Page_125.tif
84c7c0b14e5b5527d98d86e0915f0b97
f732b89dec2f9f21f6d7e08c054d4c227577a57a
F20101207_AAAKVW zhou_y_Page_102.tif
8a244d0c832615567fe09a2d2e42ec58
173a59bff5a1bc5da4728111aec13a21c5985ba0
1051973 F20101207_AAAJTI zhou_y_Page_150.jp2
838928e533ace2a19d9f8d251e956bec
7319ae73fae666b02b99df0ecdd6efb8f009607a
6443 F20101207_AAAJSU zhou_y_Page_099thm.jpg
9ece477701b0d59cd52196fe66f4a4c9
c43cd682d385f1b5fd4e6282c751850f39ff5fc9
59374 F20101207_AAALCF zhou_y_Page_143.pro
dc742eb6a6a15ba08ab72da1fc629d1f
0c3ea96a471f2f6c8e5d6bd5591afd5437289a55
60580 F20101207_AAALBR zhou_y_Page_123.pro
e56bb3b19ee5bc3514420e6fa5b398b9
584447f228eb0e2c23d65d12adda92eed82127aa
F20101207_AAAKWL zhou_y_Page_126.tif
b549f63dd495d67da340d5168b42c35a
9efc2fd5029297e83c9875b281de930d3889efae
110522 F20101207_AAAJTJ zhou_y_Page_139.jpg
33a401e20c302f118f7357fe6094ae49
010d9eea4dd248e7d6e999b834489438fa48ef58
46325 F20101207_AAALCG zhou_y_Page_149.pro
73c21c9d691ee5a78d2838602b03b320
e0b864d039651c5f121b467032d40ef8b6ae1978
55427 F20101207_AAALBS zhou_y_Page_124.pro
c733ca8c47ecd6574bc6150e14c2934f
5bc34c061b121c78f6bc02299aa348227383b281
F20101207_AAAKXA zhou_y_Page_155.tif
fd6cf9a758018a169e98103b4d8b2445
22ffa85796316fa631d8f75deacd6515cdf30eda
F20101207_AAAKWM zhou_y_Page_129.tif
40ef9aa3037ad319b34f2e2b85fff0a5
11de7eeaf9ecf5c6dd6af7fd55fe2a02bf14609c
F20101207_AAAKVX zhou_y_Page_104.tif
f34c821889cf818fa32ca319b7339834
6c763a9b59d5aa97d03eb3456c50de92f0ec1d74
105885 F20101207_AAAJTK zhou_y_Page_115.jpg
e9715ccdae405706f697499275e62aff
218b5238b06acf16046a1af162800c8b9339168c
8112 F20101207_AAAJSV zhou_y_Page_117thm.jpg
2ce3c64e27ac82ea9a699aa98a6645d0
defdf4606946ca4d84651fedcab16c6e026c748c
54106 F20101207_AAALCH zhou_y_Page_150.pro
d059c8b2f8f8723e53caf48ef9e6a8f2
c38a0070d70a625645ef1a3f516577db543b5ff9
51733 F20101207_AAALBT zhou_y_Page_126.pro
f886094473d6951fd688ef9ffabe5853
3790e63e4c443ab7f9495b7e7bd5b34b116f757c
F20101207_AAAKXB zhou_y_Page_156.tif
ab07daa493ed634fb58ecd6554adadb1
7f7d8fe66e144da7a4772e42eafecc4325cf22c4
F20101207_AAAKWN zhou_y_Page_131.tif
e666d5c30fc2350e4c3ae2168cb07725
40de41696707bcaa803020683862b792ae943b96
F20101207_AAAKVY zhou_y_Page_108.tif
2bd4431527d1295fc5b97bff5e0c2969
594be8d62a4b90cc4f0b177c26a72f8ef474e278
2259 F20101207_AAAJTL zhou_y_Page_161.txt
6d478b741a784452915c992fc66398eb
62862bebd927878236640bdf22a93dad2c673dd3
F20101207_AAAJSW zhou_y_Page_006.tif
ec40a23ab35bfc803ca37bfae762dc7b
be8171a54c68640ee3250b451465edf81b1bae66
28618 F20101207_AAALCI zhou_y_Page_154.pro
93816a63e9b6e6e87d9199e6c9b40f54
ee6221bd4565b01ab6a439d928ad055629583390
18429 F20101207_AAALBU zhou_y_Page_127.pro
8b45b8655f9d78b9304edd7cb75ee6fd
96b1789d0099bf9bddf7964f1dff9e580be67c64
F20101207_AAAKXC zhou_y_Page_157.tif
caa2dada365c7182f0999b77acc5d23d
1b19485ac719a9b122cad96cba1fc657d7afca29
F20101207_AAAKWO zhou_y_Page_133.tif
a0487ad21a175f469210a5559783c8bf
7097f412040f7e51492f92cd5f7da6e4832e50b9
F20101207_AAAKVZ zhou_y_Page_110.tif
15f2a90bb5a17234483e4f221d9fd1ea
f119b4444d0c454cc65a6fd30b3f14e709156919
7583 F20101207_AAAJTM zhou_y_Page_195thm.jpg
6f6f5e4e0d129be9cf6ff3ed799d1b32
e662eb169cbd9306dce7097cbd6d2ab548d9727b
17261 F20101207_AAAJSX zhou_y_Page_158.QC.jpg
e53dc81b6dd90072c86e10eee5883dc0
ed960a2c0de514a52063644abc3ca658a1f0db9a
29131 F20101207_AAAJUA zhou_y_Page_027.QC.jpg
c7d1136698131023d33ef851ec80071d
b7d76ce72d8d69cfca5fcba01ce19a07d1736705
54947 F20101207_AAALCJ zhou_y_Page_159.pro
dca48cf0145da1276497605e00066db3
37325ce5e309cf56b6342df9ee7e9a9c160229eb
54539 F20101207_AAALBV zhou_y_Page_130.pro
60de7f6a69d2f7f085c0234f42bda3be
d206f72798ce8c7ce602fdbb050ebdef24de80f3
F20101207_AAAKXD zhou_y_Page_159.tif
67a104716e0db1d418fa3d38795d0b15
d53992334134bd5efca1930478c4e6114944a675
F20101207_AAAKWP zhou_y_Page_134.tif
456705cb47958ec63d78e030eae8475f
55e62bc8e283ee2b6b1d845f99342c0cae7d58aa
F20101207_AAAJTN zhou_y_Page_184.jp2
fbd71cbbb8339f80842e5668f5d209c8
fc54a833129078025a9ef7bfc4e31e8569181ff7
2293 F20101207_AAAJSY zhou_y_Page_105.txt
7951dedd8a2637b923c4e0c5172bc2f5
11ada5186f842f89500c2ae8f9d09e9e91a983cf
F20101207_AAAJUB zhou_y_Page_198.tif
35974003cad632f9c4593b7070392a44
467faec8462431fe670a56571c18c3b33e36a5c7
59327 F20101207_AAALCK zhou_y_Page_160.pro
83269939a15018b41016ad005819c550
3714543a2b39bb6b8802d56d1f72fc982c40c674
53861 F20101207_AAALBW zhou_y_Page_131.pro
9986b53e3a16fe235aa3fab1cf49fa23
0481caa14c053e55ad7659c34cbdafac9350ded1
F20101207_AAAKXE zhou_y_Page_160.tif
78d849b75f080131d3eb9555161d78a8
769104faaf3d99abe5a6385fe9478693c6e151b5
F20101207_AAAKWQ zhou_y_Page_137.tif
d45e4067c6464a5745ce814239a52df3
abc78803188ab54fe25772ce60ade3f360ca33b2
547160 F20101207_AAAJTO zhou_y_Page_021.jp2
ecd0dca217e9a0efd9115fe00b1a06c2
9210c11bb4705478f29112774bd4281a90f17065
1021398 F20101207_AAAJSZ zhou_y_Page_026.jp2
d7b609241117978050d6acc3f7c87040
b7d4e04a8a244bced2dc51abecdcd6790ffeb00b
F20101207_AAAJUC zhou_y_Page_008.tif
9539118c012dcf6093976972dd2d6e8f
cc79c07a474e067aa19cf74bf9afbe23e7160abd
56022 F20101207_AAALDA zhou_y_Page_179.pro
31870ed1904197b1b6faad8c1073a142
a73595204dd0c0c3aef88a8687af0830ccae00bf
56325 F20101207_AAALCL zhou_y_Page_161.pro
5c6f20131eb3aef27c74f77a75bb1bb0
fb82be169b15fa16dad56335d70e79b8740b1423
51314 F20101207_AAALBX zhou_y_Page_134.pro
0012670f8da010417b4bcfe6e71e8ff7
84db39a0bf20ea3b0893b30ccafa249aa1362ffb
F20101207_AAAKXF zhou_y_Page_162.tif
d3e2563142f92272a57efd821fbf819b
0f2310c188a4c10aeafbf3d739d3fec5864db9f7
F20101207_AAAKWR zhou_y_Page_142.tif
715c5c503acc6ee8d38654c5171858c3
c02f717430cd820ed6912318302c32e4caab6561
81389 F20101207_AAAJTP zhou_y_Page_028.jpg
714d8959860ef24a5212697e7c7c6335
e6a1747b0754e430c1f2ffdc20e84e5cf9129cc2
1657 F20101207_AAAJUD zhou_y_Page_104.txt
df375e6f0e337cfff354d726b88e9b59
9040dbd91b7c0d3967140ec0c42a776f9b14cbe1
41174 F20101207_AAALDB zhou_y_Page_180.pro
02698d415a1b41aa3cbee2d8527286ab
5c4750d30072f2c1552e2af1f17cad580b29ddd6
53179 F20101207_AAALCM zhou_y_Page_162.pro
2252afaa61f8170fcc255da64d2acdb9
657a73b710165e21a905b4939560c741568c824a
30340 F20101207_AAALBY zhou_y_Page_135.pro
16bef9bd314dcfb6b158dcc40a1fb4b7
cc4a7d45e121776d1d021610e1ae6906ca122725
F20101207_AAAKXG zhou_y_Page_163.tif
bb09f2f61bdd0907f413e698473a4779
a6a6764440093054d0b086e13feaab2f539feb4e
F20101207_AAAKWS zhou_y_Page_144.tif
1d43f0f8f3df650aa82f883648e7c743
0d1288edf94ea690a721aa57afa87c14c2cf7c4c
59320 F20101207_AAAJTQ zhou_y_Page_004.jpg
981280ef89e828b8986e5fd0f20f1cf9
16388ada39398daccb6273efec60a85a4cc8f713
524973 F20101207_AAAJUE zhou_y_Page_035.jp2
75968e6ba56e3bd7795e45904cc62d11
e82b491dee0ff4e9d3d49132142c0f5939b75549
36325 F20101207_AAALDC zhou_y_Page_181.pro
205d6485a799c24456780e574ca5c35d
ba7ffa61d01b9e354f632216ad6c81fa2a5877bb
46729 F20101207_AAALCN zhou_y_Page_163.pro
1ba63067c2f7ff9241d7c2c2bf131a41
4c1e83b2827cbb8aae2141dab9603e22ba5024c0
51350 F20101207_AAALBZ zhou_y_Page_136.pro
4741fd75352939df3cdcfccbc34eccc7
caf7ac58f89a53f21e33e40e7f6ed5123b361fcd
F20101207_AAAKXH zhou_y_Page_164.tif
b41c9f77b29f7fd38bcd1c3a554223e4
17bf8ba26fc779885fc9d488fddaf89c9f2041d4
F20101207_AAAKWT zhou_y_Page_145.tif
23203ff1fa4337b0f222bca0f57633b6
ec6ccdba1575d793dd5c500688742db736fc5e9b
29370 F20101207_AAAJTR zhou_y_Page_016.QC.jpg
7420fd4bdc5c1fc0af40199a07cc65e0
2e6c09f9f36823c6b4e0dd5e8bb3d78dcb12a5f0
79473 F20101207_AAAKAA zhou_y_Page_029.jp2
78762ee1ffa15c41eefb24628b1ca526
db48295f296c94b09390ef844284e008cc90aadd
F20101207_AAAJUF zhou_y_Page_059.tif
92310bb474fa3aef32355ca592f06efa
315b8a5f8ec74866d09316c9534eea5d69b4c98f
54179 F20101207_AAALDD zhou_y_Page_182.pro
1d961de5c03d06a7536239e0313fc2da
ffa752d3631f2f4b40b92ba209a1276de2bdb05c
53435 F20101207_AAALCO zhou_y_Page_165.pro
58d4b79e83a3e4f4128b9dd4fb018db8
f50cba6590d9c4782db851f3f69167bd08091684
F20101207_AAAKXI zhou_y_Page_165.tif
c03599321722618644a579fee6ecbfb6
dfa84b879b5121098aa969ac39ecc2bdbaeb4dd5
F20101207_AAAKWU zhou_y_Page_147.tif
8a2d89a391103eb50f08c4453a04f23d
2130bf0747b1e757c46f7814fc49c127660096d3
F20101207_AAAJTS zhou_y_Page_149.tif
6455e165797bd5ef9a30a4bfccf3643d
5794974a5d0098a3a1d37536962dbc5f6722e169
8563 F20101207_AAAKAB zhou_y_Page_201thm.jpg
8a9e1ebb27e841844895b7f1ef5661fc
fbff401f3416c33b8c08a04ffc90a94e9d2c69b9
5121 F20101207_AAAJUG zhou_y_Page_044thm.jpg
95fa7af0807b81f1771cf1b49304483b
9d752c3f38d913309684ae7df016884187d53157
46947 F20101207_AAALCP zhou_y_Page_166.pro
f48e756097337fa9b2078bfa1ffe7ea7
14e8b481cca51fe843ee1484edea3310b131e6a5
F20101207_AAAKXJ zhou_y_Page_166.tif
427cf7da7a7d9de8fb8ecf304c434375
5f6874f51efb8f9d6b0c01d70903f66991154be5
F20101207_AAAKWV zhou_y_Page_148.tif
404d2519dab820946663af4e42f2f8ef
98470c746d31e0b0ddcaae2fa8343d611e75ed56
46305 F20101207_AAAJTT zhou_y_Page_152.pro
6704a0ed933cdb04a6216c6a79379667
d853d00fdd0bdc9a67614134bd4c8dd77090655f
18195 F20101207_AAAJUH zhou_y_Page_135.QC.jpg
6cf726a747e95a193325a438c5d83e91
f71563bafb750914ebe9a3a2dc248516eddf70ee
5047 F20101207_AAALDE zhou_y_Page_183.pro
5a48062136b3666339fd85fbaa902325
b58dc0ef739b80a2a15991849ca35b9bc63c8b87
42235 F20101207_AAALCQ zhou_y_Page_167.pro
cdd78f2de2bd93b71268a2db1a48ba7a
02ece61a81fac5d9d6ae686c9c297fa479487116
F20101207_AAAKXK zhou_y_Page_167.tif
9c7e669bbefc75ff3549797f6a64e3eb
5912ad3daaaed53585453bd6fb3a4cbac7a4a8c5
F20101207_AAAKWW zhou_y_Page_150.tif
056bd5b812927b0bd0331ad63b42bb06
c26756826e0cf37c1989b91286ac5a6bdb356247
34682 F20101207_AAAJTU zhou_y_Page_079.QC.jpg
62d85f218a9492102b98cf4e6d67ebaa
6e8bbbcdc54578a95445d75aeaa6d96aca0d312f
2677 F20101207_AAAKAC zhou_y_Page_208.txt
6c0af82ca29fbea10dbb9bc1e8473386
0f2a11d4e0b5d1fed766e9384bbf293a5e0c701d
F20101207_AAAJUI zhou_y_Page_209.tif
658214c8119a4a6065de7d04e959090a
7a17f22b5c93333ee4d680fdcd4fafa4cb22bc22
50735 F20101207_AAALDF zhou_y_Page_184.pro
07feef6ec21de717c98a6e449f0069ee
2deb989fd614c092bbcccb183ecadc0c07ee7ff9
29215 F20101207_AAALCR zhou_y_Page_170.pro
40b3d50c3edb9bf695a74afebbc18928
023180bdf8c2365a84c952c1cc633d09d5ffa72a
F20101207_AAAKXL zhou_y_Page_168.tif
8fbf370b32c789d34bd5ed6b28a2eba4
942ce7c614f931e3176607ae2e795d7dbaa78a52
F20101207_AAAKWX zhou_y_Page_151.tif
2b582d285e4816c5ed612b105c332fba
dfa1a873d7d3919f4316c2fc128dbee9ffb66cee
F20101207_AAAJTV zhou_y_Page_092.jp2
d67cdd8ed814911687a177658b67be5c
902b1ee13a19ff0f567e4b15c4348643a7a5ef6c
40739 F20101207_AAAKAD zhou_y_Page_028.pro
6ba954743538c53dd33b628b9d47c065
ac167feec685f0f1207845c00c89e1a4fa89aa25
F20101207_AAAJUJ zhou_y_Page_085.tif
0cf9ccc71875ee6423f23e7b997c5056
1f06d3ae5375bc71c408048a4fefd2049ebc0c19
55437 F20101207_AAALDG zhou_y_Page_186.pro
00afbcf6a3fb3217c393ce79269948ff
21bb7ddbf5d6c274ddcccd8f4ae3a05d7ccd5625
49455 F20101207_AAALCS zhou_y_Page_171.pro
8fa657cd8024e05eb4cfccb97211762d
cd08d2117e58a50b9de34f00b48acdf9259cb151
F20101207_AAAKYA zhou_y_Page_189.tif
b5aeb4777fe48507b94b4a5c3bc0a719
0896dfcb4968b325dbf233070e5159ed266b12fb
F20101207_AAAKXM zhou_y_Page_169.tif
a77b949b4256fa8fd98f8d5fe18440b5
9663ecfff9103acc2c3c3ac625cba291c93a2f67
1615 F20101207_AAAKAE zhou_y_Page_135.txt
1d115d5fab48ec0b8955d01b59dd931e
216de0b1f0e566fb178f70c9531b638b1ca479c1
90220 F20101207_AAAJUK zhou_y_Page_180.jpg
47f42b169eade64a71ff2a533f5207c2
0a190d79578607a857c66692d558668bb876d309
51495 F20101207_AAALDH zhou_y_Page_187.pro
78eeb3c40bb2bc785c58652964145617
ab08132f9a3f643370ef236bcbc9771c02987252
55194 F20101207_AAALCT zhou_y_Page_172.pro
5225514981c258f6df41ec37905f5a34
f1ffad453cd29c30e239a429f87da01ea205a06d
F20101207_AAAKYB zhou_y_Page_190.tif
69bc6e91003a1df72fadbd6ec712b5c8
5d074eaeb00b9d99008861e5be2eaa800df8a9ac
F20101207_AAAKXN zhou_y_Page_170.tif
57089ba42f024f13c90ccf7ad24b3272
cdc0295bf8f9a2df47cf6fafa85cdae9691df670
F20101207_AAAKWY zhou_y_Page_152.tif
7ed3506ef4094b0c29463306f9f026de
e5ea672bb6756eb26491948555680cc643c7c1c6
F20101207_AAAJTW zhou_y_Page_109.tif
96f99bf0f0a8905ca09ffe6d9bfd7cdc
7aec755993c200584cb68f0f5fa98a96098dcd41
68841 F20101207_AAAKAF zhou_y_Page_206.pro
f6187af1e461b7f09301e5b948c8bfa2
dd9541da49663163ad9bdd97bf86aed1a2e6591e
109133 F20101207_AAAJUL zhou_y_Page_066.jpg
fdb6af683f0c46379aeae8821334d24c
e3e4cf4677ff24b102ffe2e4aae8b1a6f6eb21ae
27292 F20101207_AAALDI zhou_y_Page_188.pro
fe2fab701be5973f48064cf08141d422
6117eba67f504905b2ee2a1260b2c5a7619d6394
29418 F20101207_AAALCU zhou_y_Page_173.pro
7c34500b6d5c926243571fe5708245ff
deebfe479cdeafe076baed0a78e64e3d5a94ef46
F20101207_AAAKYC zhou_y_Page_191.tif
2f3304f04a11d67db148d1342b0c805d
4621248558da3f0049563e1223004e05e4f94100
F20101207_AAAKXO zhou_y_Page_171.tif
e2275beb22c299cc60bc232ca0ef789d
21664739687f4e02d6a2c825b5f283bc59456602
F20101207_AAAKWZ zhou_y_Page_154.tif
ffaca21c1090ba7b437065f33b5c871a
adf2db31c6366733320448dd3f342e2ea4d5f458
F20101207_AAAJTX zhou_y_Page_102.jp2
524071cc86f77561c3ac57117a0314fb
46bbaa4afc6d2c9bc31875bcb4ddab7e1c5ebb37
1760 F20101207_AAAKAG zhou_y_Page_137.txt
12c437ed05979f0a0adbd8c252da1c61
2fc09dff04248ec1ba5235efe08944378583fd21
109965 F20101207_AAAJVA zhou_y_Page_105.jpg
cc5ff022d489c661ecd51d388de6f4bb
475ff960a4bc7f9116e1673beb05e54abf7524a4
2224 F20101207_AAAJUM zhou_y_Page_142.txt
cb6ac4502d1c0d1ca8f8249ac8c46e6a
7100211ec7dc9069b5ccca68d868b65d2d92b681
43488 F20101207_AAALDJ zhou_y_Page_190.pro
3b56ba9094ff8e56b6037b4b3e879534
904d5c1ddba860437b48cbc5d890b36e80ea97e1
26118 F20101207_AAALCV zhou_y_Page_174.pro
f8c3e7b22c6687f679049a448e91ca56
75931695a3714ad295123f360a81bd797d74f916
F20101207_AAAKYD zhou_y_Page_192.tif
cab9846c09ed8ffa95baa1bac07f4a2f
0c15979734bda855a43675af5fe25b5cb9ee1691
F20101207_AAAKXP zhou_y_Page_172.tif
8171811c7b7b6303ce61592c01662987
85d97126d92edf2a99b057b395ccd76a99661429
32073 F20101207_AAAJTY zhou_y_Page_148.QC.jpg
3e752675cc4033db65e5f8f6d2e08a00
d715370bdec0626cd9315481a43887a6b0be3e72
F20101207_AAAKAH zhou_y_Page_182.tif
3204c2e52621d5a445d416fbbd8cfe1a
c059fdbc2b0278c105611e65164ed34c4f21caa7
89508 F20101207_AAAJVB zhou_y_Page_032.jpg
05aca500fb2344d25d847d2ee68eedc4
ebfbcfba8ba1e9642559054d78746419af3d820b
F20101207_AAAJUN zhou_y_Page_026.tif
09402cc7b83d7421acb3dfdf2d5b2dd0
308858c3c320e133c491ce1f865d997feb6c9287
55684 F20101207_AAALDK zhou_y_Page_191.pro
1dfadc935ccbaf206d0be9da1c9752c7
4be478e685e71d8c225068ab42883868552876ee
49699 F20101207_AAALCW zhou_y_Page_175.pro
327117065e6fb061e8464a07ed34431e
19fcc762758c18b0b6704afbdd4ed86f84bd4c65
F20101207_AAAKYE zhou_y_Page_194.tif
977bb178a942df256905239d93b226dc
eaf3892f8fb0a26063bc6d687f581cdf208d0f44
F20101207_AAAKXQ zhou_y_Page_173.tif
68106f8fe4fc71d54ec0f754d9550621
f1cfb5a3c587938794d137ef48ba75d46beafed9
2338 F20101207_AAAJTZ zhou_y_Page_058.txt
c30a9a424312d3077480be22a6a39832
cc104282b127fc2deabfd8f41dc9c40501bcb18c
31127 F20101207_AAAKAI zhou_y_Page_164.QC.jpg
748029c21b76e88da30a8a23654f0766
31df09e2fa2def656dee849cf1921a0b211661af
F20101207_AAAJVC zhou_y_Page_106.tif
ea24c7d107e1c3edbf5157ae532713b9
be8696913e714785b2f6f6a4c9497f386ff3b846
F20101207_AAAJUO zhou_y_Page_051.tif
a924f3c2882559a9031df619c15e16da
327711d6f1b9a3711c61adb2e117fd7ae24b88c5
1177 F20101207_AAALEA zhou_y_Page_004.txt
8f95cf31d954c2dfa9b0318588144f1e
02a1011a2dbdbbe7e513762e90f3e270475db2c9
32886 F20101207_AAALDL zhou_y_Page_192.pro
546c60a99b8bd3aadebfc6d5667b548a
332767718d8dca3069f5e82e5ac01ecd3d90e706
49038 F20101207_AAALCX zhou_y_Page_176.pro
02459e11b46c7acff3028421e90e242f
25eb1f2915b4f1f18adfdf918acadb575597779b
F20101207_AAAKYF zhou_y_Page_195.tif
e6f8a5a32dabf306c6077ba9bf71b55b
cd6b6267c8e8f865661517712b370509d314fa2a
F20101207_AAAKXR zhou_y_Page_174.tif
98cf38806b15681bf644b65cd5792848
1ee169bac227ae88e23f50ea3e56d7eda2274cdd
F20101207_AAAKAJ zhou_y_Page_076.tif
05410fc0bb586b3869302471900fa98f
e631180c6afda8b6280980e7ca1988ba7a5184f5
107494 F20101207_AAAJVD zhou_y_Page_083.jpg
7967676cd642172087f374e65eb3b715
9d1357c65206292b511b40ac79ac396bc49d892d
86668 F20101207_AAAJUP zhou_y_Page_034.jp2
7a0fa2ff554712b6d0038a59d7485dca
92a23b56116c1b11ffa7da431b4d182437ec3a1f
3367 F20101207_AAALEB zhou_y_Page_007.txt
ab41635b8f56c4667428182712c26dfa
180311f5081a928fcf5427400d143912a2ed97d2
35919 F20101207_AAALDM zhou_y_Page_193.pro
f7c518a78b701396092275fa2c6aeb98
28b506ebb9ae898dd82ea13f091979a2bc69d0a1
41111 F20101207_AAALCY zhou_y_Page_177.pro
64d7581a35e95113b06e46149ae4185a
d220f7bdbc8ed9c63c712715cfe5a59dacc48a08
F20101207_AAAKYG zhou_y_Page_196.tif
b7cc6455da98a097e518f4f8258e95d8
a05b702539806a265201099c03785cee5509a9e7
F20101207_AAAKXS zhou_y_Page_175.tif
1aac43363a8cf64d52a03c42eeeea517
2a0afff35dc4bcb9e0758b738288ccb1ed87179f
27462 F20101207_AAAKAK zhou_y_Page_084.QC.jpg
b2e8fe1a74fb71ffb2217d87444d8a6c
5e5b8df9927201c71750009ce583277a5d19833b
54317 F20101207_AAAJVE zhou_y_Page_051.pro
a1ad7dd6fa9a9dbdbc4a5b4a39678fca
66b6b83aab461ad4182fd6c7a2a46d684622d3f8
79707 F20101207_AAAJUQ zhou_y_Page_060.jpg
e1c9e14f278f1a8b05be98b46f763c21
7bb5a4e6128146b00b643019748f105af41bf3a7
3168 F20101207_AAALEC zhou_y_Page_008.txt
3c1639727594fe4b210ee024c7cebef0
b06c99138a3923e05eb1f8fa28c20bc4fd31b1f6
43243 F20101207_AAALDN zhou_y_Page_194.pro
50a959d327664cec77ff4e5ea853fe3c
95ee0131402b2323bbfa189ee32c761ed8cdff77
47077 F20101207_AAALCZ zhou_y_Page_178.pro
f09eca1b0303d907e3d3b0e693edeb1b
f39f96e82b03cbdc84bacfab6083f8fcb81974d9
F20101207_AAAKYH zhou_y_Page_197.tif
5e1923eb2034b14115efb5619c2374b3
11bd8028ffefc3684322ace94adc2e6be983343c
F20101207_AAAKXT zhou_y_Page_176.tif
6582217809c4b66321e9d215206d102a
ea0deab9069891470048eef59b6f93a20174ad9c
F20101207_AAAKAL zhou_y_Page_178.tif
c67f9ed10296bf59abf4df9bc5dec5ce
69339f8d3c48ba1a4d05b73dc7d9590e71e5ed10
8420 F20101207_AAAJVF zhou_y_Page_109thm.jpg
c8817fa949237d6b060e9b39d04b668e
76d25f97702ac4b359695add4dd21cd7f2cf6936
F20101207_AAAJUR zhou_y_Page_103.tif
7ca1ba164e55d652cdfcce51abb56849
54c222965a3668add85658370425e59d82e78316
27866 F20101207_AAAKBA zhou_y_Page_045.QC.jpg
edcfbcff97827839eadad2e51c3a6eff
5bb16b401a6b08fc6fc967f984cea17f8fedcf71
2403 F20101207_AAALED zhou_y_Page_009.txt
164acd73680edb6ade1d20ec064463a4
352313910f70ba001892c2a30872fab2797705cc
40998 F20101207_AAALDO zhou_y_Page_195.pro
acf2258d74f085bea52087c312da4ecd
d0967d6c92a91b5c67274caae137353f7d709ba6
F20101207_AAAKYI zhou_y_Page_199.tif
a367bdad4fa871162b35ea1b4d243d49
c9df1ac7d554905ba6ef20dae48892f42f170ff8
F20101207_AAAKXU zhou_y_Page_179.tif
6dfb10daabcc701e95ae2705c55cb573
3aaee5133957f95c4aa408bc6fab114303c9b496
54518 F20101207_AAAKAM zhou_y_Page_046.pro
d2f109f2a40fa9d629192df1e2407881
6e6417a297f2c29c3df7326791cb69ff9c78e2f0
55822 F20101207_AAAJVG zhou_y_Page_129.pro
9d079b7ca597c564486cfe4019634ece
3f82db403123db3a41c7e7674dd39c57b69fce08
61205 F20101207_AAAJUS zhou_y_Page_019.pro
a0423a074f9a6d0191c0245453ddf16e
3cb79d3abfa8c4f60f696a3b9b74985d575618c9
F20101207_AAAKBB zhou_y_Page_073.tif
0ae3fdffe14f96addebb0c3e60d27295
ca6819274419a56c55ca697b44b04ccc0be0d6a9
1189 F20101207_AAALEE zhou_y_Page_013.txt
7db792fe8afa1996306968781bb0512f
af24c4403cf6cf80c2e1a8c248bd60887cb00531
49844 F20101207_AAALDP zhou_y_Page_197.pro
faf2b2ac130ff80bab249f24096949f2
7f35f9326f5e87e7ec920990f89ada62e40ea2e8
F20101207_AAAKYJ zhou_y_Page_202.tif
4e038cc1ea8e50b8ab706da9df2dd9c7
e7e642df48c7be2cbdd37b1cbea4024b06748d3d
F20101207_AAAKXV zhou_y_Page_180.tif
7f1a5f4ba787b81110adfc5b9dbe8abc
7ccb84851b4e6fdb251d328ad823a9b549b128b1
59962 F20101207_AAAKAN zhou_y_Page_127.jpg
7e28e9953f34aa9576e137024f6ce7f2
eb1df1c824ab460ffc412989862cf73c6152f366
8068 F20101207_AAAJVH zhou_y_Page_161thm.jpg
c3fd4a7ee3c6449d0e502130b4d9868f
77b38782f36db7e890446f4c7d931e99e3100b75
2011 F20101207_AAAJUT zhou_y_Page_148.txt
a34ba13d43a67000fdabdd6bfdb55721
4ba1365b704d920ee57e162341a801130f5d9729
55005 F20101207_AAAKBC zhou_y_Page_107.pro
215380e4e36d99212bac9f8183ede3c0
34aa6e39fba15e36535abe1174f0f697bb9f3f08
10136 F20101207_AAALDQ zhou_y_Page_199.pro
422cd8e42e7cba45f3b6f1a64fbf8ce0
6e5e2754e2ca433168c0ea7a9c4fb48350431b20
F20101207_AAAKYK zhou_y_Page_204.tif
0066f254947cce458c386f6d9f98bc92
26d2499430a66fcc14923a9685f59229d23fbce9
F20101207_AAAKXW zhou_y_Page_181.tif
cb1677fc542d0baa2db1511b2df4323d
c91d6d729fdf1a71c255cb4ff09865725f0f3cd4
F20101207_AAAKAO zhou_y_Page_136.tif
0e878593d9f7b7f53a4d56d32cba64b8
abf99deab9282126bb31037a748ce89432c7c2f4
F20101207_AAAJVI zhou_y_Page_092.tif
a2e23a1be4c0d0ac35abdcb1bd5bb231
b8d89abf41cbd759cb55fd0b1eed65b1ba73bc49
F20101207_AAAJUU zhou_y_Page_161.tif
b4f2ea50126c45e5483a0d27e075ff60
2b1ae868d8bfbf2e03a2a32a5eb092831bcd7d88
1013 F20101207_AAALEF zhou_y_Page_014.txt
422b03426b03c6bd0cedb97c6f58273a
ecfcf29b6f4a2b6b3b5c793377121ab1970acd76
65723 F20101207_AAALDR zhou_y_Page_200.pro
02f388f4bdbe5a43e8e3eeaf9bb39afb
0b3952f84b71b7753540897844ca0b8a5c30b5a9
F20101207_AAAKYL zhou_y_Page_205.tif
bf87122984b32a169297f4997a170973
953fe6c1f75d27ed66d8257b12d848b894a3cc76
F20101207_AAAKXX zhou_y_Page_185.tif
dc705525dc73ff86059ae6c4e41fe485
8342727b16e9a1203f2c89975c2bf4f6e0bd7992
1051984 F20101207_AAAKAP zhou_y_Page_148.jp2
28264c47f07c28e4e430c786a462e631
f685291141589deba5a69c1df5aaae87db3470e0
134015 F20101207_AAAJVJ zhou_y_Page_209.jpg
9056473b1c33dff4b496ce77f15de628
e364701aa124e1395ac79ca107a6107b82350755
977066 F20101207_AAAJUV zhou_y_Page_045.jp2
0f8a0bc30f40cb1ca2510799221f5793
2a6255bfaa26a634c528b7b88059899635b117d8
1858 F20101207_AAAKBD zhou_y_Page_037.txt
ccee2c590666e3a83e195cb195aa5e0f
4fc7e8b8f84f67e6c13161f5192def00b8f8f687
948 F20101207_AAALEG zhou_y_Page_015.txt
dba2cec07644e9684d72c31265126007
8cfafd2641064dad7eb0717297053f25da0a1f23
70490 F20101207_AAALDS zhou_y_Page_201.pro
fa2d10653e7f6e07059ebcd2297ca82b
af59d85210a971811a52ab1c5a258a393379f55c
45566 F20101207_AAAKZA zhou_y_Page_017.pro
16eaf9aa8ab9e00ada449d632e1c6119
77ad5b69d85bc94ab36d91feacb329205f9b9b35
F20101207_AAAKYM zhou_y_Page_207.tif
23736b9b6d94e174e45573ddec75fc06
6bf7126bc0365a0c0b0e31464e275c92b877dd37
F20101207_AAAKXY zhou_y_Page_186.tif
581eb0c041a37fb0aa7207c9dc9c2ff0
2ff6bd5b6f0cd5295aa19d66c0a27b1abbee10f3
F20101207_AAAKAQ zhou_y_Page_193.tif
1fcb73fd52f0850e00c6370fa868f616
34a01dac3156e18deffcfe3a417c7e1a47e0cc8f
F20101207_AAAJVK zhou_y_Page_135.tif
7cf50ce0150e680442bbf65a0760854b
2ee432b2a2e52149bab187aba7ba6991a257f3fc
114761 F20101207_AAAJUW zhou_y_Page_125.jpg
6f8581072a3e376fd3ceb35e28a819d1
4f5d4e03c492a8756700f6f4ff75c05389f4fb27
8135 F20101207_AAAKBE zhou_y_Page_053thm.jpg
cd2d675fa3b44d3a5d8189b87d6ffb29
108e59d7c9a31e19332e49002423a03e7bae0e4f
2099 F20101207_AAALEH zhou_y_Page_016.txt
4c605f0f1d2ccc43f1371ee51e280727
8df16e7ad40e50ee2e7defe8e27fc8dc76f50406
64521 F20101207_AAALDT zhou_y_Page_202.pro
8b8a8c624347cd880d1e8ce94a955d2d
e7785cd057696b31126ea1d8a627d3418a7b9015
53335 F20101207_AAAKZB zhou_y_Page_018.pro
1571b8d8ab87c0045c56bbbb96d3ab26
f31662e9662e0fa40cd1a702065fd480ba499396
F20101207_AAAKYN zhou_y_Page_208.tif
34d1ca4851a075e5328f14b75af31df8
118b1daa5a46817d1a169ab66679f6f4e02eae7d
1254 F20101207_AAAKAR zhou_y_Page_169.txt
cfeb2a878bd67c5a187bdc75a72e7b35
11c9802b856510e4752b54cfea117d62c722463b
723439 F20101207_AAAJVL zhou_y_Page_133.jp2
fad2e40f3fbf54d54b16672f71fb00e7
3767a15b40b65112879ce7b2d4100f29fd57ccfd
836907 F20101207_AAAKBF zhou_y_Page_052.jp2
c05c0260981c53a355f75feb1206f5ce
a0e6505d6e5e44c862176dbbd432d13e03a5b17b
1815 F20101207_AAALEI zhou_y_Page_017.txt
75eb3b5d4bb1b0787638a5f8f492c024
5bb09da7ad644f48d530daffeb3467a625269df3
65556 F20101207_AAALDU zhou_y_Page_203.pro
bdf9cddb768beb1ad8d1479b0601a3f8
faf7894427c1494e961c91a6bc22578ef8a83b14
58871 F20101207_AAAKZC zhou_y_Page_020.pro
4236ece9dd2ab6ce659d36782d9b1d4c
15c1f574df3193c477645cb66dd366d90638a028
F20101207_AAAKYO zhou_y_Page_210.tif
a5a55d77bee933f03e6f4974d3546b6c
659891cfefca8af69523d60144a9b510d0321839
F20101207_AAAKXZ zhou_y_Page_187.tif
cb953d438ea1e427fef6143ae540fb12
50c33f49c212d473322e667bfacba3bd9c4a6afa
F20101207_AAAKAS zhou_y_Page_030.tif
00c9360436606afa5a8495384f08f679
cae6b67f722534529ba96a483112b07eb2fd5f97
1051986 F20101207_AAAJVM zhou_y_Page_078.jp2
c42e986953b7110106c755debd455021
3550a37b884f7c4027fb506ed5cde96bb88a5272
7253 F20101207_AAAJUX zhou_y_Page_114thm.jpg
da058afcb22cc252e168368e57e9ea3b
cb6ab22ef449e436ddfcda4f999da3454da11c7b
F20101207_AAAKBG zhou_y_Page_129.jp2
533c122255d7856b829081dacdefbd9f
b42d076de2e0ed7424a90509e56f840dbe96b1b8
965165 F20101207_AAAJWA zhou_y_Page_101.jp2
a79f30bfc9f9dfd4c3b40f4eb42300cb
37e077421a9afa646e36cc40cb827f38f946861f
2177 F20101207_AAALEJ zhou_y_Page_018.txt
e9cef126d342191a109b41b3de5196a3
8d72e15132c9488d24070dfff08fbc5fc8c299dc
66394 F20101207_AAALDV zhou_y_Page_205.pro
0f888dd87c09b62d76d8861e0fd494f5
06199f34215f4ee439546529bb0b8318dbc96f2c
53561 F20101207_AAAKZD zhou_y_Page_022.pro
a2fd10307db93d06e61d0ff2478be98d
16633c60d4b7b69bc77de9ab7357a35006b55bb2
F20101207_AAAKYP zhou_y_Page_212.tif
f79259f5f51d470bc4efc559e3fba404
c860cde5b2ae20107b2de17bfdffe2b3f6e638f9
7623 F20101207_AAAKAT zhou_y_Page_171thm.jpg
97eee15e550d62a6223758f693d7c633
90d5970e5fc0d3924abcce342bf5f799445b3250
F20101207_AAAJVN zhou_y_Page_111.tif
64cb13df33c05fdb045b249a0989c1cc
fce7b95700b33be67884dd568d3d3afc36e9f295
F20101207_AAAJUY zhou_y_Page_070.tif
e2fc2f3989411e0a8702641bb4528f3e
adf07a532ad3210c8f3cfbbf4f31f50ebdc22eeb
F20101207_AAAKBH zhou_y_Page_123.tif
b4c3681b6161c8973ded9281884d47ae
498512a55ca041a9a306fb672a027f0a053e512d
F20101207_AAAJWB zhou_y_Page_132.tif
dab35a5966f9867f78a81b90c219b767
b491ce06a3516462dea65063a713e87d74ec4825
2401 F20101207_AAALEK zhou_y_Page_019.txt
3e7a4d200b2766103366b3b9608e575d
55eecf01d8badc250abf6d47c44f0a5e46d5af8f
65961 F20101207_AAALDW zhou_y_Page_208.pro
0284370a021aed6bc38740d0fad4e05e
c73a55f549938c336823a3d20b2e0d09c1576408
56988 F20101207_AAAKZE zhou_y_Page_024.pro
3a19270be68e2df319c73a1eb0476ffd
98e094c2fa07390387c9580787af525db1dda53a
F20101207_AAAKYQ zhou_y_Page_213.tif
3c38034314d2dc96817a94ec1d163d69
09a061d22d533e2846469c96375f138667b91be5
19184 F20101207_AAAKAU zhou_y_Page_127.QC.jpg
5a38f847429bae79d9e91f53c3ff82e4
49614b061788495717ed45af47e4605edfd6c2af
34090 F20101207_AAAJVO zhou_y_Page_118.QC.jpg
0297059987b98f8905b5314f35fd138b
2cf96a1043ce4deffbcb81f2663e66ef45c8a08e
31848 F20101207_AAAJUZ zhou_y_Page_168.QC.jpg
826aba27db961604a519f3453d8006eb
65e02818fb5d7b8d3af3d231f0569f2a47229cbd
1051964 F20101207_AAAKBI zhou_y_Page_110.jp2
77405df54b20525a5248a4b46cf4b194
a5e26a25d57e9077f2e5bf97c7d424cc2fb7bd70
16889 F20101207_AAAJWC zhou_y_Page_213.pro
ad599d72c40b46aa41e1118df578dd8d
5f1106bdea7d7116c539ced94f9a57ceb319e9e4
1659 F20101207_AAALFA zhou_y_Page_042.txt
375192a68056e381f248ca6f5e817f9a
24147440a2360fca2b920f8d1f96259eb480f42f
2311 F20101207_AAALEL zhou_y_Page_020.txt
5cedf2b2433beddbd32b06d77f3f5b87
254682737e4930c5339ea6debd9795d95c393cfc
66544 F20101207_AAALDX zhou_y_Page_210.pro
35d27625add56ad3e0a8a3f75885f5d8
634edd91662d5c6dd22dca79b18c47df82704993
52945 F20101207_AAAKZF zhou_y_Page_025.pro
4c683fe3457b44c784941814a9ef8d8a
4580aa362f037b05fdfc3347ca09fd45b6a9bb1c
677 F20101207_AAAKYR zhou_y_Page_002.pro
c5f076962ab8e02c5322a0b8ead9f052
a1322623491e981f2a702af3821cd88ef7ce0464
1761 F20101207_AAAKAV zhou_y_Page_194.txt
cfd6839cce8d52338953bb4e47f5af98
56119f478a443b4a266d77d672cc851c8d8334fa
F20101207_AAAJVP zhou_y_Page_035.tif
ee5362c988b28b82ef4cadb4616531f8
b06826372d1a6602da0b77b98f45ab01120086df
F20101207_AAAKBJ zhou_y_Page_127.tif
25935faa4b3c3a2b4b52c9442a05aff7
acd6d2ba127102a1856c6e80521a79d82f431516
53433 F20101207_AAAJWD zhou_y_Page_021.jpg
d6dac57c3898b6a176440c8472107e98
ae0e140a9bce4c120cd65c6b532a956e1f9779cd
1904 F20101207_AAALFB zhou_y_Page_043.txt
b08e8ca9f8cf3814409e48ccc5ec37e8
965b8abfbb56d9ffd9f4882b8cefcc7076cf39a5
F20101207_AAALEM zhou_y_Page_021.txt
34a262ab48a46970fe33e4d9b958145c
e4aa81a9a2202053114b56550fbca4685118cdac
66268 F20101207_AAALDY zhou_y_Page_211.pro
739e830b039444ceea1eeaa31cf67131
dcacd5d338cc56b1ee44decf2253553f5d55e0dc
46390 F20101207_AAAKZG zhou_y_Page_027.pro
50761c237386991c0816c8046b0bb0b5
f59127b56afd22216a6427c6ed35e5f3a209dd34
28311 F20101207_AAAKYS zhou_y_Page_004.pro
b272876f0d033b66d6bce986e16e13f7
cb44e093546f4b37a26bb1c9844c1992806d67ba
F20101207_AAAKAW zhou_y_Page_130.tif
c2a89d51085d3e6d899d79402b7887fd
574f0adec42ce7371566a455caa95682054c4237
58687 F20101207_AAAJVQ zhou_y_Page_170.jpg
c866301847e130192ae4c8931736b0a1
77bff1178aa0eded62bcc67e37d0cb52d2fda44b
7130 F20101207_AAAKBK zhou_y_Page_164thm.jpg
d770b466abb25297dc96372b8ca6f233
951d0d9d8099daeee9521cd5f3fe6963143db30b
1051963 F20101207_AAAJWE zhou_y_Page_067.jp2
0ca1486735e8d6d6653ff988086c8ce6
16354164e6ff58d3dd76c4ca8bdde751ed2d587d
1215 F20101207_AAALFC zhou_y_Page_044.txt
98f80dd11489fe9eac730d6470013c50
441acca13fd2569de242b9d86892b362bc1399ca
2398 F20101207_AAALEN zhou_y_Page_023.txt
9d30beabe868afc981b515c9b5c4e206
3fe3bab017b5b2df8b60778faa854769e1c0ef5a
404 F20101207_AAALDZ zhou_y_Page_001.txt
65c748416868e5e3d60e1eb59bd451d4
3f8062f64dd0a62e6edc7603b8ea59952bd23285
39573 F20101207_AAAKZH zhou_y_Page_029.pro
37fe056ed9cfc0cb5249140993c47249
baecb801f971d08d2fdf4b0de7def16e33cb0f7a
61537 F20101207_AAAKYT zhou_y_Page_005.pro
bee3eabb67600c2643ed310b3173165f
b88d5d4998444e04efd61cf106af2447f67868ee
20571 F20101207_AAAKAX zhou_y_Page_170.QC.jpg
8072b809833ae6e7f2e4e3f87c077c1b
cd03b63d4c4e3cba45f755e525f8fb5f39da2835
32937 F20101207_AAAJVR zhou_y_Page_165.QC.jpg
204d76a9c7a0d531f91245c30ffb20c7
04cdced2c4a4a1b1b25f6694b779cf9c9e8668a7
18556 F20101207_AAAKCA zhou_y_Page_014.QC.jpg
e3dab3cd19d2aeeb3df29c8730f16f5e
0d4c480bff993472ca1ee9292478ffe040c97008
1837 F20101207_AAAKBL zhou_y_Page_061.txt
6bcfa015016fbe4f6467fed2f5f3a9a4
d021fb507f8a39a971c2962953c1d7532a18919c
56381 F20101207_AAAJWF zhou_y_Page_054.pro
9a3a6a32b669b8e061a455c54152ac72
9d99bd609f910d24f0cc89dccd23d0ae71b454ab
2155 F20101207_AAALFD zhou_y_Page_046.txt
39f3c0b74a3d6f12f17c2e5e2c8df4c4
61b10649e9b3b9ffb87e209e5f24be5e1acc2ee8
2094 F20101207_AAALEO zhou_y_Page_025.txt
69e9c2f441379f05d59f1d5d5c14ac7c
fb5cff60c98392e155cd32d1ef1900c21da1bfd4
54233 F20101207_AAAKZI zhou_y_Page_030.pro
2ada935f324185d6790a7ade261aa9ed
c98546908bc40d02525545214490918e4c553d0f
75418 F20101207_AAAKYU zhou_y_Page_006.pro
0966030319f6edd034fa87602fae9f4d
703b44f8d1e5b6d82e3e6c7058ed983043af4f8c
1051895 F20101207_AAAKAY zhou_y_Page_116.jp2
e4cadf81771db47277ab23efd5c5b48c
172806768ac3d147ae38694d4a5b65cc4a9c9709
104980 F20101207_AAAJVS zhou_y_Page_131.jpg
8907c331f8bc902cd6ccebc7fe34222e
dd6195c655732b693342f69e9cf859f8b9d8886b
F20101207_AAAKCB zhou_y_Page_081.tif
b83b01dd1a42ef7faec7522bae66359c
3fd4db8d375ec8f51d29d605b96c6158a37caa53
7895 F20101207_AAAKBM zhou_y_Page_125thm.jpg
3692b04bdd10b1b9d00c00958bee9de5
91755ca5f83cdb20c2bfc15a67791554d80aef43
4681 F20101207_AAAJWG zhou_y_Page_038thm.jpg
b2ea5a2fba87e93ef285ec721a3610e4
a8b424104560a749ed139022205d9c2689b1c1ad
2150 F20101207_AAALFE zhou_y_Page_047.txt
d10314aaa250511ee978f57f63b020ca
c3aba97fa1b95ded3c4598160b63d65e6de0263f
2035 F20101207_AAALEP zhou_y_Page_026.txt
44083c2c19f33143df55c6b250d62d3d
2ec1908a3f99033c11f91e61732361ffd5d3e8c3
45168 F20101207_AAAKZJ zhou_y_Page_032.pro
a1e6e3e2f7af8339ed24915ce33f15e0
cbc2681d0b0ebd18157c46f203a7b9c691231b5b
70529 F20101207_AAAKYV zhou_y_Page_008.pro
d4fc8e498fde4e2b6b3b323a574a3ae2
d66de1132e265c04402e0699fcb140dd9cee3aeb
2272 F20101207_AAAJVT zhou_y_Page_024.txt
c9931b491141811571411cf2a15c5b97
35ad9451a03b1521c71569eafa67ff8ee3515f9c
4264 F20101207_AAAKCC zhou_y_Page_011thm.jpg
4e9595877bf567fd7e68d516e50d98cb
5dfd4fdc8e37ac8afe8acba993bdfac4ea701d71
36805 F20101207_AAAKBN zhou_y_Page_123.QC.jpg
3e0f2b62168d3a3659b4c6d9bf9fef9e
9904145f40be5c9fa67426f8532c1bc7f8da8d0b
1033266 F20101207_AAAJWH zhou_y_Page_096.jp2
e63233899be2fbad0da5eea3b9dfffc6
91c7e5280f9c0fa8a012f088b3076cb08a0a8f48
F20101207_AAAKAZ zhou_y_Page_105.tif
771df1ea95a07f44f977a5e67304a97f
af79edac3ee25c03b836e80c93b627d517595615
F20101207_AAALFF zhou_y_Page_048.txt
a8d5a95d0358e7d4c82a547938463e1b
80c36d403b4bb64851177de61f37b26c2f30f183
2015 F20101207_AAALEQ zhou_y_Page_027.txt
5186bf9b3ee0fc36559ce9fe090a6b6b
928c63d8945bcea9b32752c885100dd26a627480
41565 F20101207_AAAKZK zhou_y_Page_034.pro
8a431377413934a9ff4f4ed3017a8c06
f583b870d86e8ddcaee39132b3124c65bde99517
57005 F20101207_AAAKYW zhou_y_Page_009.pro
86b19a1ee23ad5ee6171a6e47a223c11
8feb12b3b43ee61f163eba7b7d7aa85ced68a9ae
97651 F20101207_AAAJVU zhou_y_Page_178.jp2
b2a6a475c7cd0c9a18afc88882696bee
48abf5695a539c863903a7408f8bf6d3519df6e2
26191 F20101207_AAAKCD zhou_y_Page_212.pro
5b167d4dc2d8396724297cf625b3a1f5
dc619a8c10ae7d3643ea1bcefe65a953d995568b
1192 F20101207_AAAKBO zhou_y_Page_069.txt
d120ea14ee61b2b14ed69b2bfbfd9b45
54acdb56124290370df742dfac4f6d7373948753
2639 F20101207_AAAJWI zhou_y_Page_203.txt
25b67f3d93b178540eeda8240bd64938
82794378148b8d8358977d3eb3d57f16f34cbdc2
1822 F20101207_AAALER zhou_y_Page_028.txt
7711ee7884d10603c30fde487d10cefb
c7ac161db9ce5ab70164922d54da8deccd856220
22457 F20101207_AAAKZL zhou_y_Page_035.pro
86567f98a9a23ba0a23bc85fc7f18f2e
86f48695113ce9b0e8624d91e49b60a85f54e3ac
6179 F20101207_AAAKYX zhou_y_Page_010.pro
33212c106da3c2326fcdadf18aaa6762
3c0b60292ab19df4a123893d60033fb02477af21
1808 F20101207_AAAJVV zhou_y_Page_064.txt
57d2dff23f3e38ea9738746f2a466dde
23ca22672f3651ecb850e33ac312021bddb7f0c4
1838 F20101207_AAAKBP zhou_y_Page_149.txt
e4ff16dc7e1b7006c07255075c76c650
22e9da3a9e838d73ad65436501d3d38d6be9e6ab
1739 F20101207_AAAJWJ zhou_y_Page_084.txt
d8959bb063be818fc62b8a4a80c48cef
2c533e5709d08c27e92bdf0ecd429f4d2f768338
1744 F20101207_AAALFG zhou_y_Page_050.txt
59d735ac8d0ee6f924e62cc55b9ce1a0
7980e3e66e01b68d9b38a38ff8d92fa548402044
1868 F20101207_AAALES zhou_y_Page_031.txt
5a9dcf5704f846274282f6e6aa105dfe
001bb1a8b0128bff74d8e429da7ea3f540a32ec5
23678 F20101207_AAAKZM zhou_y_Page_038.pro
aa979cb8ab3ea103243ee48f18881095
d1beae656e0bf1c92f4cc0e340ac14e25e34e6bb
24834 F20101207_AAAKYY zhou_y_Page_014.pro
e1947246f80604949c1082c6490c1811
d948515bd06a038f5f06e920bbd5ed192e6f36ef
6012 F20101207_AAAJVW zhou_y_Page_103thm.jpg
2a6c36e5f9a4cda564bffa9106ae224f
df57cc006cbfa4e33abc585318ddfe9506a5c642
1990 F20101207_AAAKCE zhou_y_Page_178.txt
8c3b146ab10b19f963af8a1323e0f00f
09a4e9106f1e1112e63220924f0a74ca7ba92302
F20101207_AAAKBQ zhou_y_Page_038.txt
1e8069a65d8c1fa72f5e616ebdbdae5f
08cb8664619634f3b9669175245996285021e880
82 F20101207_AAAJWK zhou_y_Page_003.txt
93db98479f883e8d06a5f9d6dc81cb44
4ae0a8510b4f09ed4694aebf511d6a96f5cfdacf
2239 F20101207_AAALFH zhou_y_Page_051.txt
063a6c5bb77b983bc00367c8a1fb5a12
0edc2d782371120c2b36d4020e353db6c4f4de10
1928 F20101207_AAALET zhou_y_Page_032.txt
39948354fbb55c88e21328f685419ef7
748cca56418b0b621a88a88649953ac28f0aa0e2
33386 F20101207_AAAKZN zhou_y_Page_039.pro
5dd50238a6430535f14db481b14ed819
abc074d5b5298231859934315509db92c79811d5
23019 F20101207_AAAKYZ zhou_y_Page_015.pro
57f4802e6864b684637bee37b262bde9
70cfdbb387080aef8a8882e9547256c48e24c809
51598 F20101207_AAAJVX zhou_y_Page_155.pro
05dd938235200a94e7f93b28ac2a43c0
60914caebe554d30838fc5b61fca7bbfee5c1210
48132 F20101207_AAAKCF zhou_y_Page_026.pro
9454f1a3039e0b808208093949eaa1a6
ac94c638a4803b5d469ece3c918c160df2e270f7
47541 F20101207_AAAKBR zhou_y_Page_164.pro
561d408e26297d4010b2a4651f37552b
c5e189553272e29a92600a5558d896e059a36b96
F20101207_AAAJWL zhou_y_Page_153.tif
0b95db868dd463a17a14556a00fbfe8d
29b24733056a78891b99d3c1d338b4611a09c26b
1872 F20101207_AAALFI zhou_y_Page_052.txt
28c5cd878afd04483e226d2270ffe397
69e56c49a2f35630ac55e831790f4c0f17e3d183
1212 F20101207_AAALEU zhou_y_Page_033.txt
0112792691322e583e92b55889cec027
8ca6594ef55060a29d7ee812120cf4a79d327cd7
36595 F20101207_AAAKZO zhou_y_Page_040.pro
06f7872d0c5b3638f5e2030aa65cdd1b
4c300caf9c1048304959ce3080953ac955e51e40
26219 F20101207_AAAKCG zhou_y_Page_034.QC.jpg
b9ce5c2d8710b2b5a7ce7566c16e3b0b
f2ccda74774c4a5833e90fdcd3ea91feb1728142
128137 F20101207_AAAJXA zhou_y_Page_202.jpg
fcfe605d788c3a2da2f1fd99d9984118
9b83ac572af920370d953b71835ee2787b83a4b5
2373 F20101207_AAAKBS zhou_y_Page_123.txt
58d24d701c36ce517d3461f93cad8cb6
af4d9332d469f7ffc0ba20a551fd50028cbe2d07
440 F20101207_AAAJWM zhou_y_Page_002thm.jpg
761bfc9f4419e3ff6e47f4d281dc0016
f69c4d5eaac3d0254b7f8056ca1939e9f50b5ec5
3104 F20101207_AAALFJ zhou_y_Page_053.txt
688f456d7a7b14a068b27dc8e43f01ff
3f57b3abe4b4f4869ef0e966b60f0d0d64a09fdc
1788 F20101207_AAALEV zhou_y_Page_034.txt
ec04658b22ffd4cd2f85cd01041a1b3e
2e12c4368c3d4dcd43eda9112bbe6aa48efdc92d
21287 F20101207_AAAKZP zhou_y_Page_044.pro
9dd71501ac18bb1d5d7b37205e7eaad4
71a6dc22b151b2a45c7af54c76c6e22520848b7f
126314 F20101207_AAAJVY zhou_y_Page_200.jpg
d46187215b7e93f3122b48e07c80a698
e8450a4e07576dd48e2f84beb78fa72e57011ae1
48414 F20101207_AAAKCH zhou_y_Page_085.pro
2e762c3848f4a1a70d371d891e7a360f
1ec51d1a23997b1f224c083427d4fa8c52c1cbe6
2297 F20101207_AAAJXB zhou_y_Page_062.txt
68d49911de05a58f85ee5352b2ac17ea
e81f4ec113266dc662e680e8601e7dc343c4f638
1963 F20101207_AAAKBT zhou_y_Page_081.txt
b937aa1c6b27736b77b1464ad6c31420
27e09f395a2277f67e3c35574959dff9895c2428
6459 F20101207_AAAJWN zhou_y_Page_188thm.jpg
1eefe3613dfc7208533430b0781885ea
04e080ef88b30a510c8bcb3d4859607c57f18c18
2231 F20101207_AAALFK zhou_y_Page_054.txt
001ef1c6c65ef77fbef84c185876be18
16d3a05ec2c791b9954121d8a7d0716922353df1
2196 F20101207_AAALEW zhou_y_Page_036.txt
c29bd3410eb395e040eccbf145a5b25b
777a28cd062223cfb8f2c538836c1838e4084b2f
45106 F20101207_AAAKZQ zhou_y_Page_045.pro
4327af2facf7f85f3355acf54dc0c5b2
2455c847486750e1937080316446a17632a43168
33165 F20101207_AAAJVZ zhou_y_Page_126.QC.jpg
09a6e3a97ad6114aeb30c8a1da79af27
7c7c85b7667761d6d464ae31fc76a164fb8e969c
50930 F20101207_AAAKCI zhou_y_Page_132.pro
0f9f4a3ea010c2a420b6d3df08fca35d
85b1b4f215b9c0214bcfb6d045e6c25ae0325d83
2136 F20101207_AAAJXC zhou_y_Page_128.txt
5b608539e8e20133671d958b62d4320d
d69e2812b2335ab1f868839b87c009217571f17c
F20101207_AAAKBU zhou_y_Page_119.tif
a803bcc2960899f7fbe2aeb06b06375e
1619d3633173a071b4a41977a5682f8a98d3d0db
F20101207_AAAJWO zhou_y_Page_090.tif
aef31f210321653368d1a1992d926ac3
9edbf61f5afd849eb7c42f330006ab7c0d80f53a
2044 F20101207_AAALGA zhou_y_Page_088.txt
da31bab9701c2f0705c356ee53368ce6
b677b2b0fe4518d382e982397c48468e88abc7eb
1969 F20101207_AAALFL zhou_y_Page_059.txt
0d5f5be815eb5c4bc5913ee9f843e95f
274b6d4153ce136e5159578b22ad8550a44f5ed2
2057 F20101207_AAALEX zhou_y_Page_039.txt
8176f5b00d19c825af5df0740e7ae420
f473bf986e42874d77c0d4c7ca01c9e57cee913b
54588 F20101207_AAAKZR zhou_y_Page_047.pro
e4c71c0a15c9e1cc390f401a5d05343c
93e2e39cdd2f00315ca3fe74b446b4b2659cf85a
6732 F20101207_AAAKCJ zhou_y_Page_043thm.jpg
464b7144f0332904e0305e9010f784b2
7c260c77802cdcb9cc0360bfeac19e1a9a3cc97e
55389 F20101207_AAAJXD zhou_y_Page_066.pro
c499b09acb6443af3714c9ad53b3a2dd
4d2f291e1867d2d0ecc9a6b60af44f9a5c94ce39
2065 F20101207_AAAKBV zhou_y_Page_134.txt
f6379fb59cdfb6c0e13618dabb01a1b6
a1344d050cfdcf55201a2a380cca321cf09492c9
55480 F20101207_AAAJWP zhou_y_Page_105.pro
1fea5fd4719845c446c141d8171b97d9
60517664165a257685bee3c54e9ce2dc9a722a29
1150 F20101207_AAALGB zhou_y_Page_089.txt
439a21c78d5566d9bc724b4bdf4cf52f
e21e122e96c4650433e5451f8d283d12756b020c
2366 F20101207_AAALFM zhou_y_Page_063.txt
1b47d1ab36f80e8ae089fca5dfcb964b
136ecd90e73557dc112359a89faf66409cf3054f
1753 F20101207_AAALEY zhou_y_Page_040.txt
14610bac4363cf0a2376a03f9f68c13a
bdbb34439b8471703e62fc6ae1a98b4de65910f5
42699 F20101207_AAAKZS zhou_y_Page_050.pro
40adaf0c88bd9610817d463f54875d88
7ca6822b0cf866fe7c3159be976005b01d8ca010
105694 F20101207_AAAKCK zhou_y_Page_138.jpg
e424560384b10e5b88fe5fb1caeed8ff
4ef670a72d6e0c58c07e61edb867d1457f8678c6
F20101207_AAAJXE zhou_y_Page_082.tif
8b2aa194d49abe7142f652cbeedc7a92
720765fb42d4e5263bdc72cdb1d2b316c77c2e00
50401 F20101207_AAAKBW zhou_y_Page_198.pro
3bf89e0c38a189f4b23124eb55b6a999
79b4f2a941b0233a7cf012bad0c0d20418313498
F20101207_AAAJWQ zhou_y_Page_002.txt
f7ca94a4020a8f0fe66f65aaaa63b95e
0f97359d063bc398c3ce67de16aa7b30217b36ef
1055 F20101207_AAALGC zhou_y_Page_090.txt
c313a2c044d63c5d516f29987756297c
a66df5f4c0827666e35550bef658e6a91f8e5ec4
1953 F20101207_AAALFN zhou_y_Page_065.txt
30ca866095060be2e2a0dfd36a66b413
9351a1820f88e7a222837e336fb28e033b6e3496
821 F20101207_AAALEZ zhou_y_Page_041.txt
9886ea8f12efa3b03f39cd233140e0d6
085fd43f001870148430cd4c8beea08374375fd2
76933 F20101207_AAAKZT zhou_y_Page_053.pro
9e88e578cbeaa5187e39bf27323653fb
80510f3c58540dc563f9085729ee16fee9c0bfa2
2018 F20101207_AAAKCL zhou_y_Page_132.txt
5ed1c9b4c99107a943471e1a8d9dead0
4e77d6ddea34b87c327468b2df2a9fe5b2173642
1567 F20101207_AAAJXF zhou_y_Page_193.txt
240572339706460d83318f5ca6ea1d88
a0e6090b225350ceee02d91fcfde5b8819865efd
882472 F20101207_AAAKBX zhou_y_Page_167.jp2
d34587932787094090355f7e45797489
470347271391a88e8656dc75a8976ed0c41ff7ad
85974 F20101207_AAAJWR zhou_y_Page_095.jpg
7d8ba04eda7bad17b431031034225c2f
4b00dd01531daf614abbde01ecffe6cd4a1c954b
36199 F20101207_AAAKDA zhou_y_Page_144.QC.jpg
867663f9551722375d10884e3dff2529
9befde9a6ff6a02e7666fd6623259089458efe9a
2214 F20101207_AAALGD zhou_y_Page_091.txt
6fe0f056473ced2b1bf83652da6b4707
86def703041235cfa95f805227708e8a619dd423
2241 F20101207_AAALFO zhou_y_Page_067.txt
e3fa6b52194964f0c91535ae90cad524
b9f7a49c5fd420dd6bcb528a112e56a208fc8153
55135 F20101207_AAAKZU zhou_y_Page_055.pro
ea0791cdf1c560d01f7c98d66a364404
e5c8a910052d48c82481f817675cccfc1af40a19
2163 F20101207_AAAKCM zhou_y_Page_079.txt
833587fc90d0fd3d3f0b9e60d586df42
a9d0cda81a2ea8cd2f01b112aaee2678c6e3e0aa
6318 F20101207_AAAJXG zhou_y_Page_017thm.jpg
feba5806b59acef1b1fef07b0825f849
d1ac4dfa577b9ec9dd5421c7fc2bfb4bb016e527
F20101207_AAAKBY zhou_y_Page_154thm.jpg
b4d784c4f8625e79e3c2efb3c8649863
76a87fcf364d9b7dcc84a86e9f2bb1b1f72c32d7
105201 F20101207_AAAJWS zhou_y_Page_030.jpg
0656f0d17d351105b39c42242bf33c98
90f80430ee7352d3eee9176ddc6a586774b9a558
87151 F20101207_AAAKDB zhou_y_Page_177.jpg
592930d8e84e2046f13889a9c538ee62
1ed82991ecb8c6a59e3dabb83454b1a86ddfc822
2365 F20101207_AAALGE zhou_y_Page_092.txt
69fa9ded7a404ab0b07d8b86b80dcdf7
4880692f30445934ca02280c4eb7312c094057a6
2201 F20101207_AAALFP zhou_y_Page_068.txt
4bff51bd0ad9c11e3c4a5b6669e292de
febe54947dbd23fadb19bd7a5510042357ed98fb
59884 F20101207_AAAKZV zhou_y_Page_056.pro
cdcab156e4a2d3d5e9061427979afcd6
4a2c093575c66e317d0799344debb80f4b11df53
F20101207_AAAKCN zhou_y_Page_057thm.jpg
6bc6641e791997f41bcd40262ddb01ac
db2778b045fbf1076ae3a4c28cae269ff74d9b4a
36054 F20101207_AAAJXH zhou_y_Page_141.QC.jpg
aa76d25c6ba6e7f4ac47fcb0ea79fa75
dd0e4ada74383aaa01a58cba1a0f9106ad3e1009
91939 F20101207_AAAKBZ zhou_y_Page_178.jpg
d11b5a3de81af0ae5e282f096dcf2585
a9ed9523e6fc72d4258bdc3135f614c7c26aa53e
7686 F20101207_AAAJWT zhou_y_Page_055thm.jpg
c5ba91f1aa72ce0205dbead29497e945
6de6a2ee385ecf65b0bdc9985ad7eb7d0a9c8744
2085 F20101207_AAAKDC zhou_y_Page_045.txt
3e789a8c92d25d0b6a13fdbc4d594566
d70259f0c1d05d09e68263a6e2b6a2ba2c74c2de
2185 F20101207_AAALGF zhou_y_Page_093.txt
c215215791604025dd30a85b067fd02c
6d3e7cb41282a988d30b972914f2bcb1883ca2b2
1072 F20101207_AAALFQ zhou_y_Page_070.txt
0a2ca5b743ebf8641d44cf3e6b8dd4a9
b64115aa9915940606f7e5da85951fcabe812a62
63821 F20101207_AAAKZW zhou_y_Page_057.pro
47cd792f550aa1cf0c48f118cbd2ca3e
3cde409088e96970443e6f004fa52f3f40feb7ad
24414 F20101207_AAAKCO zhou_y_Page_169.pro
467e37a8a4385f0f172b8518c7904d03
34709166e391f4a54cd7e9edf97bba339dabcd1d
1051970 F20101207_AAAJXI zhou_y_Page_009.jp2
81608ca34757a192f2376883703ae246
51d9a36b4bd3adee4c2b852129a2c8e199ec823a
6762 F20101207_AAAJWU zhou_y_Page_060thm.jpg
c66654b30e233239b74f3208f949fc4f
bf0c6daf76b301ca6f9f736e5029038022909f9b
108582 F20101207_AAAKDD zhou_y_Page_155.jp2
b9db8ac3c5f10b6b663b713a4b681f55
24dd91fd8cf223aed998cb25b4c32c405b5afd5b
2131 F20101207_AAALGG zhou_y_Page_094.txt
17e401d80421adc500da3755d0e2d6b0
5ef37df52070b1d31135011c55082c666ec524e4
1993 F20101207_AAALFR zhou_y_Page_071.txt
42be16fd11e6976eddef8fcd16f55f1f
aeb23c6792ec701afd35306f1aeb75a2a744cfb2
58897 F20101207_AAAKZX zhou_y_Page_058.pro
dbe9e534ab9b0aa3219e603e3e082816
a7e0d5ccb2dd026b74d6becf416748afc8c32bcb
50251 F20101207_AAAKCP zhou_y_Page_151.pro
eb05f785c2fe7ebdc65da4b5ca620a39
0ad6680fb20cc7ebc92737f4c59e50f234125603
67920 F20101207_AAAJXJ zhou_y_Page_031.jpg
f2cbf57110a2f0f3c1fe7e4d9d73ea74
b3d405d572e3719939620d8b9645043e93dce0ba
F20101207_AAAJWV zhou_y_Page_012.tif
e69907cdc3c54c9b48717b133fe46d55
7430f6c6a8701c048f109150d2767225572188a0
633 F20101207_AAAKDE zhou_y_Page_076.txt
9d707ee0fbeea15b9bbc6a2bf309dc79
1f65d4483233be92c8f5993d1223faa74ab6f23a
1637 F20101207_AAALFS zhou_y_Page_072.txt
57c342de2e3de473b6c3e6e482f4023c
2f4b4a3eecb76a877151bc90716c6290a4633245
46753 F20101207_AAAKZY zhou_y_Page_059.pro
4496624f03286f8199df078dacbb8a27
4fbf2d4bbec4225874f43ebf333562b9cd04905a
13481 F20101207_AAAKCQ zhou_y_Page_010.jpg
fcbb90b5615e2d369f8d8bf4bda61c43
a88a35fe7b5699ea430b3ae04d940cbaf4ba80f6
F20101207_AAAJXK zhou_y_Page_022.tif
7d5b971e05a9606cb4c18a1f721d8b88
5081e07cf56813a07cb5d1c041792fe601692e1c
F20101207_AAAJWW zhou_y_Page_074.jp2
096fb18a0dea7146acfa6f950db348d1
9b0cab0125bd9caacfb96cb34c4a472779b425a8
2153 F20101207_AAALGH zhou_y_Page_097.txt
c202f32892dce5b390f11a4e3da523f0
2383d103c78c32654709177028a21ea988f7ccd6
F20101207_AAALFT zhou_y_Page_073.txt
42446d7910912d227cfd6f1c79812fe3
39e0e8716261a238917f0bc24ff2e842a394a0c5
42651 F20101207_AAAKZZ zhou_y_Page_060.pro
bd9a3bd0321dc7631ebc734f9418a6c6
f571660262ad75323678b99c58938d2f8c7bd1cb
8263 F20101207_AAAKCR zhou_y_Page_200thm.jpg
9ae810b3a8a9f21ed748706b0781de77
5f6a9ea075c15476e88fc475f264165073cbcb3c
34104 F20101207_AAAJXL zhou_y_Page_179.QC.jpg
07ad182c01353428f12e3782be4f67d6
5250d4a3a417b3b92f802508883445ed02d3852b
8103 F20101207_AAAJWX zhou_y_Page_046thm.jpg
5a7e671d1f722da51aeb8fccf290f58c
f1003e10aa81fbb10f4d264353858d318ba39fef
66889 F20101207_AAAKDF zhou_y_Page_207.pro
ab88647092bc9bde4358ac71fa6356a3
b40cd22607ae4937159431eaca6fa4ccc3f9acab
F20101207_AAALGI zhou_y_Page_098.txt
ade6673f811cc87d01357865f0fc833b
9f4c54330b66166c4f5521f758d337b83da2677f
2377 F20101207_AAALFU zhou_y_Page_074.txt
ade7d1468882ba001f55b5f36afb11c7
169d45048c3a82798eb596f1deca1655cf2b8005
1023266 F20101207_AAAJYA zhou_y_Page_194.jp2
5e9c3c8fccd1dbeddb7f75de4abc67fa
a46c2d574db7dfa725d451aab45f3abae66a4e16
2390 F20101207_AAAKCS zhou_y_Page_056.txt
82c0b7018282ca54ea9f2f7cc9b48cf1
98df93ed832d56cbf9aa97dc5412fc8db6f691a1
22288 F20101207_AAAJXM zhou_y_Page_072.QC.jpg
6c437f078addcafd8c480e7b9ad13f01
f4199bd50d9e43bae57e19106ba5040d386bb547
28431 F20101207_AAAJWY zhou_y_Page_073.QC.jpg
b715b1250f8140d60c4e053d93b733e0
b8aee0d3731d99fc81ebb4ffbd0a011ffd4796a5
F20101207_AAAKDG zhou_y_Page_184.tif
936bb6b25b6bd8a6f77e228a492cdd11
10114151b4802ed03abb23f0eb6c5bf3785ec9f2
1735 F20101207_AAALGJ zhou_y_Page_099.txt
8bcaa11d665bdc2e4ed1b2ee1e730b7b
b6d32389dad88a1a6ce060e00e56fea70723fbfe
1044 F20101207_AAALFV zhou_y_Page_075.txt
3f5240592f08226331222de2ebbf5db6
323773173953a596d8e123bf6ff1762f109d7148
1051971 F20101207_AAAJYB zhou_y_Page_159.jp2
0a137d75ff1b0d725d049e1ec3ccca72
2e16a4785411d8c100587676a3c97376f69f7ab1
1051924 F20101207_AAAKCT zhou_y_Page_175.jp2
4daef6a524304c38e31b6029c737c2a2
866e9733c58fcb8e207d0121697c9e2fc900060d
23710 F20101207_AAAJXN zhou_y_Page_070.QC.jpg
49c655296afe5de3beafad45e5a18a9d
431dce19df3e7b621e4d96058c0260fbeb279fd7
2327 F20101207_AAAKDH zhou_y_Page_077.txt
7524fb024ff3b84f1817ef65dcdbd59b
c252cd7075175a49b3eccd13c353096c1f3b1b19
1864 F20101207_AAALGK zhou_y_Page_100.txt
f8c3bf37cfdaa4c94beddff6286fa491
7dbe3a66f6120135c0ce96ee28a59866b030e720
2582 F20101207_AAALFW zhou_y_Page_078.txt
fecb792af21ec9fb54629be644441e19
afd2913a6f8af988621aee5914f5d706b4010652
56250 F20101207_AAAJYC zhou_y_Page_014.jpg
baf6cacc37a7f227219bfe7f0580d501
70627ff9e2c6ffd7e180a16fc1cb56f75bbe766a
33212 F20101207_AAAKCU zhou_y_Page_187.QC.jpg
f771f2c01870b2f76e00ec6a9ca59b41
a335f5880aa447a05cf9d70dc758105f3561a22d
3983 F20101207_AAAJXO zhou_y_Page_076thm.jpg
cec497ff3dea42142d0bc51a836353dc
9e566ea784cb05a4fa7f56b85798f0287dac3534
2141 F20101207_AAAJWZ zhou_y_Page_030.txt
7869d43f4421ff2e9c201cdf307dd841
5b706dad46f161bcef8f7dfa5eb7d9b39d506833
F20101207_AAAKDI zhou_y_Page_125.jp2
a4e86e6124004d810d080acc559a6332
0a792d53870dece6967012b72a20f7e156b18087
2220 F20101207_AAALHA zhou_y_Page_124.txt
5574ba453c2cad39fa17c01e14c347a5
eaed0471abdb756ee27579c227949ebee7f010f6
1977 F20101207_AAALGL zhou_y_Page_101.txt
167b8d850d48fcab6ce63261e7fce083
ec93dc11a81bd0b999a04f8a3fa2f122ecdc7097
2031 F20101207_AAALFX zhou_y_Page_082.txt
cdf534353c3c6aad4421e354a8b2ebb1
d130c38c772fc04b13589f0aae20464b5f6afebd
49938 F20101207_AAAJYD zhou_y_Page_148.pro
018164e587e23f27d49719573f54de1e
cc055796d09c5c7d52638f90d589402549b9879a
53954 F20101207_AAAKCV zhou_y_Page_146.pro
32a5ba829ada75f7c401180ac26042c4
b09b0402aaf90ef623c8baaccaab3fba788a88fe
83728 F20101207_AAAJXP zhou_y_Page_065.jpg
68ab4c83862c774807374f5dcb390511
1b1f5750a79df33d1682003f841e57fbc1003836
24040 F20101207_AAAKDJ zhou_y_Page_103.QC.jpg
a7b905c325d0a07aaa7136a2555aba2b
be42fb57ea88efb4eda71f088ff37eccd7212c74
767 F20101207_AAALHB zhou_y_Page_127.txt
329438788c9a0921ca75d68a17e8593f
c6aaa9debefcfe5d083a9e9c4d0335d074ecdc63
1421 F20101207_AAALGM zhou_y_Page_103.txt
2464d8515bfa903290c0b39fb25a6679
4a6daeffe9bb453a1e3a5b5068de1198a727e70d
F20101207_AAALFY zhou_y_Page_086.txt
92c01cac6aa3e499fd8bd1e865e62cbb
15f02b141cbb4972e1ac2d8af3063a9bca11fc06
623 F20101207_AAAJYE zhou_y_Page_003.pro
bf7bff2079713307f1593ce2dcaff4f9
bc8386ba0f74c0393a922d5ba2abd1151b5523bb
86120 F20101207_AAAKCW zhou_y_Page_084.jpg
5c4f99d2114d7132d3f233a07aeb2e01
c292b23a8a18c524a2912ef920ce568fc51ac84c
61068 F20101207_AAAJXQ zhou_y_Page_023.pro
881a1c336f72525b299c6c6f133f4dda
ec038b4ba362acc9a9f2fcb64291759ee00357b5
25036 F20101207_AAAKDK zhou_y_Page_158.pro
d7c7fdbe73c1f205f68e1bb1c1705bbb
58aad8f9280a917b8c793797c4caf06019307998
2200 F20101207_AAALHC zhou_y_Page_129.txt
ec63d862423a124ef8964eab8ae4ce88
17b87de05515c7a92cbcf9ef8909e64e2dc26be6
2111 F20101207_AAALGN zhou_y_Page_106.txt
5ad45f5cbcffdd723b70e817bc22fc7f
6b547d38c0a551d3cc7189630e007190bbe7fb35
2210 F20101207_AAALFZ zhou_y_Page_087.txt
c667564b7a98b6f910fd3b2d40a9d36d
f5aa781cf5a7440b35aad1bd5c5527440c5749e9
623645 F20101207_AAAJYF zhou_y_Page_098.jp2
e25915941628c237230f1cc39643793e
78a866707d8e6e3130c030a1006fd5e7970e31d4
1995 F20101207_AAAKCX zhou_y_Page_114.txt
459ded05d9b3b155995634899dd80879
4748f70365deae9cc158ffa9c9c1ed7990284e96
132512 F20101207_AAAJXR zhou_y_Page_206.jpg
8a383e0f32b420c683f306b6d5b574e9
bbc2b7c23a052be0b41f76adf2ef3f24ae2e7773
34886 F20101207_AAAKEA zhou_y_Page_208.QC.jpg
d73f3f4e1c0be889825be92a1caa9d35
16d84d583589639fa17b49fc93179232cf33cb2e
F20101207_AAAKDL zhou_y_Page_201.tif
656e08c27e5c5ddaa5f4afea56ae4301
5325ce0504032c98ed5a1b6982fbe0615408f390
2125 F20101207_AAALHD zhou_y_Page_131.txt
dedb9113ccbc6b1d5da2807d2969d460
878f9c4d8cc5aa23e8952f7a289f6ab8388dd2f3
2197 F20101207_AAALGO zhou_y_Page_107.txt
da0277122c9d4f756744a3db2dd9a837
749e3929c97e47e91609e6dae003fcf531ab4c43
F20101207_AAAJYG zhou_y_Page_200.tif
37c5ee1b31b4233ecfc69d4162e31683
a727b0889d73e137213a183a64bd0303cb67e942
F20101207_AAAKCY zhou_y_Page_138.tif
30c6bddfdfcb693946b43300e7c26a93
07966a57f422f88cb1d3902af6324e7695dcae0a
59729 F20101207_AAAJXS zhou_y_Page_074.pro
e01f51d2d40548bf95a118a086f738e3
f8c060244679af533cdcd4bbcc2b1d289e465932
F20101207_AAAKEB zhou_y_Page_183.tif
101d165550297356be2023a51ab064e9
8260de7d900de1d9eeec61b7b7237d58a0b99df4
7608 F20101207_AAAKDM zhou_y_Page_140thm.jpg
1df7753ff21429c37c2a4f79ac3de1c5
0be239326035fb40802c17795c19f0ce1912fdb8
1427 F20101207_AAALHE zhou_y_Page_133.txt
ac813a588733f5d95315eda4fe02aaf2
4a9a2f2bb5a353832d3152f3e19076930f08b3a1
1796 F20101207_AAALGP zhou_y_Page_108.txt
ab1394e07a3b96f964d1ba9361860524
41862dee490a99a2e0d0789751ee6b8a4bbca3e4
28817 F20101207_AAAJYH zhou_y_Page_195.QC.jpg
bca6462d2917f103cf92fe5cf0c26a32
04eb68fa45951d95312c2ae268911dab1130c15c
F20101207_AAAKCZ zhou_y_Page_146.tif
69ce7e55923f99cbfa700414fb9ac032
8a19416dc7d853594bf70c621f60cbc53b897b45
7635 F20101207_AAAJXT zhou_y_Page_119thm.jpg
de41f8aa738d000c22fa8f16db54de54
fb7c1262aa9902780f105c2f5a150bd38c4fb761
90327 F20101207_AAAKEC zhou_y_Page_088.jpg
62ecb1cdf8f55f1d4415796a829c415a
e70730ef63b6ca96c7a4d6b2beddd902b2015013
6824 F20101207_AAAKDN zhou_y_Page_001.QC.jpg
416a374cb0d54e9759b6a811cf8fabf2
0faf75ef3ecd784d82a7d9bcbac87c2441843116
F20101207_AAALHF zhou_y_Page_136.txt
10c8a5fa9faa66e427123ccc09b7c004
637657fb8c6f8bd276f9fa5835b746448945a416
2399 F20101207_AAALGQ zhou_y_Page_109.txt
1dd25262d82352e6659d7dd001fe7ded
2a6c83e178d71b653cad6385f1a0abe6e48b8b2b
20016 F20101207_AAAJYI zhou_y_Page_041.QC.jpg
cb3fc4513d01330e8e548a3f1d5b7fde
50148af7f100ce9455df75ae799a9e65a5740c98
F20101207_AAAJXU zhou_y_Page_115.jp2
112505b71e1e620b42f1b075caf034a7
743b04709ea81c44bfe896f9a0685e5307ccc131
1568 F20101207_AAAKED zhou_y_Page_170.txt
4448ce4d6e8751d2498927574056e292
17da1213c50ca0ac0abccf0ee6e4e15a6a9c7b8b
F20101207_AAAKDO zhou_y_Page_097.tif
2a55186864a6b2217db897a4a3ffb6f3
72ae0b841b441429957cc7adeae1b932323eec62
F20101207_AAALHG zhou_y_Page_139.txt
b03ff21647f2600393bc242974d24493
92975f3385297c8dd118a532ace96d9fd571d961
2041 F20101207_AAALGR zhou_y_Page_110.txt
cabeb6347b1021ac7ce58238f8774960
54a61c89699d02d3e4bc613e0c82b828b66db74d
54387 F20101207_AAAJYJ zhou_y_Page_013.jpg
1a448fe5b3234e24c1b9f3d1d50f1e9d
1faee4946e42bbb3c4e9cc433201958fa34a1f71
F20101207_AAAJXV zhou_y_Page_158.tif
c8d9ca589841b2735336152438cfef38
108c4cc86483470454c20b7217d0ed57454e5997
1675 F20101207_AAAKEE zhou_y_Page_029.txt
7377d078f65edbf00d1755c530e0f6d0
30faaab37ea643f84621c5423e99f5365b3e0106
F20101207_AAAKDP zhou_y_Page_077.tif
d18dd57aa780dbf6d4fd5eb58d6eb9eb
5ad8da476b502cb36011b6f13c6c38fcb8eb2d09
2138 F20101207_AAALHH zhou_y_Page_140.txt
6c6dff646203907d22190951ee38aa1b
572316caae46a63302c1ab48f7724f2d14fc274f
2114 F20101207_AAALGS zhou_y_Page_111.txt
9d5d6a6f3ccfa14fbf85d26a80bdf251
7971a00bc1afe9adc05832896e89f549a349c908
6091 F20101207_AAAJYK zhou_y_Page_072thm.jpg
60f5d819973198fdda9cc624443ed541
8a57723cc179c2f2ba3661fa95c4327f694dc2cc
26090 F20101207_AAAJXW zhou_y_Page_060.QC.jpg
2d81a1b5f03bad593ceeeb81b6ab447d
ba934a80fdf42ca9c532da6d04e67e23a8586019
F20101207_AAAKEF zhou_y_Page_113.tif
c2127da237606b4d1790214e87f69d68
1358bcdbaebd07257ed0a59dfe6ca9c26b3eca9c
30414 F20101207_AAAKDQ zhou_y_Page_026.QC.jpg
b0927db635d6508bcce3cfed6ef1e047
a6b0e474ed592d652232bb15ff68e0ebad8f47f2
1952 F20101207_AAALGT zhou_y_Page_112.txt
06412cad56cf000c05a8089ef72e8cb0
8e6b9ce286a7703bcab8a4e525017cb085576b2e
1004138 F20101207_AAAJYL zhou_y_Page_108.jp2
d1c0f8658c88cdded3fa51c37f5217f5
7eb57b0bc0f27128f58347bf2416a7b040103e16
45066 F20101207_AAAJXX zhou_y_Page_100.pro
5ae825ece29aedab2e8324e61b0625b1
ad7a666c84a788d05d71f40ec963e7dd9978157f
1670 F20101207_AAAKDR zhou_y_Page_180.txt
1fe88ae333485eabbb915062e9a80949
5e89704c5eaf372e6847d1acdcb6ec8a087e347d
2252 F20101207_AAALHI zhou_y_Page_141.txt
571441bdf93a722bc30bed77eabdf481
8ac539ddb2de8193525e8c99941bef0b26467aa3
1826 F20101207_AAALGU zhou_y_Page_113.txt
89e1e78d73e5dcebafd1edf223134db3
da51af808d1d733473a41ea577f63e41778ddd13
53237 F20101207_AAAJYM zhou_y_Page_140.pro
e04a5f383bbddd2166efb17289a53910
a868c4afd3d6b166aa844cd14f3d908e5e6c8802
30303 F20101207_AAAJXY zhou_y_Page_081.QC.jpg
112c113758d8fbfec48c1c29da090117
6830207fa3c002be962fba8e78d8af75763c29fb
F20101207_AAAKEG zhou_y_Page_141.jp2
1095298852a21ef91c506562abcab86f
68032528448da284d07b662ed8489855c3f8a1a5
30870 F20101207_AAAJZA zhou_y_Page_185.pro
2e16cb48c10274e9b71bdee07941646a
24ce1d589225c3076efec9dfeb48ef364d7c07c6
6928 F20101207_AAAKDS zhou_y_Page_032thm.jpg
3c288701959013f6377b5b15e3878cee
742f1f82de1ae3d312a2601c28497fb4ea10ca4f
2331 F20101207_AAALHJ zhou_y_Page_143.txt
2d6a7ed84089b60243e28813e3fa9504
4620ef8f55ee8a4bce5279e36d4d7074bbbc916f
2276 F20101207_AAALGV zhou_y_Page_116.txt
644114b2e95a9058f1adcc6ba6df4eac
5bb1e7d9f528f7fa942f3d987ab2e23203ba089d
108987 F20101207_AAAJYN zhou_y_Page_047.jpg
39faa9ca6f81d34b379cd7b0f1e192cc
8ae0c8ef2bdeecff17f0974d9bfae2600d6426a4
F20101207_AAAJXZ zhou_y_Page_177.tif
3d4c254be9d4e8e089fb7831a9ef926a
87df09d19521580309ee1f71e4896687ca7b426d
F20101207_AAAKEH zhou_y_Page_089.tif
42c535bc89011b302554e3c8a7327ce5
ba548cc110088beb3d87c4f26d39a54eb5350109
6484 F20101207_AAAJZB zhou_y_Page_052thm.jpg
4fbc18fb54595b642f473d82c452d144
8f23a392f960024cc76263917f72e6c17988773a
F20101207_AAAKDT zhou_y_Page_143.tif
2812a2824b9070306477dd3307bb4476
5c8aa222af0b0ff7193e2d17683555b5bd0e4bc6
2348 F20101207_AAALHK zhou_y_Page_144.txt
b0d16fdda7b957a44e118b061202c04c
1f59b15516c155898bb6399b2544c188e1896e0f
2236 F20101207_AAALGW zhou_y_Page_117.txt
3bd3e0b0d0e45a75e7ea5ec052f97ad5
59a28dd67af82ece10f5b46b0d31106d3733bb97
30992 F20101207_AAAJYO zhou_y_Page_189.pro
67fbb14ca5574641d46cdbe9f7a0fea4
b018bb5d0916296efb8886fa2be841d66a8b7225
136426 F20101207_AAAKEI zhou_y_Page_010.jp2
1b4e2bc2d4d3450ac9b13725239f4b67
12db94f8d6fb0f3ced5dd9776b55435c22a9ff97
F20101207_AAAJZC zhou_y_Page_084.tif
cdc02e1ddf6000cabc2fd9c32d02ac5d
61b83d9bbc22c86b3d1a40c1129be910ba0485cb
2268 F20101207_AAAKDU zhou_y_Page_125.txt
baf447d24b380b524774e2c809dccce8
10c0d8e00342febca314d35a6af6e70640862f79
1997 F20101207_AAALIA zhou_y_Page_167.txt
790911e66fd27cf1a07c9488b00640a0
2bf29438423ad5161ec649a3601171fc609f3da0
2235 F20101207_AAALHL zhou_y_Page_146.txt
f183e414d52033372a4414d052338ef5
445c106872ab3d318d9c5db20d8f569fe187575b
2176 F20101207_AAALGX zhou_y_Page_118.txt
3b6c2d36af4dee557aeb897a04d802da
5614d962088ab81cedf6d1bd628884c488021037
958404 F20101207_AAAJYP zhou_y_Page_136.jp2
6d69c36888dd7910fa99e3c3bf0b74b9
f99c54dadb012653a91855ec892ed570a99585fd
36466 F20101207_AAAKEJ zhou_y_Page_058.QC.jpg
b26ba4de547cfd50afdcf4945c03f7e2
8dd4b65199e0ccc01ddcbedb869baa9cb4d284d7
40311 F20101207_AAAJZD zhou_y_Page_084.pro
46fe3cf43975f81481bea14e3396af8f
0eae435d46a433c0c06558490869d1b79b40b430
52979 F20101207_AAAKDV zhou_y_Page_106.pro
d063f321ec22f4d320eb0893bd500952
79c2b955bc7f4c9894f38b482a9432cf7a6c5a52
1905 F20101207_AAALIB zhou_y_Page_168.txt
43f02a42f19349f3e70fe6233d9e52be
2caab8b206a7667c07ee8f738ecf7d24295e6245
2135 F20101207_AAALHM zhou_y_Page_150.txt
4995336e41ed6e98c165c026e52567a9
4718c8d1ae8e2f59e656cf98b6299a63a3d68ade
2086 F20101207_AAALGY zhou_y_Page_119.txt
70a358c8f93e1461b15ac705b01d0bec
5af9ed499103055459d4120e717105c28b6d4719
6506 F20101207_AAAJYQ zhou_y_Page_069thm.jpg
1cba8650d0adaf1e45f64eb9bc4ea5cf
97896f1207fa1cc4a963f767141ba7b1694d4452
6672 F20101207_AAAKEK zhou_y_Page_034thm.jpg
622c92b31ae4b98a50ed1b64783f5122
7a611323f32c92926ca812aa6503533352ef2e72
2112 F20101207_AAAJZE zhou_y_Page_102.txt
1b744cf166f2e90dbc4545e79acc5d88
16e829364db9723a328c622cd7cf8bbc296150ac
31743 F20101207_AAAKDW zhou_y_Page_132.QC.jpg
794337f747845b662e23b93e05e9a75f
4b0221c0f626a769a460d8f7523d5ff8b5367b8a
2020 F20101207_AAALIC zhou_y_Page_171.txt
43861cb0b44870fccf41d7a23162d9c0
e428cb75fbd8445941d3e1e936c60cb0dfe255ba
2081 F20101207_AAALHN zhou_y_Page_151.txt
b2b332a345ddad17c35f4d3db07026da
d3f789f085e9c77e0361b3b519322926da6c6890
1351 F20101207_AAALGZ zhou_y_Page_121.txt
fd1f880a69aa1a1cb913c1aad53cdeed
0a2ed3283ac2757165f0c59e9265a4b7127391bb
69108 F20101207_AAAJYR zhou_y_Page_204.pro
9ba4e85fa80d30781e2dc5c83e0d5cff
e95f34c44d76ad6f5e28602b70bb627879b05d60
25093 F20101207_AAAKFA zhou_y_Page_099.QC.jpg
5e84e172d041c687b8ddba2b8eaac2b5
161ffabbeb9ad8c0adea1e65767636485037ee2d
119499 F20101207_AAAKEL zhou_y_Page_186.jp2
1f48a7cf69845004c032060c6c5c0b3f
85182cbfcb7d25defb499be27b5ef415650de83f
105646 F20101207_AAAJZF zhou_y_Page_119.jpg
bb369da7026d81bea53bc0af86387ef3
05517ca7418ed626127dd2b55cedf9c7ef6d5754
7751 F20101207_AAAKDX zhou_y_Page_147thm.jpg
b68a8b56dd5e539703fba53f58935ea1
20eb8eb7b9c2e3041ec62feb135130dc0d519591
1562 F20101207_AAALID zhou_y_Page_173.txt
3a9398ab075236ce0b1a70b02be5349d
1aaa82e0f2643d5b42074a2481b4abfe0998e948
1921 F20101207_AAALHO zhou_y_Page_152.txt
b46f8ddc7dc376b67b54f268ae85c063
581ee594c9c9d60d6338269253b586479ff31ef9
111770 F20101207_AAAJYS zhou_y_Page_054.jpg
cd3480e4bfe391a15e1410fe1746119b
a9ae91312ffd628e36b0bacac91ad5830cdb0399
30728 F20101207_AAAKFB zhou_y_Page_082.QC.jpg
beff6d02e7ba2de596a63644fe97bd72
d5615f0586026fe861b7c601605c455427a0c089
7510 F20101207_AAAKEM zhou_y_Page_149thm.jpg
bbd55d84bf945fae9eaf122c11f0501b
01bf729fc01b622f744368f33d80fff1cab9b170
1301 F20101207_AAAJZG zhou_y_Page_192.txt
47c0566d96a3998ffb1c4e61af7568ec
e6268689fc81ac16f569ce4c7d33d83cb0e9ed88
F20101207_AAAKDY zhou_y_Page_123thm.jpg
9c182908631f497b4000ffd13806c7bd
0cd0513036562e7cee0788fb8aada5c460ee29b2
2166 F20101207_AAALIE zhou_y_Page_175.txt
01e6ab116db5cc010ab35b4bda3c66af
22c396f1347b6dd1ed7dc3d548342d250e6a2500
1936 F20101207_AAALHP zhou_y_Page_153.txt
b8121573a3e39854bd00f6bb662a1a3d
9aa9177f9a0f747ed1df01b590494d5a5ad76899
F20101207_AAAJYT zhou_y_Page_203.tif
153f62dab9208f0738c7a29e243fe182
e106d7612a3e8385ace0163900e30da3fb85bd8b
1154 F20101207_AAAKFC zhou_y_Page_035.txt
5bd8220befe7a097c349dc3a3983c056
6117990f3c0589da963453bfbf72a3eb5a6f68a1
89097 F20101207_AAAKEN zhou_y_Page_050.jpg
c04b66189ed9a26bba3011a10f882b24
0e4c6879fdf49e9f32b23b3a7640231a6431d3f2
F20101207_AAAJZH zhou_y_Page_058.tif
071a6983626647e15f81d04953b9d0da
7a7b289b20508b519c9edbcd40bb6341ff217baf
2212 F20101207_AAAKDZ zhou_y_Page_122.txt
329ba16f1b6f541b649ce49c5cfc7872
fa15a18e6fb12679a2010d806510abdbf59e2648
F20101207_AAALIF zhou_y_Page_176.txt
eb1b964ba57baa2abbf8748c244a3d6d
4512e204e5314a4617d79434dea4530fdbc7776b
1526 F20101207_AAALHQ zhou_y_Page_154.txt
57cc359f3f55ea3ddfd484f6637a4c33
be9ad05026b4910894e85f29450fff661c0f7b5f
6785 F20101207_AAAJYU zhou_y_Page_167thm.jpg
7347a942bfbf843f83b7ed68bbacd025
8dadfed35bebc511f6fe33b6e4a32e3928a210cc
8260 F20101207_AAAKFD zhou_y_Page_144thm.jpg
96bdd3ff56a0c0ebd83863662a283ff6
4d5d34cba0c644e007f19e38cea2d33d955d9c23
48621 F20101207_AAAKEO zhou_y_Page_016.pro
6e779739abdd0a46af150a85e4eb1562
6ff1ba6bef92864607ae00bd1fc62a5cb086f0be
6096 F20101207_AAAJZI zhou_y_Page_031thm.jpg
c25c3759b88390a5ea6ce067f1245dfe
704eaac41c0d62f6feef8acc4f5305241787db4b
2021 F20101207_AAALIG zhou_y_Page_177.txt
3b50643776ea053777e257b83c10b7e2
84793a4f59cb7cea129abff4ee8813215137e230
F20101207_AAALHR zhou_y_Page_155.txt
90c86f3b8f3792b34abde9e1a99d843a
b8f5e696472d6f0c4d7cab554a05aa1ee3b12bd5
96817 F20101207_AAAJYV zhou_y_Page_012.jpg
2acd25a88a99c3948bfa5cb036b555d2
79446b6d529f8aa69a363dbfaa46038269c8d764
8115 F20101207_AAAKFE zhou_y_Page_182thm.jpg
ff2acaaa239c4d12ae77726ff95423b9
009dbcc650460efae7cd270fd1a80029210a5964
26599 F20101207_AAAKEP zhou_y_Page_177.QC.jpg
d9df5e4f7feabc166a5ad7fb6f97dfa1
79435a3e805718ea93200543b5979097cc961190
3881 F20101207_AAAJZJ zhou_y_Page_212thm.jpg
d705edc5b817fd358afd7c43f8d18bb9
6f61f7f4e44d75b32c3ba49d8ac7af971b4695de
1695 F20101207_AAALIH zhou_y_Page_181.txt
66fc6871cf9cc45401399a9b723c707e
0235317e1b26c39c2ae2a1762ef312f25965ef1e
2097 F20101207_AAALHS zhou_y_Page_156.txt
e176c2c26af9bed00496ccdb3915e4a8
aaddf9543e6268fe5ff3ca0e622bb24ed713b374
2189 F20101207_AAAJYW zhou_y_Page_066.txt
5b1bdd6d3257abb7cf8e40c53cbff14f
d8bddba617c6fc82262baa16461f214d97dde112
100148 F20101207_AAAKFF zhou_y_Page_149.jpg
0e1d6b4fe1c30d47f5e974999f1144bd
799e26f5dfd0f48bc0735bba6cc4bd2aa1a04a67
17538 F20101207_AAAKEQ zhou_y_Page_038.QC.jpg
c9284f34d1f0d653921f18166ed32910
929f4cab1e7aa3a82af9961e7c550b924b7bfbf1
623480 F20101207_AAAJZK zhou_y_Page_127.jp2
d276e8dda840da8134c54950881ef445
2b9968b4a8a1f59cebe467385436a5903f0d48c7
205 F20101207_AAALII zhou_y_Page_183.txt
605d5364ee753b1cdcd2f6d0a2f0809d
f161d22b74c29cac9052a361a7b2cb08ae163e4f
2143 F20101207_AAALHT zhou_y_Page_157.txt
774f1cdb891b573a4067e9a7817d12a5
014715d165ef9e3d877d3e23d9df8fffd17154f3
F20101207_AAAJYX zhou_y_Page_055.txt
ee9fef8a2eace0afcc6d0a454d921fa6
94d8681e68dca66d1183682de12d7080c0e26031
776964 F20101207_AAAKFG zhou_y_Page_013.jp2
020ca3bb661d970047100e1fcfa79fcf
70c80109fb5f53f40b7597270971125ade055162
8542 F20101207_AAAKER zhou_y_Page_063thm.jpg
70282a1a09245c03a57dab62b1801388
5b69247c03936754c03a79159a89a412fd64ca41
F20101207_AAAJZL zhou_y_Page_004.tif
dc442cb1e298a3719d454eb9ceb0d767
e468f719145449c651734734cb1a0c3a432a274f
1036 F20101207_AAALHU zhou_y_Page_158.txt
812ed36bace75b75c610c7419282d313
2f59fdcfcde439f7d8b1277b888ca71c4381e752
4254 F20101207_AAAJYY zhou_y_Page_015thm.jpg
799e60f967f57955e3fce31f5a4387f3
fe57dc06583d61a64753a28ba6ac48c10db278ca
F20101207_AAAKES zhou_y_Page_018.tif
b2e6a973adf54aa42cd9b2c02373fc16
3a7122504c6a5eeb1f68dc450d36a813fe4746a3
8025 F20101207_AAAJZM zhou_y_Page_092thm.jpg
0241d1d328261d2e3e4a3a3147e0689b
ff00534d126dd6145160864d2d7cec46d02c2301
2100 F20101207_AAALIJ zhou_y_Page_184.txt
0844a7b1e09b805e11bd9cac31cc5167
373230ec347b7e1d91d4d491d5b60dd9b064f963
2238 F20101207_AAALHV zhou_y_Page_159.txt
7ef1557b56eb40397ff586d7ae44a199
5ff041b632b42ddd37c904e837c454c6adc2b227
35526 F20101207_AAAKFH zhou_y_Page_116.QC.jpg
56a9a83c7753a481480bf0412fc798f3
6d3cc668d729e6c8cf6eb856eb62f78f89af14a9
F20101207_AAAKET zhou_y_Page_085.jp2
c9568805c3b1bfd7ef39ad10579478ed
c42a482c64fae5309e6750f5d221539f16f8fcff
35331 F20101207_AAAJZN zhou_y_Page_200.QC.jpg
0842ff9468bf16a968e5e6cab7655eb7
aca2aecf9fdcaa1a917a3484c2292d825e4dec4a
1051976 F20101207_AAAJYZ zhou_y_Page_020.jp2
88192ca240157cd37dff852cf55a0092
af4c39a9a545b7bb69a9ae4a81550b07164f5450
1297 F20101207_AAALIK zhou_y_Page_185.txt
047fb26e08fbc58e18be95a844696946
3d1b3c89543ec54b50a48bb9bcf94ea4e96d452b
2349 F20101207_AAALHW zhou_y_Page_160.txt
b9de15a7af5f56d721fc07447a1364e9
1d7f23eaec82c34a4ece876dd8b9003ae4cbe158
2682 F20101207_AAAKFI zhou_y_Page_005.txt
3de7d28903a36a4a79696fcb85972906
8a84f680336e77a8177e2671bdcd5d0f318099f1
1363 F20101207_AAAKEU zhou_y_Page_174.txt
335c58cd7f076210b825d8e805051e75
1d32668953dcc855d8605e90bcf8edb44f6384c8
F20101207_AAAJZO zhou_y_Page_179.jp2
1c5691d0550e3c1f3ddd25962dfee7b3
4ab5785f0e258a75418415a635ed6d52347581c3
2696 F20101207_AAALJA zhou_y_Page_210.txt
a7384c08f32735350c6e300b69ca5732
5580c7dde5fac15c4bdc225fbf9582cb65398f8e
2248 F20101207_AAALIL zhou_y_Page_186.txt
f7d8e1b8a70b9dc6c86ef9b79ef93015
be2404e322a11a9e1fcee7b3bf5f1009ef8df358
F20101207_AAALHX zhou_y_Page_162.txt
92669c28d780540d4507e01004e10a7a
388f48a8cc5cf637ae37e8699c28ee94710a9c28
42163 F20101207_AAAKFJ zhou_y_Page_043.pro
2947e02c2529cbb5c62ada4967e9986e
15abdad963ccac47ae94644675e1aead3c3d528d
25773 F20101207_AAAKEV zhou_y_Page_173.QC.jpg
f3570b7e3801a3725112ba145134fd53
35e9aad7e4e39f6894dc382d9f2df9163a66b767
68573 F20101207_AAAJZP zhou_y_Page_037.jpg
8a8f045b0ba1f414710be9b7adf8a863
7f1b23e9f7ab913b8bedcc2bcb414bfdf05672f6
2669 F20101207_AAALJB zhou_y_Page_211.txt
1cf4c21e4ac036d3e0c69a8a0da86249
e71dc35f322acc7ddba514b14f02f470869f9d51
2053 F20101207_AAALIM zhou_y_Page_187.txt
260f33181252ce7625439a7b53977b15
8b6d5be9c12638e80d7de25fcb1d7a6bb0abdcb7
1918 F20101207_AAALHY zhou_y_Page_163.txt
dc38650ef36ee0927ccb448643d7f153
cd654ede19fb9a0f74c1898297d56f45c511c94c
1964 F20101207_AAAKFK zhou_y_Page_085.txt
2eade403d579c2a10effe3bc372b2777
da0120b157d88666c43b89dbd34a00094ebb7aea
F20101207_AAAKEW zhou_y_Page_120.jp2
b8a66a257d56490bc240d5995fd6d383
d1ccb3e70a2118dbc5b725de24ad4df34f241c7b
57804 F20101207_AAAJZQ zhou_y_Page_125.pro
4ae70d2a910e3a4031c96cc04745f77d
d111d6178d2408f2c69cbd18ccbc094933f5042c
F20101207_AAALJC zhou_y_Page_212.txt
3bd45d7b3b8d3ad2e1c311e5515f3b8b
e9165e61aefa8ba92690ced617afc1f58fe2a432
1224 F20101207_AAALIN zhou_y_Page_189.txt
e44360751c26b763017e9b94e11a7693
02508fee993185f9d18361498e729679ff0eec8a
2246 F20101207_AAALHZ zhou_y_Page_165.txt
1482dbabb78f2296aef8de5916593e75
46f55018e57012bce36de4bdadf246f2c7003c61
2204 F20101207_AAAKFL zhou_y_Page_172.txt
757562053f769cecb119d99e13d84000
b33d1d2b97548d737fa09a8788fbe6a57ddcf909
5649 F20101207_AAAKEX zhou_y_Page_170thm.jpg
dfd7742d334387b42b78e17239e77b83
f08fc89617a03b06772f49ab3b1e6c8c668255b9
F20101207_AAAJZR zhou_y_Page_202.jp2
10df1b63d2db5ae834062d2256b47648
2d1d2bf9008d024c2da28ecb97bddcca0c1c341b
28967 F20101207_AAAKGA zhou_y_Page_108.QC.jpg
61f85178882a7f7bb79f627b3d9cb84c
b820adb2d444c4c15bd2156759f587e04dd9e5f8
1350641 F20101207_AAALJD zhou_y.pdf
3baf37154746817d1f024362bbf72aee
047ddfa0545f84741bef220fd226c7969cfcf0f5
1734 F20101207_AAALIO zhou_y_Page_190.txt
e1b888257fcdeccee989beea85d1face
bb116794acd97c10f3ccc0d73a541f4eaa6c817e
F20101207_AAAKFM zhou_y_Page_107.jp2
338831e0ec2929bb056097f8c5e0252c
8a2aed268dba865f8942cf1ec48b3a16c998f80f
61221 F20101207_AAAKEY zhou_y_Page_048.pro
e0a3ab1b17112cb6ee2203d650e58844
ed5a80e301f232b0c8363fb91184dd45f9194dad
49166 F20101207_AAAJZS zhou_y_Page_012.pro
0724d0c011b7f347be124df9995db032
a71be0997f69195a95092ce46b9c67e1193c0f39
33602 F20101207_AAAKGB zhou_y_Page_133.pro
df3c4092822d8dea034c02d841d6cdd9
e21e8a3671657bbf173977d6a74b4ceef1a6c127
1243 F20101207_AAALJE zhou_y_Page_002.QC.jpg
d5d8fc6a2371317eb5f3409af8b89af9
a85d1fbb9c3a310b688b2dd6c2f4e1524a00c4d8
2203 F20101207_AAALIP zhou_y_Page_191.txt
a53b5e93a24ee18a315225db9c9d487b
1c8676d6d429b657b9f0661508a85e06378ce3ac
2077 F20101207_AAAKFN zhou_y_Page_126.txt
840e4690ec1eadc31f8601eebf2e9817
a285a8a6e7134a295df185ba36ad6a4f160f857c
32658 F20101207_AAAKEZ zhou_y_Page_162.QC.jpg
807a332931619155ee2a960732502a58
2b78a9a6bc41ae8e69af86809b906fdbb1e90c09
F20101207_AAAJZT zhou_y_Page_164.jp2
a3d7e1379cc9a753b7684ddc88d9da2e
057a8fc6285a0dfaf8a2abe6c754d93e4fd0e8fc
26885 F20101207_AAAKGC zhou_y_Page_069.pro
e4e5b12d2b7df98d613a27d78991db93
2908a20b1a57fe1845e8257836f5348924ded95d
4563 F20101207_AAALJF zhou_y_Page_004thm.jpg
35736492b766c3229741b9661b00a0e3
0e14e95b6f93c3ca9f4b081dc3447e9450795061
2000 F20101207_AAALIQ zhou_y_Page_197.txt
d926a6b8b18933529863c9b746383c9b
fa5bd7032c6005bbb9c5d46b64a5f78db8b36f1e
111209 F20101207_AAAKFO zhou_y_Page_140.jp2
cc8dcadc1c1aa1a78286c37303441ca7
109efbe67b360865d58ad7d0088aa230cd61fe18
980016 F20101207_AAAJZU zhou_y_Page_192.jp2
ddf34f6de72100ea31427cdc98fcc896
47b345f80251d508300823c35c2cab0d89649bc8
F20101207_AAAKGD zhou_y_Page_211.tif
804d6be51366c20d9081ec17461064d9
36e04da0a938afeb1c4b72a25d78f3fce500e97f
18459 F20101207_AAALJG zhou_y_Page_004.QC.jpg
ea1f1e48a7eaee19d9132366d6470e24
f57d281463409169dba8ad9b7a4556d08a7bb75d
F20101207_AAALIR zhou_y_Page_198.txt
357987f1f93f6294bf81537f4171cbe5
7d9e8a22f7da57cff28cd2a00bf07381ec907d41
7364 F20101207_AAAKFP zhou_y_Page_081thm.jpg
78436d65a881924649ff7a7ec966d92d
a7db756e3e9e523049be7f3cc807073cf13e549a
34316 F20101207_AAAJZV zhou_y_Page_022.QC.jpg
51d39a3a775792765c4b482e6a76e4f8
61665ec9b98e7d5b931db3cfff94fe6c33d48bfe
F20101207_AAAKGE zhou_y_Page_212.jpg
ec9cf4aea0cd53da2cc3d412e0c2bac3
b91fe3546fa7b196a9b69ae04bdf4e7066538c32
29641 F20101207_AAALJH zhou_y_Page_005.QC.jpg
b8ad6c8d8032b9713ac169812073b1a4
0887486ff04d45309344d14470e03aa6dd216f72
445 F20101207_AAALIS zhou_y_Page_199.txt
4694895e98e94895b02aa7367d041195
bb8fb5cba1f267dc4a7b0e055a5bee03b635da74
85487 F20101207_AAAKFQ zhou_y_Page_192.jpg
bac2930c82f05acbef8517f6af5f8e5c
0d73ad68b0ddb5b061b8b0da9aff4b0bf9a224bb
7617 F20101207_AAAJZW zhou_y_Page_018thm.jpg
23c3e55e75d792797014593486e8438c
ae5645d6f029783dfb330f1dc6207932ac62c644
F20101207_AAAKGF zhou_y_Page_206.tif
384e6731099a0656deb920ed6b47d502
c2a6036d934ee553250b916562c42bc29adaf93a
7200 F20101207_AAALJI zhou_y_Page_006thm.jpg
35896a9644eb325ece17c0a4209c3b27
ee4025632152c716352a93969bb7c54f421aa404
2638 F20101207_AAALIT zhou_y_Page_200.txt
2442ba952dc280b7be62168ab9b9e49a
ba8e206840c538bd91fcb8d71183742939df94ac
34272 F20101207_AAAKFR zhou_y_Page_068.QC.jpg
4f53b9b5250cf7c482e1ae0feeaba6c4
d06740287eb0c95142445851644d9880fc9a37cb
F20101207_AAAJZX zhou_y_Page_096.txt
3537d605e1c424b83c02f650fa4809fd
42dd6c493b0bdf58eda8ddb9410fe06f06cafeaf
66075 F20101207_AAAKGG zhou_y_Page_098.jpg
0633a0a67e354a07f62ee60cac337879
d446b7d4a8af4343e9fc647605f25f90d6136c00
35380 F20101207_AAALJJ zhou_y_Page_006.QC.jpg
f8e31fc5c10e70a741dd7295d6e8a9fd
961aa5c0f40d2794328fa18c858376ddfeb96ed6
2814 F20101207_AAALIU zhou_y_Page_201.txt
e27d4fd762836366b6cbee1db7193b10
caa9897364ff12623e52df178b611e36d86f272a
1916 F20101207_AAAKFS zhou_y_Page_166.txt
9900aefd54439e8a6d7f453f669ebf80
2ec147da2649eb5746e238f0460cb099591533b5
23758 F20101207_AAAJZY zhou_y_Page_021.pro
870285a2fea0687181d8ab0edf49cd03
92361fa11ad8d549cb5f7d8c68732a465139e9df
52023 F20101207_AAAKGH zhou_y_Page_156.pro
93d4924136cfaf4da168ac0a0373ff0f
96eddb7ece4ae8bd09a4c2ec26351499313c1823
2585 F20101207_AAALIV zhou_y_Page_202.txt
4ad299101af185bd2a3e86a8551020ec
14123a9c130e62e705afb4ef252b33470b9f75ca
32389 F20101207_AAAKFT zhou_y_Page_198.QC.jpg
16f765931e404dc18ea6528391c824cc
5b30bb00cce37a7c318ab7f48930b596cb142bf9
22005 F20101207_AAAJZZ zhou_y_Page_031.QC.jpg
fa0ac7b7049b966226418c541ded5e76
988bc48228d8924d3c1b07210a5964f07bcd5c28
6943 F20101207_AAALJK zhou_y_Page_007thm.jpg
f20844e3d08d97f6964e8c61e957b70f
16368baeea27cb805c3b9ccd80306c821e55594d
2765 F20101207_AAALIW zhou_y_Page_204.txt
a28a11e4d37dfcddbff961b184bceb9a
46742b9b0c8d4aac8fc88fe34e836759f7c4824c
46145 F20101207_AAAKFU zhou_y_Page_153.pro
de324c9deab006fa6e4ea8b850c136d8
f367346f3de4f2177b8f05ac092949d49ccb8c1a
27982 F20101207_AAAKGI zhou_y_Page_192.QC.jpg
a461634309d401bdc75d1cd4ed151b8a
d4ccd0a01d31aa5430111fc23c971643c3284aa9
8516 F20101207_AAALKA zhou_y_Page_019thm.jpg
b7a4d3dd70ccb77894ad7702f2fc5e56
b42ea86b5234617f4a1ed59e987ed7922d9bdc1b
35297 F20101207_AAALJL zhou_y_Page_007.QC.jpg
6be2d74fe37db75d99b13e9752cbd239
0d08f12faf247de64fa8aced7bf7c5cc76cc6952
2666 F20101207_AAALIX zhou_y_Page_205.txt
7c92032ff428156d85aa8ac3f36f2add
107fb9a3e64fa651e25565df9abfb04e6a79c177
37594 F20101207_AAAKFV zhou_y_Page_042.pro
f0f5bdb141eb541f6554cd6bd5f50fa8
d06bfd41800f37a222611442e62b523dc823c306
2096 F20101207_AAAKGJ zhou_y_Page_049.txt
3420abbd0a42a861b66e4754d1ff36be
b52a760b9fd5b132cc79a183417dfd8f3659cfcb
37496 F20101207_AAALKB zhou_y_Page_019.QC.jpg
cea5c9816c91c11ce2bd8d6693951fe7
dd733d2677cd611696930640f9b089165e360b51
34224 F20101207_AAALJM zhou_y_Page_008.QC.jpg
73a11aace4a39bc43fcc4c83285010ef
2ffdb380662ab05631a1ca037c0afe404c145b30
2678 F20101207_AAALIY zhou_y_Page_207.txt
8c7d7aa878a470e3ba1dce1edaf8f1d2
8793e3dc19b69347e07cfc9acce81f946d0db1d4
F20101207_AAAKGK zhou_y_Page_045.tif
270fd479f47100da61e967b375939410
95307d0561b2302f4fc3d1ff9607456039a78033
36859 F20101207_AAAKFW zhou_y_Page_109.QC.jpg
184456e0f17d78245855419c87712bfd
3a09e042b01b6f8101df377dedf7def4bd16e78b
8098 F20101207_AAALKC zhou_y_Page_020thm.jpg
0dbd4670af483cff63bec409d15df26a
0cedc2b1cb0826af1f1c4b770f475997c5d43d3c
7079 F20101207_AAALJN zhou_y_Page_009thm.jpg
8f087174760d27ff0ec7ebbc1aab6a92
ffc4e94e8980e422d217d68e65668ebfc8cdc678
2807 F20101207_AAALIZ zhou_y_Page_209.txt
54ad9526c8cae82be1a295f10e7becb2
b1722844bacd6915ef54ea93dda9b80fb591a032
7835 F20101207_AAAKHA zhou_y_Page_132thm.jpg
fe9ed0b4b921778eef2f8ca13fccdb0d
0cd441e594d3b59aac734e270c0335fbee41b11d
53308 F20101207_AAAKGL zhou_y_Page_147.pro
686ef639c7e979a162dcd3654f89e438
9e2e455bd96e80f67e1f68f8576f0629aa5043f7
F20101207_AAAKFX zhou_y_Page_128.tif
2163c39257e8a319e8096df734581eaf
038b4ca5add7df61a4c1d568d97ecf955966ba78
16358 F20101207_AAALKD zhou_y_Page_021.QC.jpg
13d85da7ebbd7b6f19d873ad8cf32c6d
16ff48b24265c45b3edd20d55194ad718cb374da
37321 F20101207_AAALJO zhou_y_Page_009.QC.jpg
2f7bca869a58034355a4e9fdd6f1796a
f8bb335c49ef14ea67c02e4d114b0e21add7061f
20340 F20101207_AAAKHB zhou_y_Page_090.pro
7109fc8f8df570ed5f0017df605a26d9
84158ec0f48658615fa19f1e285f61740dfda814
21904 F20101207_AAAKGM zhou_y_Page_133.QC.jpg
fb0cfc262706fad884ff2abf14831ec8
475ee3b9b21d56579a59a23511011b149c362992
803361 F20101207_AAAKFY zhou_y_Page_181.jp2
d73a06bc96fa6f90bb92b92a8d7b6a52
2ca4f2147d69a9422982e53dfd05623f74510443
7719 F20101207_AAALKE zhou_y_Page_022thm.jpg
62be0569ae92d8170666c817d446c449
9cf0e2e0d0bee2dd62d20acc67a728cd87b78120
1292 F20101207_AAALJP zhou_y_Page_010thm.jpg
d6d516ca5d62abd259ec39dfeff41fab
852c8c56e6bbb5464c5def0eabd2d665d43bffa2
116820 F20101207_AAAKHC zhou_y_Page_077.jpg
655b25ded57f7f1e7a181077b784546c
af4b3ead32642691056185d8683e042f58872bcb
861396 F20101207_AAAKGN zhou_y_Page_185.jp2
c2a8487942532accfc0f90502a73cc53
9e047272cad20a504180e8a33ea7a3bd6f5cb56d
32281 F20101207_AAAKFZ zhou_y_Page_111.QC.jpg
5a4114dbb6344710e822e5132cbc1f15
4b7f5307e5b875245d2612784567f135761bbec5
7963 F20101207_AAALKF zhou_y_Page_023thm.jpg
ff340c43849ca59b80782c4dbac30ded
835cfdf43b166439151d35df8e4fc54f6ea010e4
4579 F20101207_AAALJQ zhou_y_Page_010.QC.jpg
8fd950751c1646024370d56469fd52d1
f1eb1afd39272bce4c6f395fc4b2852fbf7fcb41
24354 F20101207_AAAKHD zhou_y_Page_104.QC.jpg
d9a512a8e949cc7aaddad4d916385a1a
251056737c26fda29116fee5dc2410290287a729
86178 F20101207_AAAKGO zhou_y_Page_173.jpg
c8917f228285dacb64210e10eebe6d19
76de63ad4797d431598c113b85c8d6b9d152b1d9
35988 F20101207_AAALKG zhou_y_Page_023.QC.jpg
b9459ddb93de9c08a47838f354d29c9b
4fa05c50b46eae06a377458dad423c1f4f7b6856
18254 F20101207_AAALJR zhou_y_Page_011.QC.jpg
f6c99c2213666415f31db403b85405cb
38444d5e2025c3d59576d5cce70a893a34b6563b
F20101207_AAAKHE zhou_y_Page_195.txt
ef3e13b2172887df20833c573f792c99
a56b4c8095e2eb36f5ff6aefa7164d2c75bb4641
2743 F20101207_AAAKGP zhou_y_Page_206.txt
17afecb3e92ca1d4db112ffe2d7c765d
4ec9f4a37914779566fd3147095183b31b1dcb6b
8154 F20101207_AAALKH zhou_y_Page_024thm.jpg
67e7bdf4ce755b26d5dbefc7a30519a6
4111655901a1254027ad68fae693a834217a5e81
31082 F20101207_AAALJS zhou_y_Page_012.QC.jpg
14b6d066c46677ef5db869e39c73bcda
20d48dfdcc250ff10997086b26ce5fa29a3b20eb
8065 F20101207_AAAKHF zhou_y_Page_078thm.jpg
a99007acd04aec1589cb9d89241d4503
5b3bc43f08087dbf5dbe5d3415445a30fe6ad6f0
8029 F20101207_AAAKGQ zhou_y_Page_062thm.jpg
d277c37821991071e70f17f8dd755a84
deb7cb9808dca67703e92cf2761034c0e5b989aa
34417 F20101207_AAALKI zhou_y_Page_024.QC.jpg
a807a941b9d5711f3d9fdd2675b9c737
913df8adaf96135bef906b8bbe3bde5f07f657f6
3826 F20101207_AAALJT zhou_y_Page_013thm.jpg
b44f4c11184c69377d09330793c50286
abca3cf4ac77aab5db4ff2cec7cb5581e2ca8ce6
F20101207_AAAKHG zhou_y_Page_164.txt
e5cf51848c8776144263630ae3f15c70
1ef28133a0dedd9d00e4f4e018b7a75709e3c3df
113443 F20101207_AAAKGR zhou_y_Page_092.jpg
dfcf5a8730074ed755cece5df4c5fe84
f0263880100094096c4b7093accbfbf26986e09e
33994 F20101207_AAALKJ zhou_y_Page_025.QC.jpg
80434186d530dcb0dfca1caa46ce634b
1790c2bf2b93daab0240302cff3394a20376587d
17721 F20101207_AAALJU zhou_y_Page_013.QC.jpg
9057b6cc9b255e1618c0a1ee51546f0f
827c17c7d06108d63dc211bd342c6dda680cb7a7
33742 F20101207_AAAKHH zhou_y_Page_083.QC.jpg
70a28513ae12631022e7ae8455f0e469
1d6a4a7e602bdab5f7ce2c8e30bdd75ad46de24e
F20101207_AAAKGS zhou_y_Page_095.tif
22bea8f4a51e0a248cf25e673a100c88
6f127530b6a05a603da6594859f6c190751db7b0
7350 F20101207_AAALKK zhou_y_Page_026thm.jpg
925222b6e00e8743a0c4e95dc027a6fc
5ab00e47e1213ee81e54ab2501b6c3476bfb7274
4271 F20101207_AAALJV zhou_y_Page_014thm.jpg
e75bd297f25c4cc5e280ef575c411535
c4e0297005e0300552fc2e96cc9b6aeb1a88045a
F20101207_AAAKHI zhou_y_Page_083.jp2
49c29810d07bf19e3cb8e277bb560c77
c0db7e835c8518be97565174eb43878aa0f593eb
6451 F20101207_AAAKGT zhou_y_Page_177thm.jpg
84018d9c3ad2db41a165d63301d786b5
d70e3cd6cb3a056170432e282e508520e0afafe5
17318 F20101207_AAALJW zhou_y_Page_015.QC.jpg
a7ad9cb62b77246a84de29d1e71b326a
051541fe10bc2a45e8f286ae4e3e5ea36e7f949c
115140 F20101207_AAAKGU zhou_y_Page_074.jpg
7946d52940ea3b83b1c348a20e561cdc
ffa7512857a5c1f29def16e25cd59a63acf5a324
20090 F20101207_AAALLA zhou_y_Page_039.QC.jpg
c8494b3c3a6ead129fac6800c92e23d3
619b59c700e3d26caadacbe7a93b0d09415cf5d7
7356 F20101207_AAALKL zhou_y_Page_027thm.jpg
5f5ab3c504fef738b9d1232647069f4a
521c0b731fd6fa4e9eb5a6217f109842fe4aa902
6699 F20101207_AAALJX zhou_y_Page_016thm.jpg
5447723bfd1174511da14b7b0d279da1
60c29557c98490533053193c3e3b2ee0a86f02a9
50166 F20101207_AAAKHJ zhou_y_Page_111.pro
c6e35c4ff6d825dc2b40d48fbd3d9447
de7da7a878bcc9c069ff48d0c37a83b940411adb
2124 F20101207_AAAKGV zhou_y_Page_196.txt
be2616876416d99522eb33d8723067d8
3462b2fba5225d5e99b91b5c8e464606a8de2cf3
6105 F20101207_AAALLB zhou_y_Page_040thm.jpg
65f04884a59aa3292f80b0a0469f2497
9e31628acf82956593d3030427a95dece0541300
6586 F20101207_AAALKM zhou_y_Page_028thm.jpg
279c3cb2ae4d66828bd7cb8eeb71f0ca
dee6a451e26d6a37915b96222d09343bb15cbc38
28440 F20101207_AAALJY zhou_y_Page_017.QC.jpg
1a2d9443457d0abbfc043fc24165f6e1
eb2b311c13e4cc19379314075f2d9e17ad5a0922
31213 F20101207_AAAKHK zhou_y_Page_155.QC.jpg
ebbf5586cd2f78437d8512076e5d76f4
6436718fc5f833292c0ce24c7039b51d410076f4
F20101207_AAAKGW zhou_y_Page_168.jp2
d7f390c1e0a1a6e7d49ec836df75d7b6
013f057e466c92001b805adf3e7ed249917e5655
6302 F20101207_AAALLC zhou_y_Page_042thm.jpg
a2b09849066e70e37b8b66eb6127b7c7
bc4f28f87cccb48295770e16c4e7540242ee1bfd
26039 F20101207_AAALKN zhou_y_Page_028.QC.jpg
730780201e0eaf22741eaedf1b12c701
454c52e1eb39be669c0328b700326e3cc21474ca
33228 F20101207_AAALJZ zhou_y_Page_018.QC.jpg
d59c590378b38a8c98f9ba5420d0952a
eadfc1cf1185c99d6440acd0cb61230bfda72fbe
32400 F20101207_AAAKHL zhou_y_Page_140.QC.jpg
6bd7d2608da367980d0cbc03c0309632
5e4d5a071f4fa2c4dd059d962d103ab1c55d3c81
27803 F20101207_AAAKGX zhou_y_Page_193.QC.jpg
fb6760f61851a87bca96f0f3dbf3f9da
fe0020b5026caa6017324159e142ab1cb774cf08
59355 F20101207_AAAKIA zhou_y_Page_011.jpg
a796d7c9b23a9ebf952519b783cf18db
d352852480e046d88a342a9508244d2a748d5add
24728 F20101207_AAALLD zhou_y_Page_042.QC.jpg
48468eded47507b7baf0fbd73e5db830
976042669357e2001795f747134671ddf83d21b0
6209 F20101207_AAALKO zhou_y_Page_029thm.jpg
9fc5ee21584af7e2f7af24829d655891
205454a4f96319c190aafe2aa23d2033016d09a9
53364 F20101207_AAAKHM zhou_y_Page_196.pro
09ff2078b9f5174cbcd99941e974a5b6
fb7545e465e5f81b02238b1a8efae38c21364719
F20101207_AAAKGY zhou_y_Page_028.tif
973d612812339a29dcbacd22e642cd6c
31e133ad3ded2a361faa75d75826d87639d33297
53601 F20101207_AAAKIB zhou_y_Page_015.jpg
fe151b46e2d00550e8f88f9331d627dc
6fd05f76f6be0bc071648eb69ff331ab925339e3
17757 F20101207_AAALLE zhou_y_Page_044.QC.jpg
2f1df1c932013ade95e14f8333771d0f
16b796b81bb356e29823ae52925761c625af19b8
23727 F20101207_AAALKP zhou_y_Page_029.QC.jpg
67f98685a59fd9f03cd68f4dbf33618d
b666662d682239cf93010675efec1b3783547a89
24490 F20101207_AAAKHN zhou_y_Page_040.QC.jpg
aeda62bab30b6a93e75ded690357d649
ba3ac44d2fc171161ab1f3ac97d21cc99e1708e1
50156 F20101207_AAAKGZ zhou_y_Page_110.pro
af32cf9c3f3dbee1cb3c5b47d31b5348
d12048ce81d239c34aa53c2b6d15f77a3aac17a4
94053 F20101207_AAAKIC zhou_y_Page_016.jpg
8b247e61e3e149abe6ab86881da4fc01
2bcfa6c4c6972ed8bbd1ceff56b4578c4bd9d78e
7105 F20101207_AAALLF zhou_y_Page_045thm.jpg
d5fcc55479c6327704fda681b8471123
0b61d6916f6b370534ef4c0b1353d96682d10be4
7841 F20101207_AAALKQ zhou_y_Page_030thm.jpg
57018b8cb0daf9832ab178f750ec39ea
8e34ad5b75250594a1caee7084a6fc8bef31ad96
76366 F20101207_AAAKHO zhou_y_Page_007.pro
7f7365be36093b2e003ef934f15dae05
4dce2416041065f3f2999ae02fee206b287f6642
90436 F20101207_AAAKID zhou_y_Page_017.jpg
6c1a8dab39269b90a9f1bc1c70b427bb
9c235aff5662964ed2f30184af27b4c037fb0df6
7853 F20101207_AAALLG zhou_y_Page_047thm.jpg
6396a7c11b730cdaed4e3af6e6751043
ecebfc45217c06c4a25c70ad974c099403fb62ad
33607 F20101207_AAALKR zhou_y_Page_030.QC.jpg
42bee03cc506191531e41cd4bd8a7582
6881836cce6c04e5979882eea0cdd3da65f13479
109383 F20101207_AAAKHP zhou_y_Page_157.jpg
8663b43facc3a806bf2ce749f801cc42
3b05ee46b9f279c0e0c15c51d5d4a522f2d3f758
106085 F20101207_AAAKIE zhou_y_Page_018.jpg
1c8a1c8d3623bfeede257a7edf4ea676
5df7d7626bd744f1b69e547a8d9b201fe7090930
8433 F20101207_AAALLH zhou_y_Page_048thm.jpg
f0544b48b87041cf51bbdd422f758699
71bc2b19e3e0d5cada86a093ec0e63b74462b74d
28700 F20101207_AAALKS zhou_y_Page_032.QC.jpg
a385d022aa58812279c5b1fb23bba974
a174891c3976c066d101bd565cee37f3711096fb
34573 F20101207_AAAKHQ zhou_y_Page_092.QC.jpg
978660ab5a4bdef049e24484eb53cec2
53d4567bae178bd47c35aeb165bf2db8560ff51f
121457 F20101207_AAAKIF zhou_y_Page_019.jpg
bf94a3376aa41d9d6a6bb17f0587fd35
4cff4b589997eca389e02135723e776de4a06d44
37714 F20101207_AAALLI zhou_y_Page_048.QC.jpg
d88dbd2aeb48cf098eda4fdc3fa7604d
b11aa76efb5d2ec5af29511478331b815b054d34
4619 F20101207_AAALKT zhou_y_Page_033thm.jpg
90cef69890994d771d9e4180642d8b49
cc997c5f42b494aa29449dc668feb82b7fad34dc
314028 F20101207_AAAKHR UFE0021161_00001.xml
02a65c9ca5675d48fd45c57e268c2d30
c9feb8e393ee1dabdcb00e9755a6198bde160adb
116203 F20101207_AAAKIG zhou_y_Page_020.jpg
acbb2bce357d174fe40f3fe580322a22
5db2d9b8f810a57fc636d22000d3b298c1a18554
7645 F20101207_AAALLJ zhou_y_Page_049thm.jpg
a6c993b49eff8c07dec81191c96eee56
7cb5c7c8bd3527b2819cd839bf17799cf75f271d
16882 F20101207_AAALKU zhou_y_Page_033.QC.jpg
f9203bf8881883e54ae75866d5e24296
eacb3cc6ed2a7f06b95cd75492ab5d00ece79d79
109368 F20101207_AAAKIH zhou_y_Page_022.jpg
c275b2ea7c8954580d554335e3c22647
5de89b7694747cc3ff852d0a66f404e724c5f652
33613 F20101207_AAALLK zhou_y_Page_049.QC.jpg
599b358fc367fb4197f8d374e5558af3
6f7845884d94995c72b91a21ec275b82a411a1c4
4949 F20101207_AAALKV zhou_y_Page_035thm.jpg
05f2651bdfacf0ca935bf5b2755198d4
5ac32256990de28710e9828978fdcd2a35c48e66
115325 F20101207_AAAKII zhou_y_Page_023.jpg
9a0d33a2becbecf95d682511cea1012b
c4ea0322768921dc50c5c85a4d156196a815e527
6567 F20101207_AAALLL zhou_y_Page_050thm.jpg
982f55a281c720babbe946a191f75793
4791c00e5f2dd4ee36dbef28742d3b45f11ceb57
17815 F20101207_AAALKW zhou_y_Page_035.QC.jpg
4163c4d3aab6ee10bbefa07897fae3d2
47ba2d221b93199d47141bb14d3b4416967b3d67
22805 F20101207_AAAKHU zhou_y_Page_001.jpg
49253471a5a0bc95fd7dfe62723714ff
59cabeffba68c198636ccd121159ef6a3fcf5583
110345 F20101207_AAAKIJ zhou_y_Page_024.jpg
2b093ed480e99a372aaca67eb70b5d8c
d07a005630542764254245690f1ba4b53212d4a4
35233 F20101207_AAALMA zhou_y_Page_062.QC.jpg
8549fecef2a2d989156f917a63bd9353
1eec631d5e1832f18066f8b754c211e9f5556e84
33838 F20101207_AAALKX zhou_y_Page_036.QC.jpg
747d39d0e3a6cb67970b1dd3418ef625
a765b3fcf849507631aed68756bfffc20db20c65
3532 F20101207_AAAKHV zhou_y_Page_002.jpg
3cce7be4a2d5a26f9d5c0d8033aaf3d0
ad684752abd41324485ec84cd8fb670c6a605201
37142 F20101207_AAALMB zhou_y_Page_063.QC.jpg
32dca59b6e293bd9ca1268a95becbc21
85c24747187a2556a2c8822d5263911f4f92e643
28459 F20101207_AAALLM zhou_y_Page_050.QC.jpg
54f2045b555dcf4f11b31395ec16945c
41e9abe1bd7287e6643c89a9e82f20b6f512e223
21769 F20101207_AAALKY zhou_y_Page_037.QC.jpg
d0db0a5f35d297288fc3053fe87d6eb9
96b72a34cc253a757e74d1501ff91e1cdd829cce
3084 F20101207_AAAKHW zhou_y_Page_003.jpg
2dc1c4e8bfc9d027b2a15169f2f75425
9faf6b97f24a4236411fa4d881e94295b454b254
108223 F20101207_AAAKIK zhou_y_Page_025.jpg
6829747a67358729d0ef132e5f1f2849
e473b1f172f707f7dcb1cd469af93e1a8eb0b756
6978 F20101207_AAALMC zhou_y_Page_064thm.jpg
3f1e5d4dab211a0ad2c76976862a73b9
46d8d2cd8838345099d0e6500b3fb795b97a367a
7956 F20101207_AAALLN zhou_y_Page_051thm.jpg
5bed49be3793ce7e8124f047a8c2f785
47f3e42829d79375ef10326e099983f57faed83c
5289 F20101207_AAALKZ zhou_y_Page_039thm.jpg
254e4058894c7440aaa2d0d59bab91e9
7711366808cd708cbaaa9c3c415280b00ad00ee7
132312 F20101207_AAAKHX zhou_y_Page_006.jpg
5916387f349b95fd7de06eabcb87fc2f
ae6c8cd8a8fcdc48b1770d8f9eb839349c735922
104454 F20101207_AAAKJA zhou_y_Page_049.jpg
5b42ed21c08efca7aba6a2261161668d
99cd78424802834722ae8957184a37e683b92471
91092 F20101207_AAAKIL zhou_y_Page_026.jpg
0dfa37aa80b4b8a0ba5b21a392bca211
4c357a0dca41f8714810e3565215e04c5a1c93dc
29869 F20101207_AAALMD zhou_y_Page_064.QC.jpg
e44412d25a058e832d448a49474db68f
8aab61dac1e947183685c7de9880b6b2bb80b7e7
34390 F20101207_AAALLO zhou_y_Page_051.QC.jpg
be4df368c11cd90dde416e1d2648c6a7
f325d14ba3a68dbdb003cf0840d7d13d46ab611d
128934 F20101207_AAAKHY zhou_y_Page_007.jpg
37dc833b8c5c26b05e9c2cfc1ef6678c
eaed67f99c54889526213eb68d4e48c83d723bd4
109563 F20101207_AAAKJB zhou_y_Page_051.jpg
f992aa558ea1b06c0bc596a05073bf89
3311b5c4586686fb02986af65ed4d2f252d66139
91562 F20101207_AAAKIM zhou_y_Page_027.jpg
b470a6f9da466798b2585154eb8aa392
7b437edf3d12bcfd8ee7c2c5cd8ef5811d3a3b01
6169 F20101207_AAALME zhou_y_Page_065thm.jpg
9eba8b365e487ea3ee953cf1a8445631
4b37af9b8a2e5cac2ae5f4f7e9f3d8bd1e301af4
24042 F20101207_AAALLP zhou_y_Page_052.QC.jpg
c2460281c17df2d82c1546c491869369
91480a204e03b6d34cdcb579cb5df8f9036238a0
124432 F20101207_AAAKHZ zhou_y_Page_008.jpg
9e3d2d77cc457d7629fd7b9f9a2287e7
5e56c11c3ce56f4eef6dbbbcbbf2650eae624b11
76082 F20101207_AAAKJC zhou_y_Page_052.jpg
f7152391a817df115317ffa32771b480
e55955b94eb79972623139c1614ff407dc00445b
72894 F20101207_AAAKIN zhou_y_Page_029.jpg
f47e0e400ff232b0d7d8e852b3ef6b9e
9c977a43af68cc36b448c22598b8dfaf8ce21c0d
26035 F20101207_AAALMF zhou_y_Page_065.QC.jpg
3b9f4249ba12e736154dfbfee6cb2f4a
927772b3d3143ac306ab4feb32b2cc3c3d2e279f
36267 F20101207_AAALLQ zhou_y_Page_053.QC.jpg
c6d9a1f81d415493f11214c96836750f
694493eb0ead2dd2ff02d7f1c0a87cb0dcd2b263
101225 F20101207_AAAKJD zhou_y_Page_055.jpg
a8f49b83ee4441537784cd988f7544f0
e858668cbd9be4dc9e865221bc616de2ce5567ab
51359 F20101207_AAAKIO zhou_y_Page_033.jpg
f28045f4bd7fe79076bbf2ce6122243e
c9a46bedb4db252d705b21d6770dbc70c828cfb5
8254 F20101207_AAALMG zhou_y_Page_066thm.jpg
8113e726d9990cce42a0a0a5873b3fac
dc6c2c597075177ab85a21eeadd75525abf5c5b9
7924 F20101207_AAALLR zhou_y_Page_054thm.jpg
35cd18ddf2532c09a5a7c94fc2e98305
bf7a82c8c55a9bd6099104d1c7f501e5d83264d4
127144 F20101207_AAAKJE zhou_y_Page_057.jpg
116a26e6ba6f42fe5b8f3c9aa6abee13
7748bb7295ac9d7d26897659119d1fd5f4a14254
82281 F20101207_AAAKIP zhou_y_Page_034.jpg
1c210666b6a7f2a8823b859a26b3d6b8
b87cab90a6ee19cfbf07476feb651c6b499b703e
34559 F20101207_AAALMH zhou_y_Page_066.QC.jpg
dce34ff4651f997399024c08e5e300e9
e9c7a4a4cd85b0a9fb1cbfb87238dd68c2602306
34881 F20101207_AAALLS zhou_y_Page_054.QC.jpg
6dc024a2823a51c1f68fa8f4489ea60f
bd018c301ee4360276f890dcf5d10a9095ea3f05
116531 F20101207_AAAKJF zhou_y_Page_058.jpg
e3cde59fdc4bfbaeb7e08c78a3a352f6
fed4b52f321b9cfcc955c4e4965ddb81e09d7df2
107912 F20101207_AAAKIQ zhou_y_Page_036.jpg
d871dcd689ac0fc15a3a9bd350ddf178
3abcc2b57237e6c41cc322dca4fbb2712c23826b
8075 F20101207_AAALMI zhou_y_Page_067thm.jpg
454127e38bf206ca7a6dba3d887cba5d
724597acb45762b7f88d0a8bc59c42cc1d9aeaf4
32534 F20101207_AAALLT zhou_y_Page_055.QC.jpg
6ea5b0d91023bb5fbf2c24ac94891158
8e5c82ce9f53da1338fd327b41a780b8a93aa2e4
97731 F20101207_AAAKJG zhou_y_Page_059.jpg
642ad4b892611d07c118cb5a921c0bbb
980b2348493287849f8ebb1b6b9a677361b14b82
52522 F20101207_AAAKIR zhou_y_Page_038.jpg
911b518a9c30915eb8728f4bbbad93fc
d4af9405794444d40a8db640cacdb85716c19373
35042 F20101207_AAALMJ zhou_y_Page_067.QC.jpg
e8466cd113e385f2988d2172aa77d7b0
09e3e74698889dc0acd638d78ab05832b74074ae
7695 F20101207_AAALLU zhou_y_Page_056thm.jpg
2dd5bd8313d501bb483afc443273b8a5
f3aaa5db4d6c9fb0457cca8547e9608f18b941d4
99197 F20101207_AAAKJH zhou_y_Page_061.jpg
c7f8daf8f1bcf23d1a7c7dd4695f3c38
3eb3d8f7343c663097a72726b0f607c48af38153
72827 F20101207_AAAKIS zhou_y_Page_040.jpg
a082f2548a525ac25232d76ee9637073
3dfadb9fe76c84578a78f51a811f1d1374cc534f
8080 F20101207_AAALMK zhou_y_Page_068thm.jpg
51f1d8e86cb74b8035d08a37bca4921b
1b0e30f9bac5b11a139b97fa518bf661305666ca
35971 F20101207_AAALLV zhou_y_Page_057.QC.jpg
dc993bd1ec9281486d231ae9b28c8353
69ba59dddc03c7167f4c2cfa4913e8ccf805402a
113745 F20101207_AAAKJI zhou_y_Page_062.jpg
e115eb6a20cabc71ddacb038098934fd
03a495a81467c2f400db15b0e363afeab5175bd3
66278 F20101207_AAAKIT zhou_y_Page_041.jpg
13bdbdee39514f676ac0f2644b1c48d8
415df52796627c58033b166a7cec7772d30e10c0
24192 F20101207_AAALML zhou_y_Page_069.QC.jpg
815c45e3a18aec02ae09168cb3aa41f7
7dbcd67724e833cb92e52c9b7c0aa12ca1fc6c79
8315 F20101207_AAALLW zhou_y_Page_058thm.jpg
134e2d6c74245a159864dfdf6d66be3e
39dd7fae72f71b91d0a9fc8e609a2aff30cf4f53
117334 F20101207_AAAKJJ zhou_y_Page_063.jpg
93ecf6ec2872701a97d3750168106cb7
396b70ae90431cbdb6b266a58e2a29cf22c0f2ec
77949 F20101207_AAAKIU zhou_y_Page_042.jpg
d6d44f0a3a7c253321f7ef5e477b919c
d4cc21e8589e08e542d472c45f43ade7527ea495
8122 F20101207_AAALNA zhou_y_Page_083thm.jpg
0e53a3b154d79a95cf1f1512e029c519
f625b64168d4ca30b5cf07f51a15c1bee1e3c144
6133 F20101207_AAALMM zhou_y_Page_070thm.jpg
98722475c2658c38fe3a91b9f7f5dc33
45d66450f43d3771a3c18c2037c32071432a38f3
31340 F20101207_AAALLX zhou_y_Page_059.QC.jpg
3f5d63e1734d280fdf3d8a4e519cba09
be4e3c60e5461b184d476450d221ae8defc5a18b
94180 F20101207_AAAKJK zhou_y_Page_064.jpg
3312f76adac1c04afc427c0f413ce4ee
9d3c747661981bf02fa80e26bd4cf5b744a314aa
88345 F20101207_AAAKIV zhou_y_Page_043.jpg
03beb012e97d8c7e4f59e7d6942ad755
8134aa395758f0e2e9a70bea7cd593658184be59
7060 F20101207_AAALNB zhou_y_Page_084thm.jpg
8a61c512322178d5dc5a4ad091ff1bb2
1448554f84f51dfc3d100ac3df1db685475f3993
7035 F20101207_AAALLY zhou_y_Page_061thm.jpg
cd051d37fa606bf68bcdcab86e7e921c
7c8cee22c8cc278166cc0146b4beabf910a0defc
62800 F20101207_AAAKIW zhou_y_Page_044.jpg
e8faa8be3d91611e4963251cb0c23113
cda093d496b06db0ba818a7b7f3534634a0e0a83
7552 F20101207_AAALNC zhou_y_Page_085thm.jpg
45d0cff66fa48597c3e3da7045884467
15b67dd39b16b3df8ed2e03e3d92e32f98580ff3
6870 F20101207_AAALMN zhou_y_Page_071thm.jpg
252dd92534a0a785a096eddc09d3e342
028c962ae4f9b2063de78add0b8797adb7b9dcbc
31083 F20101207_AAALLZ zhou_y_Page_061.QC.jpg
fd556c17d1b4c05943788aba2c4c3df3
86cd9ec01a4282fd3a4eb65da6afc374a14a064c
78601 F20101207_AAAKKA zhou_y_Page_089.jpg
95a51276b68f34c46ea42558331b3aff
9e515d45994d78cbb2d23ee30d3dc410230d74a1
109079 F20101207_AAAKJL zhou_y_Page_068.jpg
e03908bd6e24d49aaecd7fa438e218f2
6fb5eff8b855cd664e289052336e7d20014a64f2
88255 F20101207_AAAKIX zhou_y_Page_045.jpg
63cc4f876361b8066c1f883a292b9cff
31105a9d1c79ae13db9310a9e22f36a8a8e68eb3
30961 F20101207_AAALND zhou_y_Page_085.QC.jpg
ac4edfd51cef54dbdb49981cbb58babc
bfcd87db55d92c9dabe9715d4195eff3c5ba359d
F20101207_AAALMO zhou_y_Page_073thm.jpg
88d856cec445d0a40e39e083d5fffed7
5f3d9e7a6df61bcf369bb5050d4cd036b08d7ccb
107395 F20101207_AAAKKB zhou_y_Page_091.jpg
58c1e123756d684fbf041105f35b1654
f178dd62d5eb1f44af01f04b21dc8ba82ce3407d
80541 F20101207_AAAKJM zhou_y_Page_069.jpg
f86e476a0df76f80bca261b87ac1e095
34f5536cb208045c9b02b1b3bdcbc1528541b1d0
108699 F20101207_AAAKIY zhou_y_Page_046.jpg
c17b080f239a014779cc09d134a19135
49b5d0b1a637a29da1631a916f0eac8d83690db6
8632 F20101207_AAALNE zhou_y_Page_086thm.jpg
84b2b42a6a57bd1ae6b59322d7b8939f
ff114c4b072a3859388324a68035d1d4f41ffb40
8189 F20101207_AAALMP zhou_y_Page_074thm.jpg
f68f733c54f27d5dee699a3b7a95d318
a7e10d108356de13a11a1315585e55e97e55beaa
101016 F20101207_AAAKKC zhou_y_Page_093.jpg
bb126d6a5bf167ceac7d3061126860eb
67b8829ac980be5eb1cce2b203c27173e6d4abad
78490 F20101207_AAAKJN zhou_y_Page_070.jpg
601bb3985c54c63ac747c988444f8b41
07c4f9516949377ed79acdca72d7946c905e50d4
121146 F20101207_AAAKIZ zhou_y_Page_048.jpg
dca04860e6b11d05a2a0126da9f8a230
d0277effceff0891b5cbeff3180ba6dd8c7217c3
38453 F20101207_AAALNF zhou_y_Page_086.QC.jpg
077d405c5e31f5607ac2ee1a5f58f148
e0ad068d51cacd3db49bba160e2e3a5e6b047e45
5203 F20101207_AAALMQ zhou_y_Page_075thm.jpg
70f5e66b9bc8b5ef29a9696281644cee
a3bd0b6b9ae2b366b379cce25df1c181b9d8a8c0
98738 F20101207_AAAKKD zhou_y_Page_094.jpg
a2a0c79bde45502180cf8ee7d65cde13
6690ec468e762b2a9b681f07bce8f200dbac1eb0
94149 F20101207_AAAKJO zhou_y_Page_071.jpg
8376b56a5134d7e4be11d76801c70373
49e535ba9635ca107abc7d0910b9136ff29f65fc
30986 F20101207_AAALNG zhou_y_Page_087.QC.jpg
443d46beb9d0770927f745ea3c566b4a
9c96ef81bab4c0c857f851684c47297739369ee8
18901 F20101207_AAALMR zhou_y_Page_075.QC.jpg
d59083b6e6342d2f4cdd775055e244bb
3c84051a7f411d45b2dc38655507a961a888f9be
97608 F20101207_AAAKKE zhou_y_Page_096.jpg
7159740dbb368957703b046d9c1fc952
7df29c8a669b3eb804256566429ff572d3aa6710
68738 F20101207_AAAKJP zhou_y_Page_072.jpg
3b1c991892225929087e22e0c5bc6729
c36a62eed596f7c7837129c8b66135f2a4448a58
29455 F20101207_AAALNH zhou_y_Page_088.QC.jpg
a67598965b77b10582c8979f783bb2ea
9ab60361691c53b132c37a7969e5af3132ea13a0
12065 F20101207_AAALMS zhou_y_Page_076.QC.jpg
bbcfd9b5f6bdf69ecaae2bfc84ed9fc3
fe705b4d3bf2341401cc8677cb4f9298a4c5e500
98680 F20101207_AAAKKF zhou_y_Page_097.jpg
b068cca4ad6822f97099a88f9cef398a
05dd0a361f6b89762fdfbff8669289d62eebaffc
92215 F20101207_AAAKJQ zhou_y_Page_073.jpg
cec666a9c107252be5ad69c627002e84
350e00810fba6265b72873579e761bdef6486726
6304 F20101207_AAALNI zhou_y_Page_089thm.jpg
aba534dc3a114aad409b8787031a3434
33ee7c9717b447e6fd593a9a6d0955f75ba9ae14
8178 F20101207_AAALMT zhou_y_Page_077thm.jpg
a2c59936096b6948b9d6945c256563ed
60ce55e1e31bdac05ad948dcb4ce330585b2efcc
74233 F20101207_AAAKKG zhou_y_Page_099.jpg
c6df7e64d03199bb22704ae6bbc604ff
d1510bf7898a3dc0017011e445ae246c42e586c4
41024 F20101207_AAAKJR zhou_y_Page_076.jpg
7938d7ef334b77020db24e682c1df19a
4f164f456d42ee94dc5e2fc992f5e15828e86e77
24262 F20101207_AAALNJ zhou_y_Page_089.QC.jpg
5fd4b89331fecc66aaa2756f3453745e
ee5b6e050448da1548e5a41cf6dcf621ad7cf548
36580 F20101207_AAALMU zhou_y_Page_077.QC.jpg
b9c129e9c06af79b06025ed973755a70
c646d1ae07b7645b4bd267a771c1cf9fee0c2391
90212 F20101207_AAAKKH zhou_y_Page_100.jpg
c62769cc6b50e3308d7993cae13a5e92
35d8d5f21d887b81234b917edfdbcb35f624134e
128975 F20101207_AAAKJS zhou_y_Page_078.jpg
0acd55f5131b1ad042f6f7aba4273252
5bef55a8ce080b4f50528c526207354074434d69
6570 F20101207_AAALNK zhou_y_Page_090thm.jpg
d35d2765bce864875785c492cb446a6d
4a29a3568c59d74bcd9fe4d6d83b0c44db26f322
34259 F20101207_AAALMV zhou_y_Page_078.QC.jpg
dcbe23aebca90ecc77ff81f3a55bde0f
0724faf71a9971a8d6467462c42ed16c5a0e19f0
90590 F20101207_AAAKKI zhou_y_Page_101.jpg
975ac661326106cdb2cff0504a09b6f3
55407ae9ea3aa7ebfa5d0f0e5069dac04119b787
108645 F20101207_AAAKJT zhou_y_Page_079.jpg
d078177ff7a4a5bb9491a27473cd6a12
f0be6bfe6b9a1b3d9f8c35aa1fc1a3adc5e994ac
23644 F20101207_AAALNL zhou_y_Page_090.QC.jpg
d8485b1e01728ef6f92872f36ba80b59
230187b09a7de93b80ec273215e59f9db33750d2
7965 F20101207_AAALMW zhou_y_Page_079thm.jpg
6953900a13013fd80ea6c7fba295fcdf
4311a640e78a5203f85d1e44e3a35a4cddbb16fa
102887 F20101207_AAAKKJ zhou_y_Page_102.jpg
ccdc41b297cdea14ce9aa21245dd1b28
76778d14cb94b9e6668fe13ce29a06314ee8bc9f
72050 F20101207_AAAKJU zhou_y_Page_080.jpg
4a5594722e9d92c6f4c48973c80178ee
01b0ac63a4168490437e7af1ca6c830a8f832401
7020 F20101207_AAALOA zhou_y_Page_100thm.jpg
630f234a7c89e156703affc89822affb
a84902689b92937271c2a91a4a1fcb6b1f75d566
7842 F20101207_AAALNM zhou_y_Page_091thm.jpg
03ac89809e5ea0588432d9e811cc8486
ada7c8d70af63171ee53fcd94c18ff1b40edcf38
5966 F20101207_AAALMX zhou_y_Page_080thm.jpg
5f99b003b998d95c896a78f11eb83ac9
6085f4470fa4a5129f7ada63dc13f2a50f7d854e
73722 F20101207_AAAKKK zhou_y_Page_103.jpg
f0bb9d0be42d671785bfb94b584898c5
6c4f0839ba3bc47b79d9a61b082f63df011c777e
96953 F20101207_AAAKJV zhou_y_Page_081.jpg
12ba7d66a6fe85e981700e96698957c8
a0241548d51b448261a55717f643d6484f983248
28695 F20101207_AAALOB zhou_y_Page_100.QC.jpg
70423123a4b5a8f61d4baa26b6d42736
0baa5e7f329a2bab7d76f9b72499264930112c95
33803 F20101207_AAALNN zhou_y_Page_091.QC.jpg
2bbaa59141dbea37b98fa57397cdccad
ebcbb63ff54067cd1a06ca75a62bdddaddb9830b
23416 F20101207_AAALMY zhou_y_Page_080.QC.jpg
7f825e6dc139dcec149b6f698c39ccb4
78623a6649366ba63a0891136fcbe473c43578ef
76541 F20101207_AAAKKL zhou_y_Page_104.jpg
066e41d30a924e3f5cd8c7144eed1d5f
8d968ab686521fdce9ea7e24c26386808bfc57aa
96496 F20101207_AAAKJW zhou_y_Page_082.jpg
fcc306baedbaa727340a25ebc9b3ef45
aa063c349864a822ddadf25205b382e5e28907e9
6629 F20101207_AAALOC zhou_y_Page_101thm.jpg
a404a59988641f7d0d89c34f60d12503
43f8853a52b98d3ab28d79a233a43a8b6e98b897
7157 F20101207_AAALMZ zhou_y_Page_082thm.jpg
816296f624e5b84483c535b8a8e8d959
5afe1621710d976334dac50bf94f2ae959f5c786
96483 F20101207_AAAKJX zhou_y_Page_085.jpg
4b3cc741320d6ec568b2835b74a8f6f9
74868ad904856f97c810d42eabb23e3b91db8d64
108952 F20101207_AAAKLA zhou_y_Page_122.jpg
af7a80fea0edfe43e2488746b94b4eaa
cc41967d4d48ac25486511ffbaa3a92aca9a1001
28649 F20101207_AAALOD zhou_y_Page_101.QC.jpg
27c72a50da5e8f51dd509680cd790f4c
4fad2574c0160e57f9081c4bb85ef7465db449ae
7314 F20101207_AAALNO zhou_y_Page_093thm.jpg
ee4e716695cb0ed8a642be8cddb17517
1283c9df6f95a025b687ca15f8d822c329788f31
103105 F20101207_AAAKKM zhou_y_Page_106.jpg
0d5de8c26b84e55a1358e475f751eeb4
f081652c2e85ee5511f993094ddfbba67cd720a4
122641 F20101207_AAAKJY zhou_y_Page_086.jpg
b85edcc7fc3ce7b341f6c63d0d285132
5c2bd1a78d1d002a5f87823f13300f3e30dcc0b4
118670 F20101207_AAAKLB zhou_y_Page_123.jpg
a175aae5aed1fb205fb653d11a7893dd
7d171e99794ccc9d4cca22670387b36f5ebb326a
7446 F20101207_AAALOE zhou_y_Page_102thm.jpg
5f86fa11e81b31b73ed1c6d303cf1b96
7fa62a71b126c19c6530e9930ba86322e489a2e6
32021 F20101207_AAALNP zhou_y_Page_093.QC.jpg
780943a00e0cd3dadbd469c640e723bb
0224839cf66c55720ed35b6dd3f946d2042b448a
108363 F20101207_AAAKKN zhou_y_Page_107.jpg
fe93355054a792c7a6b9e97f88f3871a
6fad7f8e12a967b31a66f4a992debb2d002022d9
98137 F20101207_AAAKJZ zhou_y_Page_087.jpg
b987794d18d93183bd8ee809055aeb56
9305118a9f2f07817f075260b9aa6fbaa3fe2d9b
108193 F20101207_AAAKLC zhou_y_Page_124.jpg
8b0b3e0c42d2bbfdc32e098765d365ca
19d0fb8e693c326f71ddeedf0ee838a0fc3bb489
32642 F20101207_AAALOF zhou_y_Page_102.QC.jpg
19cee4d2eb3a716c85c94fc358d63fc8
ceaa5a80e104177116752afccbbb7f1e714f64e6
7674 F20101207_AAALNQ zhou_y_Page_094thm.jpg
ae4cb34b43bc7e5f3b98a9111841a8fa
52b6341ff8ef1e525a1912a662194b9dfd398c74
91291 F20101207_AAAKKO zhou_y_Page_108.jpg
123a256ccfd2f3b81af7ecdcbf2a9ead
03abb956d25165a22588edd1d9f9e3b218ad2503
104662 F20101207_AAAKLD zhou_y_Page_126.jpg
c3735889d652032a12769bd5820a45ee
1cb6a7dd517b4a2a0d8e4f439f251daebd6441d5
6152 F20101207_AAALOG zhou_y_Page_104thm.jpg
9af8f2745464ee77c2eb413a558098bc
3ba45616c655109c31b610badecde446461bb89f
32436 F20101207_AAALNR zhou_y_Page_094.QC.jpg
c91c8298ffe6ed77bafe8f0c4bb2a84e
19267c0135831f018a81347340c44aa661bb14e9
118399 F20101207_AAAKKP zhou_y_Page_109.jpg
825cce5720f574c0a5924d8aabbce7be
849a45ed6fc0d9ec4f418192bd1f95495c69f09d
109872 F20101207_AAAKLE zhou_y_Page_128.jpg
7c5966e458530553f3a85ef20396b0ec
cce3f8011b0e72b205fa15c85317f676bbee2463
8117 F20101207_AAALOH zhou_y_Page_105thm.jpg
257090b601cc9cc030938b9d5aefb9fe
59857ddd633f067d2632d44595a1bef2f3f6dab3
6670 F20101207_AAALNS zhou_y_Page_095thm.jpg
0f6d0eeb69b66739923e1be1b5a65ba8
20f20b43b86eafef02c109bcf306363e931f8bbd
97288 F20101207_AAAKKQ zhou_y_Page_110.jpg
f5dd9d6626e4bdc0ef9aa18223a005b9
2e48efdd5ce8e8c27129168157c953610f71ced7
109587 F20101207_AAAKLF zhou_y_Page_129.jpg
1ee50ada2da1045259c6ac2511723667
c56e06b8cc3aaea54936728c46e79af63de7c5e4
34969 F20101207_AAALOI zhou_y_Page_105.QC.jpg
917c3706c19108716e8e755018cd8ce9
9d837355b9a067b69ae320d59962d9e3aa3b2703
27622 F20101207_AAALNT zhou_y_Page_095.QC.jpg
8bb0372d10abd8484294cebec2d7ebad
f5c2b340c1f6621ef8fcd65f500bdaa158d169e6
100036 F20101207_AAAKKR zhou_y_Page_111.jpg
14ebad8ab25c15a9a30db502d69b7821
e57611bd98c4c246a9ae0c7433e93abeea5e6bea
105017 F20101207_AAAKLG zhou_y_Page_130.jpg
4c4ccc412062b635880bc0cc4eff4683
4628b025a885b2e425161abbb835ecabf6e203a6
7828 F20101207_AAALOJ zhou_y_Page_106thm.jpg
c0935a66287c91841a4e1315fd5953ec
6b6c27aad0174fee87be512fa9a9753046244ee4
7736 F20101207_AAALNU zhou_y_Page_096thm.jpg
390218e29eef7611f0e140a3e8f46bd5
8e9a5a0cac95311276cf50f57a2bc02d1dee2628
95851 F20101207_AAAKKS zhou_y_Page_112.jpg
f333402ad9c84d00a563ff59d7b9fec0
9b64a22ea7caf8a0fc56c57304afc0c2cfad7da5
100305 F20101207_AAAKLH zhou_y_Page_132.jpg
a29ed663593fefb68961e1b2f2b369cc
2d55a160df379946c8af040bbe268b241d454c79
32828 F20101207_AAALOK zhou_y_Page_106.QC.jpg
f1923281a18da812f514635511c67e72
31e4b97933d8a5591143309a4d8eb4e0119707af
31550 F20101207_AAALNV zhou_y_Page_096.QC.jpg
daf95a6a976ea0f75d3dea9b435c7b07
2096c4b7c6ff4635222d54ce9e8ef03dc2b1c91c
102490 F20101207_AAAKLI zhou_y_Page_134.jpg
c131edc82839f76d39a743732a1c788f
55b53405579cc41338c9753e347229c9af4c850a
88812 F20101207_AAAKKT zhou_y_Page_113.jpg
12dd41f81fda9573acde73c7a50dacb9
960125881ebe5d982bc945ee5d14aed47e81a56f
8031 F20101207_AAALOL zhou_y_Page_107thm.jpg
90a81e540c1990157ae64153db35296a
e506a95732afbd9f21fa4d2e10a100be848bcfdc
7590 F20101207_AAALNW zhou_y_Page_097thm.jpg
ebb2fb1a15eadc64c1abef45ee871385
93a0d4ef35d67fbb47839ec53a1e424447af8c6d
55043 F20101207_AAAKLJ zhou_y_Page_135.jpg
8dba3701001b45944298b5165aed604b
58498047dd5524a3599acfed7dff64ca5e08aefd
95945 F20101207_AAAKKU zhou_y_Page_114.jpg
564a2f6d59e865e6e9e58a42150b71df
cb65872e3be76bfaf4769660a05a5c28bcd75894
20751 F20101207_AAALPA zhou_y_Page_121.QC.jpg
b327b9d1a9d70ab62479a5fb83e95806
2c8d2b4e26d3f97ddcb854a4911fab542092e8d4
34057 F20101207_AAALOM zhou_y_Page_107.QC.jpg
27066f8dc0703ae9bd492973cff8fc8a
fbc7d5331fc4dfceb2bb44f2d83f8207ac5779e4
31770 F20101207_AAALNX zhou_y_Page_097.QC.jpg
4723164b15e1fd2114c964c87c99d3f2
1cd26b395b6779a94108e95a81bb09d082a35882
72331 F20101207_AAAKLK zhou_y_Page_137.jpg
eaa6dc1cb87a60f7a6eb60909385b536
ef1709d39c4db143613e393ba7aa09362fdf294c
111610 F20101207_AAAKKV zhou_y_Page_116.jpg
bb4ffd3226ade1cb77cd0573cae0afc4
12f76fd951658dfe8bc1528e78cacfd226b58410
8022 F20101207_AAALPB zhou_y_Page_122thm.jpg
88755f2c5f08487803b323d7ec20888d
82262611e1621c7de462caf280ef5849c6ba16ba
6998 F20101207_AAALON zhou_y_Page_108thm.jpg
75ab8b40d50b792a3330e33a41e5a896
aa4c469304007f801c5ba83b0968eaa689285c30
7187 F20101207_AAALNY zhou_y_Page_098thm.jpg
b277766ade755a99b3cf236f4c0ca7b7
93638095d060a35772769b5de1feae9cc02b9311
101053 F20101207_AAAKLL zhou_y_Page_140.jpg
f1e9b15a6a51ebaf35907a248edec753
0e6a2bcb65bca862c15e37e478016c4cc9de6345
110928 F20101207_AAAKKW zhou_y_Page_117.jpg
4a6adfb3f8f9293256bdfd206a988bac
04969e57d60a508d2b05a43631d6ce437b7d3b7b
34114 F20101207_AAALPC zhou_y_Page_122.QC.jpg
f6db210b044f8f091ca4b19297f6e2af
112e75bf81f56e8fac6137b45bbbebbae80c1e09
7438 F20101207_AAALOO zhou_y_Page_112thm.jpg
6b9ea2b8d2113d8935e79dc0627bc6a9
c74f6761a104de89a76106b0cbdb60e8d2e9748b
25425 F20101207_AAALNZ zhou_y_Page_098.QC.jpg
5b6df64f345e87a18606d0df6ce4e881
d494541d3ca685faef7713ea4100895362123b1f
114055 F20101207_AAAKMA zhou_y_Page_160.jpg
892e59069df653500f2cd10d2b9c3bcd
ce6fda43c00523a36f515755d714d662db2810ad
116527 F20101207_AAAKLM zhou_y_Page_141.jpg
34bfa1f41a19fba006363321608a4c58
b697e7cf76ada8da5235ac7c984097c7eee63f7a
107765 F20101207_AAAKKX zhou_y_Page_118.jpg
05f3cbad480a89136b21c1ba82294615
9fde89b547aa62fcf06f1882769fcc36a936c537
8158 F20101207_AAALPD zhou_y_Page_124thm.jpg
2f02b9d9e96a33b261e8e6f28459f212
f8705fe16138bc9615c91eae0010244481cc3289
110071 F20101207_AAAKMB zhou_y_Page_161.jpg
2a5e8306f79a4fa9dfe5ffe2bd8042e2
bdcdb550d2ab057ec608cbe3571bd4401445ab9b
119381 F20101207_AAAKKY zhou_y_Page_120.jpg
28bd234e24a7143b188e88c0981f4625
58f7d4ad21056d899733679d874c502996ec0488
34608 F20101207_AAALPE zhou_y_Page_124.QC.jpg
3aa7b26f6c679633ed4e50de5ef4d059
2c23eca47692d14af200099431df580caebcf0f8
30282 F20101207_AAALOP zhou_y_Page_112.QC.jpg
d1f5d550567efd63ed8f5e47b9bda1db
f7e3fa71ae6cec992736d35f3b61d46cc0163941
100970 F20101207_AAAKMC zhou_y_Page_162.jpg
afa48d3cf29311bc5ecb87168a220670
36cc145437997cfad9a467fdbbc723bb7f239449
112526 F20101207_AAAKLN zhou_y_Page_142.jpg
90ed201a353f526275075049e71ce966
a15a38c9e216c79bac5504e7fe0426b62365f8f9
65059 F20101207_AAAKKZ zhou_y_Page_121.jpg
0daada57572490ebdf1c6d6a32171e98
876e548a102f516d0366b79e51f01d3589e7d1fd
35430 F20101207_AAALPF zhou_y_Page_125.QC.jpg
7c3d48e5014283e376fee3ab6da422ff
fb72c39cc2f5e358f0d5767c9e9d86e33edede29
27680 F20101207_AAALOQ zhou_y_Page_113.QC.jpg
bd30f6b9b85e9cce6a940c7d7d2f75db
c17925966b6c876a19443427ebdc09dac8e006a2
91294 F20101207_AAAKMD zhou_y_Page_163.jpg
edc104f98812f987c91a890ae2e2f279
010da6af69e5944f6f8b72b041197a7947f25293
118077 F20101207_AAAKLO zhou_y_Page_143.jpg
1e0441310bba5bb14279280ce09de1bc
70179813393b4ba376bc7d002e78a4fb3319d5f4
7616 F20101207_AAALPG zhou_y_Page_126thm.jpg
c2e24104b2cc6d0fab1f0cd7d70a5ffa
f15ccaa795c4ef6e3fe25ad85154a7d73d64be36
30463 F20101207_AAALOR zhou_y_Page_114.QC.jpg
74b3ef66031579e7719195ea5748bca1
9907f0793fb85db5c229968ea9a4cb348efbb038
106054 F20101207_AAAKME zhou_y_Page_165.jpg
a046c70de110587a9554c53e662fe286
b6d28386e7df26e74325d84b13c84393be88932e
108703 F20101207_AAAKLP zhou_y_Page_146.jpg
538f351d8d0ecf96c5561174ea6136b3
5fd6d12c0a0c93bae3f633707fd0cb7477cb0d52
4841 F20101207_AAALPH zhou_y_Page_127thm.jpg
cec3cd8a2b41ec2ef17fc7ecace26f38
21323615a03681f2ff311899e505526290612b98
8094 F20101207_AAALOS zhou_y_Page_115thm.jpg
ac756520cdb63edf10c21f2cb3bf5227
3f6271f67be915e7a536d5257a10f18c1aa2be15
93094 F20101207_AAAKMF zhou_y_Page_166.jpg
e995021c487a7cfa31bcd7af59882867
bb21f4c91e94991bc5c8a2ee304247253c733f87
103273 F20101207_AAAKLQ zhou_y_Page_147.jpg
f961308273867e382eb097fb3a52c74f
89feb2b1fb635a9c0e952389316a6d3a3eb96ba4
7672 F20101207_AAALPI zhou_y_Page_128thm.jpg
418a2838728960456812b675887404f2
20fb59e86f3219ed51e56f073af8f6c545ae500f
33492 F20101207_AAALOT zhou_y_Page_115.QC.jpg
a0ad30cd3cef706de8d94cdae5f91100
35de2b27dcf05e448cf55fe9a426d415de2def48
82577 F20101207_AAAKMG zhou_y_Page_167.jpg
3dd0410cede3aeb2a7a359b95e74fdd5
bd9b307942d30acc61088f9146b71be5a31a4564
101351 F20101207_AAAKLR zhou_y_Page_148.jpg
ecc621b0cacd58ef58c934949c970fef
0971bce6e3339c9fc56d580cae40b487fd4ca849
8047 F20101207_AAALPJ zhou_y_Page_129thm.jpg
3a11d6afd6ed27dd68fa7be55c19ab50
e732877c7765ba51dd8b84313cb1d3be33e19efe
8119 F20101207_AAALOU zhou_y_Page_116thm.jpg
390252cdf79d58e47d0d8867affa4c27
7c0620bbf2ea65b967dd132680bcc5b697765895
99457 F20101207_AAAKMH zhou_y_Page_168.jpg
33cf60bb2a9143cef41189da9f88f73d
6c578bacbffc8a5febea9b63f8ea4ae8be68b1dc
107939 F20101207_AAAKLS zhou_y_Page_150.jpg
1b93821b3358a127cb8c71d293334249
8d5cf6d09c045c269cf75eefc6516f1f0783469b
34019 F20101207_AAALPK zhou_y_Page_129.QC.jpg
aa9040ceba7e26b2f40e161dc4bb9fd2
4d1c0a35c8b0e07829909b589008dee29b561679
35369 F20101207_AAALOV zhou_y_Page_117.QC.jpg
9ccaae11477cbec004d804f0f434fbf5
fbef1c7db85c5f6e16be7a8c15814941ecb8c006
49415 F20101207_AAAKMI zhou_y_Page_169.jpg
91253ad26234c5c8aa720912779a794f
796a07e38b44ba20c855ca2c81eafffd8af83ee6
99837 F20101207_AAAKLT zhou_y_Page_151.jpg
94a430b2b9007d21cdd780f7190c8291
9c02d54ecec5047fb4d73a3ef98850d0fe91d973
33303 F20101207_AAALPL zhou_y_Page_130.QC.jpg
5f0d298d6c99f3fd25cd14bcbb390bf6
f7e57e8df4e8ef555a44bf959dd2cb2037b82fb3
F20101207_AAALOW zhou_y_Page_118thm.jpg
a5fc67f02d210b2f9f06cbb9eb80bc41
2ac85404e6068d15dc76b138e7847a73e6abe194
98916 F20101207_AAAKMJ zhou_y_Page_171.jpg
b59fb61fd4175548bb8b3e55e7e3c568
67efeab7377a914cf550a86b677a86e8bba6a1a9
88607 F20101207_AAAKLU zhou_y_Page_152.jpg
9ae8f1fbfa3206f6cafa5999a8a02b4c
0874b75480e28ea8d00661ba4ffd75afc0c9d5f1
8356 F20101207_AAALQA zhou_y_Page_141thm.jpg
4bb44271e68a1f40e62b3442a1b487cd
548564eb1c253f22c73994612e8cd3334df598ef
7939 F20101207_AAALPM zhou_y_Page_131thm.jpg
b2434fe2d62ba36170268eaf19acab0a
ce4301d668a52a2e5602f09d68f767832dd8185a
33257 F20101207_AAALOX zhou_y_Page_119.QC.jpg
317550fb1eb3a1be1ed9826907047dbf
207ab92cbb37641cf7657f7765da57183f91ebda
83260 F20101207_AAAKMK zhou_y_Page_174.jpg
07a6d2f036b3cf28379dd0b171376abe
43dd5179d21bb734d1d004d31732791b4e3d96b8
92839 F20101207_AAAKLV zhou_y_Page_153.jpg
b18a10c1a3280458a60d6decba857ce7
c7db7c006aa79189ad22c2d60073c329e6be65cf
7970 F20101207_AAALQB zhou_y_Page_142thm.jpg
ef8079e409ff4e2d40fef3a3965e293d
3338838b1b6ca54a611ff1fe0fa7f23233d52dd7
33685 F20101207_AAALPN zhou_y_Page_131.QC.jpg
24a890b2693845fb4cf76f33d0a0e95e
e41ebbb76600be9c499053540d733832dccebf2b
8293 F20101207_AAALOY zhou_y_Page_120thm.jpg
baeaf85f70f5d78a8570f8dfba2c71c9
93f5eafa1383efcf7366890bb93f0c035886e893
100678 F20101207_AAAKML zhou_y_Page_176.jpg
2b25f50c4879f012ac86848e64747dab
b1b74e350efddfff41405d8b6a401329f3a87551
98539 F20101207_AAAKLW zhou_y_Page_155.jpg
41439dc3841140bf719f081edd546fc3
804c849aecee6d3056bdfc44a95216321b936001
35105 F20101207_AAALQC zhou_y_Page_142.QC.jpg
8ff4f583f5153acf7715114e91fae516
d2bbacfb26509201ca1623a8f8c4c500bf38eea3
5875 F20101207_AAALPO zhou_y_Page_133thm.jpg
a74e7c8279e9d2e1f5210a335073c153
2530c2fb999fd4767a4d62fa01b5db631214c96f
4955 F20101207_AAALOZ zhou_y_Page_121thm.jpg
7d21867fd6094d94cb4394be5cb5d35c
907912c5a12eb9290cb322b24da64d2656dcf5b9
109742 F20101207_AAAKMM zhou_y_Page_179.jpg
4439dcd4409308d9daec4d80dea8c401
dde73aa4d55f3bb542ec806cfd55a7c2ade0a9c1
98471 F20101207_AAAKLX zhou_y_Page_156.jpg
3ecf60b7626401912a27143c6baf12a8
3da360aa09393ba1e01fa3edbc1a997a578f7a7a
96685 F20101207_AAAKNA zhou_y_Page_197.jpg
8bb1b3591bbfd41139c83e2549318da0
0e1dd3b64efecdc50dcb06a03717108bcfefeb37
8159 F20101207_AAALQD zhou_y_Page_143thm.jpg
16d2895ec30b514e0801d52e8f10b650
2afe96f57e6d748234e96fee62f00d2f3457014c
7849 F20101207_AAALPP zhou_y_Page_134thm.jpg
2541f23499f6234e20c4f07377697ff9
2ff0049594c197683b3e23d6f3c9d0ffd21cac1e
75616 F20101207_AAAKMN zhou_y_Page_181.jpg
ccaadc3d135b0dad7437ed0f1ebd81a9
14c919c9cb2801e1626be0f17f6956acd23f5969
53950 F20101207_AAAKLY zhou_y_Page_158.jpg
5b297d94c77718278edb0ca8efda8cbd
40e6b170d7dfb36dfbeb4f658fb53cbf34b4b0cf
137002 F20101207_AAAKNB zhou_y_Page_201.jpg
2136f5caf55deff9f6fe3fc059e6ec1c
5bed98a1021da339dbeb4c19fb4b63aae02583b8
36583 F20101207_AAALQE zhou_y_Page_143.QC.jpg
78641ead08809c3075dbbb7706987af4
34fda26232db2ef0426e51d8bb7b4b8d6b39e691
111008 F20101207_AAAKLZ zhou_y_Page_159.jpg
e94b922073f5fad91d44c73c01eac190
bdde5787040f5504d2505916ff73ae969f22543a
127180 F20101207_AAAKNC zhou_y_Page_203.jpg
7d5e5271fa4bac6217c3eff5e593742c
b60c276c4ee30b84d4a1e799fcffc3062e8cb2a0
3936 F20101207_AAALQF zhou_y_Page_145thm.jpg
2cb8ee95440d2b1dc015e0e3b6ce40ce
b24b0be01e33c2e333026315107988ec2f9288aa
32229 F20101207_AAALPQ zhou_y_Page_134.QC.jpg
c8851cf2d8af9714292f7d966a1a3e13
975f73ba405b9ea8498f120833671e795276e1b7
110631 F20101207_AAAKMO zhou_y_Page_182.jpg
786830b13904f6547ceba6cd12228e5f
6a2157b3d1712f7157fa19bc76177109b7801f62
131384 F20101207_AAAKND zhou_y_Page_205.jpg
f5c3a00d51545c6390ff0152cb8a5571
e4bd6aec33594995fde9eaa57f3dfdccdc87d003
17154 F20101207_AAALQG zhou_y_Page_145.QC.jpg
a11a5a2a6e80dfb57c937f5a3710275a
f177e3f41b1e15857c906b2b595879ce6cc9f942
5058 F20101207_AAALPR zhou_y_Page_135thm.jpg
e01acca57c7309121c9dd608a4ff6223
fb31e125af8f6f3c46df75f295c18819bbedef07
106728 F20101207_AAAKMP zhou_y_Page_184.jpg
5fc844e9cdf0869c7033d185ba34424a
aafc39cf740270bbae3cc1b052f9c7f956720e76
128820 F20101207_AAAKNE zhou_y_Page_207.jpg
b9e4fd86541776f7f6dddac41e10cdfd
77a266a59379cd30489bbed1783a2723873ba1d1
8123 F20101207_AAALQH zhou_y_Page_146thm.jpg
a124a3effd909b5663a42391d21a94a8
0c2c1682befdc96e0b9d71431b65bf3c6ac766ba
7357 F20101207_AAALPS zhou_y_Page_136thm.jpg
73b4be9d816a28114af379a7157c05f8
b37e24d5e891549d8061abaa22b2a95a753e3cbd
78289 F20101207_AAAKMQ zhou_y_Page_185.jpg
88b58b9ed6b608728162d2dc3d7160ca
bd04be351f358df6cc7d10fbb926f1ab2692ebb4
127752 F20101207_AAAKNF zhou_y_Page_208.jpg
60acd88214abc2ef695bbf0009c97a90
ab0cad2194587161435d97fab7c5ccf75b4afd59
34752 F20101207_AAALQI zhou_y_Page_146.QC.jpg
a3c1cef0b1e4d6b451bf62ebfb442bb3
05b31ba7e50e1ddda5cf15b4446fe5aeba5c8cfb
28497 F20101207_AAALPT zhou_y_Page_136.QC.jpg
fca9f1baeaa7e675f90ccdd9f62f6f1d
101ca24e29a82a21e1f4de16374ed78f12f6e6bf
110873 F20101207_AAAKMR zhou_y_Page_186.jpg
eab2fcae8fdb25413dbc1f87add2aacd
3a869e85201212ae7f9b631ec5d0ee7e2d8ce246
128972 F20101207_AAAKNG zhou_y_Page_210.jpg
05715bacfd0deae20eae015270e38ca8
454016e890576d9af9002842390ec52b4daf5e73
34106 F20101207_AAALQJ zhou_y_Page_147.QC.jpg
b3cebb4b7285de8b36facf066f68255e
5d19485be9fea933d01bb2f256c4f2df06d04e78
6382 F20101207_AAALPU zhou_y_Page_137thm.jpg
9b6fe1d61aa1c751c5092f16c830e08c
afda7cafbb893d575ecacc3eaa07e09df161508b
104787 F20101207_AAAKMS zhou_y_Page_187.jpg
0da068d6c6835c775313868e0652d7d5
6d837782fea1818cffe6e74b61fb8a1a6548a53b
127106 F20101207_AAAKNH zhou_y_Page_211.jpg
1c6f6d7c50f3810fec87601a9875dca0
020b6a1908784c240622ec1a27023f719ca5f06e
7560 F20101207_AAALQK zhou_y_Page_148thm.jpg
d2d249637e89b11848d9ab72385daea0
e0ab1804ceb205d9b83b1ca8d65ad91b8c907b0b
22490 F20101207_AAALPV zhou_y_Page_137.QC.jpg
2e66c54d1b53afe70eb793c8bf554d9f
62ca440a79669ad34d20ed98f55337e2fbb69284
71206 F20101207_AAAKMT zhou_y_Page_188.jpg
64f599fab24147ffb8567ebe8ae4f08f
873db4d4f054be9be7116d2290a2d87b1d8f0e81
37769 F20101207_AAAKNI zhou_y_Page_213.jpg
cd6f8f2a08bd64026c9bef7f7c8c675f
edc958ad5c1a180ceb444cb6f8fdfabbc92992e2
31482 F20101207_AAALQL zhou_y_Page_149.QC.jpg
d5b99ba20a553fbf000e13ed0e77e860
52a77e29a1988edf23912609d0f026c051f7f754
7881 F20101207_AAALPW zhou_y_Page_138thm.jpg
00c02a9a596857ac665f637fb829ec85
2b06a7a0358b15d781ad6ef8cb3061631c656342
89924 F20101207_AAAKMU zhou_y_Page_190.jpg
60d244b9a9480ec4b3632840e6e616fe
26515dc7089cfa3eca3382085a91292773a44563
4665 F20101207_AAAKNJ zhou_y_Page_002.jp2
9f978ac3ff48246a71605d2ec305928e
8e329e253bee8200dc5badac692ca4012529cbcc
8039 F20101207_AAALRA zhou_y_Page_159thm.jpg
736349304639b351ec3cdd62192da10d
da321bc66551a14bd9ce22aeadc0a19c721763e3
F20101207_AAALQM zhou_y_Page_150thm.jpg
160307469bc376db017085b9039e8da4
078562f994726ec38201ad88fac7b5cfda18accd
33380 F20101207_AAALPX zhou_y_Page_138.QC.jpg
c8f79f1f47c93a40e096af6c344d4b3c
34de8e514ac6fc2570e164ed4e502104b0e1831b
111572 F20101207_AAAKMV zhou_y_Page_191.jpg
b03b50e8739bffedf45a04147668eb43
afa73af90ce2281bb442c7c8589c2b20c0d8ec17
4385 F20101207_AAAKNK zhou_y_Page_003.jp2
1881a14d0665dc47fe12e4bb4714fb4d
e6e108305da6589d6e527461d5c5ad818f611e1c
34469 F20101207_AAALRB zhou_y_Page_159.QC.jpg
46f815cd97ad05226e12a98fc9b1e362
916102800fa0517c08610d3f31f7a353afc99196
34703 F20101207_AAALQN zhou_y_Page_150.QC.jpg
4274a7f74ef1e6d8b0e3e019dc1cdcae
1b80e790072330bff4c7561c7eebf8e467802331
F20101207_AAALPY zhou_y_Page_139thm.jpg
6465257c0504ce67ddf4e6c72f1a933d
73f8670c792d56b36baa71a220ccba5883e6d16d
84220 F20101207_AAAKMW zhou_y_Page_193.jpg
26aea4dae125399fba4302b88b7fbe73
be2aa58595a48809e0aaeb16339fe7720def1738
64405 F20101207_AAAKNL zhou_y_Page_004.jp2
c07e915801c98e66690688bb6a726e4d
a64342efffb79bec4e3cfcfddc01f8d3956b4cb6
F20101207_AAALRC zhou_y_Page_160thm.jpg
e1aec8c43c0310bab7f248aae8829197
04b77213777c8ab5ca548b3bfde580b983b9d7c6
7611 F20101207_AAALQO zhou_y_Page_151thm.jpg
72d953f375f389f6979a9f343d7f4ad0
adbb25cde45f569d3afa27901d512d9326da5da9
34851 F20101207_AAALPZ zhou_y_Page_139.QC.jpg
3e8a254e415b3f528860a5e674e67d4f
aaf1e2d59f9a922e64a77b586260beed184aba9e
93716 F20101207_AAAKMX zhou_y_Page_194.jpg
8550c6ed4b7b6d5e9e628b169e03d854
5161fb31d0dbabe335b1ddcb0a7f06f1dce008fb
977552 F20101207_AAAKOA zhou_y_Page_027.jp2
17fba533c248ebd3ea562533794acae9
f66f24cd031e009eb4666ec0ab6f49f14202df70
F20101207_AAAKNM zhou_y_Page_005.jp2
5df0d97958ae627bfc640c1354342585
615182b2c075fb00d9a6f37a83391d7d5aba10eb
34600 F20101207_AAALRD zhou_y_Page_160.QC.jpg
f7a7c14bb4bea73fbefae0aad3277c10
35c081c407f69aa63e449cb74a41933b38ba09a7
31275 F20101207_AAALQP zhou_y_Page_151.QC.jpg
52971a212a782c8c777a0b453eca14cf
a4f8e242667cac9e7b7661b074fd655b33c81138
92438 F20101207_AAAKMY zhou_y_Page_195.jpg
75ec1164fae84729fb403817167ced25
c9a8dee5a5f3a9d83e125d29d812892f20d30c2e
89040 F20101207_AAAKOB zhou_y_Page_028.jp2
fd3a40ac4839ecb6cfd8f85e2e1a2680
98df5ef7e2e509a6e177688014baeab1c08a4382
F20101207_AAAKNN zhou_y_Page_006.jp2
7621df1e6d925f11cb827391c9831d96
9b314ae1566e1900ace9717c47bb7f7ced4ad27f
34845 F20101207_AAALRE zhou_y_Page_161.QC.jpg
d8088d3eeec05b94947b322961f1de97
5a44677af09278dfa337b0a60a630ff4688f9422
7014 F20101207_AAALQQ zhou_y_Page_152thm.jpg
eb0b732ec48b0deb3d5655dc98d36eca
7789bcbad18ac3ae0e71e4999a8a468662773682
107890 F20101207_AAAKMZ zhou_y_Page_196.jpg
81b41f0c456f90f8a43f97ca6ec0cff2
98c74d4352953fd5b7e9156dd2e383b584ba19ec
700241 F20101207_AAAKOC zhou_y_Page_031.jp2
ca41d8c74bf316cd42e3d4c8d927e1fb
44368ebbdaff4d5815b2bc97ba1ab6a4cc24ed08
F20101207_AAAKNO zhou_y_Page_007.jp2
14ac38f48be87bb85db82ee967587b0b
65c56e3b6828dfbf5560f7b12a53021c3f3f3887
7734 F20101207_AAALRF zhou_y_Page_162thm.jpg
2f11559f8d5a307ecfce1842da195808
a656f07a96f04cd62925457f6c8140f9e2802e45
940270 F20101207_AAAKOD zhou_y_Page_032.jp2
58707b62b57c72f3e36035b68ebeeb87
ab8b192a22682219d9dd90c7148196771e166ff9
7050 F20101207_AAALRG zhou_y_Page_163thm.jpg
dfe1eb6d2a6d90b87b721bc3c72fac25
f11866ad713c8c7be424a03016df77871ed691f8
7328 F20101207_AAALQR zhou_y_Page_153thm.jpg
b4c30898b110685e2598ab6c9b416402
cc02bfafdcd206548e4f86a533bca1103427fcf1
58044 F20101207_AAAKOE zhou_y_Page_033.jp2
67a3fb32fbb881eb7d3293b567af86fc
1cec9a95a41d8345aeb025574964fda2507ffa89
F20101207_AAAKNP zhou_y_Page_008.jp2
724c9981d3f7fee028dc47a8363051cd
26b824e57fd792ab522bd2961551cd7501a202b6
28229 F20101207_AAALRH zhou_y_Page_163.QC.jpg
5cb068727938512c099284013aabc19b
08558d9eb82aeb04ca6ad277888f8e634abad2cd
29619 F20101207_AAALQS zhou_y_Page_153.QC.jpg
3bf5835ad2a43029d009bdfe85550d47
b648c93f7c5e43c03f8cc86a87f7eadb28975201
F20101207_AAAKOF zhou_y_Page_036.jp2
a7e30118a863930d94195cde671d7da8
663dc7af809afa2571c1f32cb4c5dae7cb0fc080
988962 F20101207_AAAKNQ zhou_y_Page_011.jp2
59ee702b9c6df57c295bd38de9d6d190
5c04f2cfd8ac12a70335dfdae7e20f7c939d9354
7791 F20101207_AAALRI zhou_y_Page_165thm.jpg
687e8f01832e532ee0ff938c2cb12f2c
e67bbbec864728c9cf959c7b7027f0449468f925
23577 F20101207_AAALQT zhou_y_Page_154.QC.jpg
841fc290164ed74d80d53aab8454c3e4
d6b9a0e1310bb9441c4586e7b1ddf30c06b8bf62
725112 F20101207_AAAKOG zhou_y_Page_037.jp2
9aba6b3bddd8b2f991e1db055b4c3af9
2533c1fda151e2ce802b5d8861579867faa32b87
F20101207_AAAKNR zhou_y_Page_012.jp2
300985b748a73fb246cbd4c6e924df0d
19f29b428dabc7153bc84b085b1129e35a4f0b70
7389 F20101207_AAALRJ zhou_y_Page_166thm.jpg
759794f88c5ec2070081c1b1260a6b13
08349b39196c58f9341b9273e959fc33aaadd44d
7589 F20101207_AAALQU zhou_y_Page_155thm.jpg
77c3da1423fb2d6f39a084293af2ef06
c8bf8c426004a182f35b729156a20ec09c0bb3e5
569493 F20101207_AAAKOH zhou_y_Page_038.jp2
0c1d569c22ebe6bdd2159013ca9e3699
af6128d634f5854a11328c8589495b51a3526d53
59614 F20101207_AAAKNS zhou_y_Page_014.jp2
814b0b37c140d79a736654acbaf6b282
47c6c5ed00eb17b325ae53d8cb6615eec6ee64c8
30031 F20101207_AAALRK zhou_y_Page_166.QC.jpg
21c7f0b1d3c0ba729ce0b5a6f3cb155b
07e06236a891d502988ed441882d3a974ddccdb2
7493 F20101207_AAALQV zhou_y_Page_156thm.jpg
07a95c0cda4178fd6f701547574e9e14
c20db4e0d801a89f0d466f58358b56b36faadff9
640231 F20101207_AAAKOI zhou_y_Page_039.jp2
07d7daf9820ee9b6cf03d36ccb110a8d
2f7acd6a1397eaafbaec298ecf0e2c76d17d471b
58176 F20101207_AAAKNT zhou_y_Page_015.jp2
12cd20019e43880cf865da6751c8c5ea
77d61ec97c5bb583b4aaa7c75569bf4519f6a188
F20101207_AAALRL zhou_y_Page_168thm.jpg
15cb909e5231d22e7d6909b1746c763e
4279a77ad386ada404411ff71f0fddddbe11c69d
32172 F20101207_AAALQW zhou_y_Page_156.QC.jpg
e11fb4428b144903a45c9a076b93500a
56946de34f3431bbbb5f538c1039d14d851a46a8
774528 F20101207_AAAKOJ zhou_y_Page_040.jp2
34ba21e8bb6c7e38c11910dcd0a1bd2c
fe8729773bacfe784d846df205766a5cc28eeb02
104954 F20101207_AAAKNU zhou_y_Page_016.jp2
c2c0f234b7cc98a49002e85cacf80e88
95960fd08725ff5d01851c037eba90cfc8ed3950
28708 F20101207_AAALSA zhou_y_Page_180.QC.jpg
40f46fe379b5db25de7f1fcb3983cbb0
10050875b14e909fdd762cfb9188a174a736f0a3
4212 F20101207_AAALRM zhou_y_Page_169thm.jpg
f94709222037a2b8c2db2624d9484a7a
380a34302cfe68ff6af2aa61d9b2abe689d281cf
7884 F20101207_AAALQX zhou_y_Page_157thm.jpg
c98a662c3a4a9e5d2a81781459eed313
c9f3446afde5197a88ffad574ad5168b70e2137c
727908 F20101207_AAAKOK zhou_y_Page_041.jp2
fc6fdb4e9c2a172078649778a6bde786
f3788cfd965d6fa75b135f9efda7f9526f0cf3d4
97964 F20101207_AAAKNV zhou_y_Page_017.jp2
34d9195869c4165098ce84711c635a25
bf13c31b80a84a58e5aaa43349da081b84917e14
6359 F20101207_AAALSB zhou_y_Page_181thm.jpg
f2e2160d3113b242ac43d55c686525b1
e9cf0569480dbd562e047d68b039d85ce41dbd91
15731 F20101207_AAALRN zhou_y_Page_169.QC.jpg
b532604e231bbfeb1f192641369d5ba7
0d8f384b03992e189f2a7433fbfc01258df87e2c
33937 F20101207_AAALQY zhou_y_Page_157.QC.jpg
3bec308c12cc9c66bd4206115869220e
9a775c28c8fe42de9a427d49d2a680afcb034801
82660 F20101207_AAAKOL zhou_y_Page_042.jp2
a54fb953d25de5bcf0b8738183ca1e8a
e2a83060f9ccd0087043508a126b2cc7492c90c9
1051975 F20101207_AAAKNW zhou_y_Page_018.jp2
64a161f39ded945be2873f007651a346
c45f99cbf50a4454cb4bef761e1c1c8f7a105621
24815 F20101207_AAALSC zhou_y_Page_181.QC.jpg
68b6616bfabe053182a9ee2739d85362
af7a4c1d8caddc30ef3da3cc0fd139379daf7801
31267 F20101207_AAALRO zhou_y_Page_171.QC.jpg
d808ff0fa077e26062d8489c8f04addb
f8d3ac1313354c08a72503b00a916dfacde7e242
4083 F20101207_AAALQZ zhou_y_Page_158thm.jpg
d1f419e813fc48a4e4a6c512bb8028b3
85a99abaf65aa2e890785dcb126f92316e8c83b9
F20101207_AAAKPA zhou_y_Page_059.jp2
120797185d38afe2e1a0a2c8a207d8b2
1b87750320a876c2fae03749d453d8fcedeab32f
950909 F20101207_AAAKOM zhou_y_Page_043.jp2
720831dde33b755ddb70c546a2d2052f
769ba88ac4c58ebe062b6fbd8ea6cf454e70d9ff
F20101207_AAAKNX zhou_y_Page_019.jp2
2791bfe61465344c7d763b1f4973a3de
6ff161eadc989c40b7bbfd67b3b74d93f296dfe3
34254 F20101207_AAALSD zhou_y_Page_182.QC.jpg
c2e7202689c3c7809bf72c58de97bcdb
89651bc2b410579e8b449a4c0e265331f3b6f6c7
F20101207_AAALRP zhou_y_Page_172thm.jpg
32d92190f0e895417dab588aa9e21b74
26cfae74de62b00e169060df82ecf69a09d2b328
930418 F20101207_AAAKPB zhou_y_Page_060.jp2
73d06dba1f1bade077c0d88909e5026d
0f89a89d33627b8cf930550f8ee1ac54039d8e10
662326 F20101207_AAAKON zhou_y_Page_044.jp2
333374f4442f6c14b9a570faf1757ff5
68a08f63529aedd05abb877908366ec97fef3140
126167 F20101207_AAAKNY zhou_y_Page_023.jp2
32cb30e0cfcf39006a62c4ad976e8df2
1213debf87c362630d9380fdb3564792499e6bdb
1146 F20101207_AAALSE zhou_y_Page_183thm.jpg
64393414f08f2993a6180227abc6fb45
17b9b2ea9747190f2abc3237a1c28e1ab9837c5f
34675 F20101207_AAALRQ zhou_y_Page_172.QC.jpg
a925659647cf386067c8bf36f2a05602
adc6050b6e2d2f2e871e51c3c9f87b0a5fd72366
F20101207_AAAKPC zhou_y_Page_061.jp2
f4c81a1b5d544c51aead367aa38e3b13
065c78e09fa7723dffed189ba527102a3b35aafa
F20101207_AAAKOO zhou_y_Page_046.jp2
b1d4f0b142ac5f63d18e3580f04c7c49
3f20ff08d7b54416c4003fd1f144aa9c4818112d
F20101207_AAAKNZ zhou_y_Page_025.jp2
a0e5867c09f3ad9c93c066588965d6f1
480692f35481d44b8169e85071c41aef69aa91fe
3878 F20101207_AAALSF zhou_y_Page_183.QC.jpg
59ba4e3c7a3455c2ce7c18eacbfdad60
0bef496e03536f36de3037d08dce87c68ede5b58
7041 F20101207_AAALRR zhou_y_Page_173thm.jpg
5f88b22452c025bc4bf1adc693c1a990
5a97e42a30a6d09ad2e1af9fed7d744c6e031457
F20101207_AAAKPD zhou_y_Page_062.jp2
fa7d143d08a8b13e1ce916d12eefa790
3ef1f65ef898983cd62a6f23fbe95196022b1535
F20101207_AAAKOP zhou_y_Page_047.jp2
75894af9f31d3e3b2b113ce4d0030801
afb30239ca3e1633f62c82175412033ee8711893
8006 F20101207_AAALSG zhou_y_Page_184thm.jpg
b999100ef1815c7c2a745bbc00aaefc4
44aeeaa1f0625077911d1873e01f9eaf62e5864d
1051961 F20101207_AAAKPE zhou_y_Page_063.jp2
456b359bd7a1cd56c385b6411990c3d4
e1a19b5e5933fe9572bffbefe2398053fa24c870
33876 F20101207_AAALSH zhou_y_Page_184.QC.jpg
005fc27d5fc04799dbd747af5381ccd8
60966d1590b070287952e4dd508c08ad4e116f9b
6529 F20101207_AAALRS zhou_y_Page_174thm.jpg
b1e10b7a8fe10006899da5ca2f728962
ee53e8aacfa6b4d94a57214a885c67a7289e4273
1027943 F20101207_AAAKPF zhou_y_Page_064.jp2
5abbec4ebb1eb48241039cd04ec6e89e
40f7f4a677b271aa946d35360a635dbc376f96c6
F20101207_AAAKOQ zhou_y_Page_048.jp2
fd0dd956d7355ad45cabf12601085a72
74dc2dd04a2d30f23068e67458bef24a1b43c515
6576 F20101207_AAALSI zhou_y_Page_185thm.jpg
d4594904795312844fa94d4a22395b9f
c8d281c33b255e78710d8876658153dc5a403599
25353 F20101207_AAALRT zhou_y_Page_174.QC.jpg
2511711a2737edc405b08ecf28867e6e
e4f1ae12cab85134cdb3cc56a28d168110c06e49
904933 F20101207_AAAKPG zhou_y_Page_065.jp2
925e65fa1798ff10af4d64e828294a26
5127db2d42c0be655b9b5fb959910011c092a658
F20101207_AAAKOR zhou_y_Page_049.jp2
600b61e0be06ac499162c674d664b9ee
7f5e976ca98f556fff320a5d8df21b0a6a334183
25516 F20101207_AAALSJ zhou_y_Page_185.QC.jpg
30836b62dbf5022e1b99fd311f468084
e50e95471c14b7f5debf2fa7904267df3640ad41
7282 F20101207_AAALRU zhou_y_Page_175thm.jpg
4cafb8bdb0de0d44b70e10eb4181b1e7
dc540895fdf7735d3fd8fade481037bcc976fe3f
1051942 F20101207_AAAKPH zhou_y_Page_066.jp2
cc440909cc17a9e8a3bb5689b0723dac
0411f9c7fc8f5280c437908c63d51862785a25ef
965235 F20101207_AAAKOS zhou_y_Page_050.jp2
74e3d44f22d4f4a53c1bd8b47647ef17
99e16a291208646248624f4cf1fecfae01147a44
7411 F20101207_AAALSK zhou_y_Page_186thm.jpg
36176a6d1851d2a9118361841f00c5a0
1d9e06ac5dd9dd3f37638c773c490f4e29046b24
7520 F20101207_AAALRV zhou_y_Page_176thm.jpg
4db917ea2cd0ec28619736c428893181
a028e0fccff18eb07840e6d308421232b233fdee
1051951 F20101207_AAAKPI zhou_y_Page_068.jp2
227770bc24435759ff55aa6e11e323f6
a4c6c2bda8443d3ed8698a112dd9b6058b7a72a5
1051956 F20101207_AAAKOT zhou_y_Page_051.jp2
47880b621c611d4f419f5fbb4e04a61d
e844045b166aec9534df9b9742db1a10856a8ee3
7834 F20101207_AAALSL zhou_y_Page_187thm.jpg
18d8db5e1a16f40bfb500f83288e4d60
c24eb659fef1f6c0466e1293be842638691a23a5
6830 F20101207_AAALRW zhou_y_Page_178thm.jpg
21f8e81324ff596763595527810fde76
f16c36f70ac05f5e3a24171244769529faaef4e4
957208 F20101207_AAAKPJ zhou_y_Page_069.jp2
1af9b75ec07e5cb7829f04a952e994b2
47a75a276774b0f5031dc751bd242edf470d7103
152731 F20101207_AAAKOU zhou_y_Page_053.jp2
20fb582e253a365ecf9745187232b8bb
84cb754876c18915048082bb6f708518fc95b762
7799 F20101207_AAALTA zhou_y_Page_199.QC.jpg
21a460c2ef5d2b865d26685bc1f60f4a
f63a597c63732464096fc30b658e02a236bc64b7
23566 F20101207_AAALSM zhou_y_Page_188.QC.jpg
4b56c69cc17c63937f2af1656dd774d3
9642f98bcfb36f1a6e98cd32c45f3ec058b071b4
28252 F20101207_AAALRX zhou_y_Page_178.QC.jpg
3e08444e0452ca85f2c9c92c5f4ef8f4
17090d6401325d0391111d7d43fe84880fe8e65a
98226 F20101207_AAAKPK zhou_y_Page_071.jp2
316e2f7744724d050ff27a29f6787299
c4402ba07f78d38fc61ac66cee03e034db7c3583
F20101207_AAAKOV zhou_y_Page_054.jp2
174a3de14e6625bac256e718be640632
c2f0900a0c26c8f4231a525e5d38fe33ef11143d
36587 F20101207_AAALTB zhou_y_Page_201.QC.jpg
376626a63e4d32f0bd4e20050b85076c
f898d1ec9f585d49e1f069b18b000b4d431c2947
F20101207_AAALSN zhou_y_Page_189thm.jpg
0125d3a663ca7ce6c73932ff840fa7b5
687cc7746432ee1ee00d787ab1ad5d200ed949ae
F20101207_AAALRY zhou_y_Page_179thm.jpg
48052ba3dd4316a5cb4a037d1b9f3750
bbafd0d61b3c2927346096c559bbad70f02096bf
73902 F20101207_AAAKPL zhou_y_Page_072.jp2
8c8b47128cc8ef19b5328e8fae261586
15b6328de11ef000796f7b94eb4cb165ae7755c3
115028 F20101207_AAAKOW zhou_y_Page_055.jp2
81ebb2bbc36283e3f7d64f5b0362e8c0
33ebc3e0eb1be3c3fb452351874bbdbb1feaa857
8437 F20101207_AAALTC zhou_y_Page_203thm.jpg
7555bf182eb3be7ef38a3f443fb3f0e5
2c467efb1e490a74d055f6a3a9f3011552e6102d
26978 F20101207_AAALSO zhou_y_Page_189.QC.jpg
9b3faeb666d3c815297b47ffcc2308ce
c6eaaf1e4e6d803393061eedb2229fbe3e8bfd35
6921 F20101207_AAALRZ zhou_y_Page_180thm.jpg
d789530d2d1eb92ea1d5272ac7acd38c
26c3f2bd042854a5679ef10dd13e72f8597defa9
1004768 F20101207_AAAKPM zhou_y_Page_073.jp2
c9b0517196fef389d5f2cd2b57e9e1be
927ac21a209bc17402656543f9507ee1db614847
123649 F20101207_AAAKOX zhou_y_Page_056.jp2
54ed296aac17f236fd90b9c4e45fd831
37a76835cd2fe056195a2cbcf8e93c902cd8dbce
1051936 F20101207_AAAKQA zhou_y_Page_093.jp2
7d464561dcfb600c48aa50c3181180f7
f9dccda6fd92bb533fc8ae5a081984db6c1611ec
34954 F20101207_AAALTD zhou_y_Page_203.QC.jpg
0baecedf3d06e0504d06191b261504e1
b80868c3c2eda6b0f23e7e2580d24242c3bd8060
7140 F20101207_AAALSP zhou_y_Page_190thm.jpg
ef2881b282220bfaed333c15cd2801fd
9669156f983a9a915204eda04ae39277784a539d
694655 F20101207_AAAKPN zhou_y_Page_075.jp2
9d55d7b0143e8be56c49722c11483826
8609bbdeabaecd88bd022f3448f98a442e0783ff
1051908 F20101207_AAAKOY zhou_y_Page_057.jp2
c272c6a35aff81fcc47e98279f8110f9
82d41694125f308fb5bc30c97e8a15e0048ba879
F20101207_AAAKQB zhou_y_Page_094.jp2
6f0dc513c07f4f5a1c80efa0032cbf22
422ef7e7e182c3297acf3433e33ddd634d50d6f0
8547 F20101207_AAALTE zhou_y_Page_204thm.jpg
e3977927fe77dd81c78e7255e8dd4d30
19ea39149849e443a2f1f0492e9feb077dcb0888
28485 F20101207_AAALSQ zhou_y_Page_190.QC.jpg
a041f441411db8b5a04ab016b5a5fc60
8fd44b6d7917523536f5baaaf74c597f1a015f2f
470576 F20101207_AAAKPO zhou_y_Page_076.jp2
2313d3d5c8a35e8a98d9ec5876d1086e
ce258fbf3185ba567a38a9b6072e7363895890c1
F20101207_AAAKOZ zhou_y_Page_058.jp2
30282086d0d26341fd9d70f63621e237
bbce5e694374a4308ab873ed5aafe4ce2cb665e9
901376 F20101207_AAAKQC zhou_y_Page_095.jp2
06272e3859520290072da2ab1f6284cf
57d29ba2ba1328d1ecce47c3de5d35abff1e8eba
36170 F20101207_AAALTF zhou_y_Page_204.QC.jpg
9484c416d100c897b18b0539e6b163ea
4567a3c498cb7042bc269b7186a09ddc4c45c31d
8063 F20101207_AAALSR zhou_y_Page_191thm.jpg
50fe5733226276745ee6eecd1730bb77
e2e8cb9a3f922b7048d2f929a0d109c2ffb9e6f6
1051937 F20101207_AAAKPP zhou_y_Page_077.jp2
54f1109a42f08487c38720a103fa0761
e72146aaac9bf2fec8d7f12a5927f34eb4f86f30
1040814 F20101207_AAAKQD zhou_y_Page_097.jp2
96c4356db73a4db0104eb22e75d93cbe
ca7184b75fbf12dd50fbde4a6a9ecedc2f679635
8553 F20101207_AAALTG zhou_y_Page_205thm.jpg
6d914696c0feaceb0f9bc1c67de65db0
0d45a2a3803884b76a60ed99591ee1e57c36ae74
34963 F20101207_AAALSS zhou_y_Page_191.QC.jpg
9dfa7ab1eb7390551242507ad32cb64d
e7135c100d28d58b232c0ba0562dde1c076ecb67
1051922 F20101207_AAAKPQ zhou_y_Page_079.jp2
012592b046cb46a373f3f0e91be2396f
2fb8563b313f421e06e47053073b9ce2373efaeb
732819 F20101207_AAAKQE zhou_y_Page_099.jp2
731c26648f72329b1cde3b63c14897b7
fe9b073a4c491a32162be617cebcdfea18b5b234
35475 F20101207_AAALTH zhou_y_Page_205.QC.jpg
e8b45c813268e50288e44839e93a3811
9fc081945574818d7885ef4c4939a3f969f12083
993539 F20101207_AAAKQF zhou_y_Page_100.jp2
dfce58b62c8959f321c3ebb406c52673
11da44599697aec2672b1da060aa6a1a9842988a
36815 F20101207_AAALTI zhou_y_Page_206.QC.jpg
6dd53a2ea69bf4eac7ec60bc9e70cb98
b270fdb278503e6ea8ba2712920689062734de69
7648 F20101207_AAALST zhou_y_Page_192thm.jpg
a8cf54dab6e85f760ca5759e24edb8fa
3a52c4777057fa21fb015a082d5d818aa5b48c9a
743214 F20101207_AAAKQG zhou_y_Page_103.jp2
e7a6f15de90ff8cc550e9362435bad57
52ba2a1ea18c6b458ffdfcb01b9774c98f53468a
749956 F20101207_AAAKPR zhou_y_Page_080.jp2
b758f647a5c17331ec04eae6b0597bd2
6e12499cab9c5657c9905ac4e9de48838f04e73d
8296 F20101207_AAALTJ zhou_y_Page_207thm.jpg
6bef7d02a0dc42f5062bd49e4db88a80
604193120648e2b26f206ef7bb629f56aca42aac
7416 F20101207_AAALSU zhou_y_Page_194thm.jpg
33c3074935eb98aec3c9f79876688fdd
87fd329be371e516ebb29f0137583895e69d1f48
855564 F20101207_AAAKQH zhou_y_Page_104.jp2
12a6603b7332f4f0e03e185c643fda68
694996e7c6451e846e3383b591d3cf75d9d09ae4
1035498 F20101207_AAAKPS zhou_y_Page_082.jp2
3d1f607c594396f8b41c56de6d5de42e
51d6552b89b3b9d99375ca7ea3b766af7f347124
35214 F20101207_AAALTK zhou_y_Page_207.QC.jpg
454eea471bea882bffb0e62a31d6b69c
074a514b95e4bc9ca078f6a007c34cc324ae4dde
30190 F20101207_AAALSV zhou_y_Page_194.QC.jpg
ae404b576fc0fd4df3b56c48eb98e6e4
02f2e3580068ea9f040ca252a753590860010c02
1051955 F20101207_AAAKQI zhou_y_Page_105.jp2
7ac2031e54483e03ddc496a56d3ad972
0f40e30b5b574fad593971269b6064fd4e8002e4
953336 F20101207_AAAKPT zhou_y_Page_084.jp2
d2e29ec7d16d15945b236b300cdb5bc0
b7b1a0effe76d842793a5cc8ff42c826ee7de94d
F20101207_AAALTL zhou_y_Page_208thm.jpg
8f46e8a0697401551a795745ca82d508
c1d5a6723e235726c6a207ea48cd3deb1a167b70
7930 F20101207_AAALSW zhou_y_Page_196thm.jpg
fedd22d8b9e7c06af29c1d9ae2aa6faa
f9f6c11b26760d9041ad9086442a3f47bc9a1ee8
F20101207_AAAKQJ zhou_y_Page_106.jp2
906022fc51d197f28187342e1440f217
c24698d3326e094dd0c6ccb6613b08a63c927fbb
F20101207_AAAKPU zhou_y_Page_086.jp2
e53e8fb8361f8f983e0f62344ea84f4a
b027cfb7f6a8b121f10cd565375c182cc2927eb4
8360 F20101207_AAALTM zhou_y_Page_209thm.jpg
da7e04a5b19d0014b0bea0ba2c102a91
c58b25246c62d40b7f8cfecdac6eae501a17fbf3
7022 F20101207_AAALSX zhou_y_Page_197thm.jpg
e73522f004ee0ad5d0eb45a8b1c9e7f0
d6e9b54b73cc614a64bafa89e58d092554d12c2c
F20101207_AAAKQK zhou_y_Page_109.jp2
be0f765d221ec197fed1d50fc9b627a9
fb3ba935ece97a8df4b1d2d8527453214ccb0218
1051965 F20101207_AAAKPV zhou_y_Page_087.jp2
859e767f4eba0f02ed5a009c153cc911
8b616fdb76ce4642c6f07c5d2340e1ffcf69982b
36996 F20101207_AAALTN zhou_y_Page_209.QC.jpg
b1b9f4eef147d8bd85f778b0a9ee181e
6f71fb5a9c05085196105485c8c68141d4b633e2
28862 F20101207_AAALSY zhou_y_Page_197.QC.jpg
09cd4d5ade5db10c7837a14f13457e71
b12d5203496c2702dabd7a1816b7cd2afe77bbd8
F20101207_AAAKQL zhou_y_Page_111.jp2
1e40b2445ac73fabc7c3ae8720cfc87d
3f79c342bbe64dd25b0bcea901e3dbe48ec5bf12
1009824 F20101207_AAAKPW zhou_y_Page_088.jp2
e17e2922d0f33f796a86234a388b3255
3fc529a8d2190f5a04b46c717a935814fe03b82f
8240 F20101207_AAALTO zhou_y_Page_210thm.jpg
871da0bd13f95112474a43a32419d0de
4e2dc6dd506e2f4b838a9f5330127966e22ae8da
F20101207_AAALSZ zhou_y_Page_199thm.jpg
01832a4daf41b3b43cb293383b60d649
c5507b69af73c4ae18c61b7a20f832db3360f1dd
760972 F20101207_AAAKRA zhou_y_Page_137.jp2
78ec5e1207afe46dc5d5271cfcc35acf
67e3d183aa8d69de6e800d5a893a819283ee8f7b
F20101207_AAAKQM zhou_y_Page_112.jp2
01d1dc5fc418b169ef170d1a6b4ea07b
1c4dabcc9ee82d8828b266b83c7d095b313e154e
948935 F20101207_AAAKPX zhou_y_Page_089.jp2
794c0d26a5af3ef36d28a2304747e248
9cde044a6d782b655aa4f77b220f78eeadc9fde6
34809 F20101207_AAALTP zhou_y_Page_210.QC.jpg
69573f421e8239683d1066c32fe1b6fd
908796fcf967d963e6d17a355c5fbc3a5c0ba6b1
F20101207_AAAKRB zhou_y_Page_138.jp2
ed70c58cecd9fa4538ac58a55e04881a
0d9eae2be56951ddf556b895ee5c5af6cfedb688
961163 F20101207_AAAKQN zhou_y_Page_113.jp2
f599c60f8814cf5a2ec0687dd7bfefa2
cda2d586fa7155859cd61e10bab26160726fe4fb
943810 F20101207_AAAKPY zhou_y_Page_090.jp2
bfc6157e6cfbd031b8ce39319bd367fa
b624ed58ff9a3ecca044ffefa9fa828ac18e50bf
F20101207_AAALTQ zhou_y_Page_211thm.jpg
b2fec6c4a3a268e2614918ce642f5e11
2ecca39f6ddfc0b336536cfa55b70f9916b4fcc6
F20101207_AAAKRC zhou_y_Page_139.jp2
a58d695f88798d4d5da5946a448bb517
a3eab6ef5da26e68ac72e17fd555a9130c6bd164
1051915 F20101207_AAAKQO zhou_y_Page_114.jp2
7790b92cc05b9321d150fbec596cb84f
408532babc541871ad5625a03a5fd7f46c520fa6
F20101207_AAAKPZ zhou_y_Page_091.jp2
8b0bbefed265cc3c83f0432811646989
e69c1240d1011f2adebe1569a9427840d62a7efd
35305 F20101207_AAALTR zhou_y_Page_211.QC.jpg
d44ec66d08a1c31720ab3a5710d7d392
bee58c9ad3a6a892c7d71656888e65c66ba10125
1051943 F20101207_AAAKRD zhou_y_Page_142.jp2
cb3595e2e64260339dc2d3430896c0e7
447eb2d23720af489d8b3967fcc5a016bf2f26fe
1051957 F20101207_AAAKQP zhou_y_Page_118.jp2
973adfb9fa3eacc976d4d01af984c56e
6f4c10bc0502700699113f0aa3365c1e077d7e60
16299 F20101207_AAALTS zhou_y_Page_212.QC.jpg
769aa629db05cc3e657b61d7b8bb7eb7
835c8463986d4efaf37535e615774b06ade9638f
F20101207_AAAKRE zhou_y_Page_144.jp2
992e6998d195426f1479d60eefb4aabf
39d0341b033d58ac8d47b397bd53877cc3e044f8
F20101207_AAAKQQ zhou_y_Page_119.jp2
b9939c6e22b00343d6cf859837c84fdc
2a9617810a196ee7246f10c773b5c5487db07fe6







SECURITY IN WIRELESS SENSOR NETWORKS


By

YUN ZHOU




















A DISSERTATION PRESENTED TO THE GRADUATE SCHOOL
OF THE UNIVERSITY OF FLORIDA IN PARTIAL FULFILLMENT
OF THE REQUIREMENTS FOR THE DEGREE OF
DOCTOR OF PHILOSOPHY

UNIVERSITY OF FLORIDA

2007

































2007 Yun Zhou



































To my family.









ACKNOWLEDGMENTS

My foremost gratitude goes to my advisor, Prof. Yuguang \1i i I I Fang, for his

invaluable guidance, encouragement and support with my years in the Wireless Networks

Laboratory (WINET). Prof. Fang has not only guided my research in the past few years

with his insights and knowledge, but also with thoughtfulness and patience on my personal

growth.

I gratefully acknowledge my other committee members, Prof. Sartaj Sahni, Prof.

Shigang Chen, and Prof. Dapeng Wu for serving on my supervisory committee and for

their invaluable support in various stages of my work.

I would not be a wholesome graduate student without a group of great friends. I

would like to extend my thanks to my fantastic colleagues in WINET, whose presence

and fun-loving spirits built up a warm, family-like environment. I also appreciate their

collaboration and insightful advice throughout these years.

Finally, I am deeply indebted to my friends who have aliv-l- been standing by my

side. Without their cherish and unwavering support, I would never imagine what I have

achieved.









TABLE OF CONTENTS
page

ACKNOW LEDGMENTS ................................. 4

LIST OF TABLES ....................... ............ 11

LIST OF FIGURES ....................... ........... 12

LIST OF ABBREVIATIONS ............................... 14

ABSTRACT . . . . . . . . . . 16

CHAPTER


1 INTRODUCTION ...................... .......... 18

2 KEY AGREEMENT FOR LARGE SCALE NETWORKS .......... 22

2.1 Introduction . .. . . . . . . .. 22
2.2 Key Agreement Models ......... ........... ....... 24
2.2.1 Global Key ......... ............ ......... 24
2.2.2 Key Server ......... .......... .......... 25
2.2.3 Pairwise Key ......... ..................... 25
2.2.4 M atrix . . . . . . .. 26
2.2.5 Polynom ial . .. . . . . . .. 27
2.3 O ur M odel . .. . . . . . .. . 27
2.3.1 Mathematical Tool ............... ........ ..28
2.3.2 Assumptions ............... ........... ..30
2.3.3 Share Distribution .................. ......... .. 30
2.3.4 Direct Key Calculation . ............. .. 32
2.3.5 Indirect Key Negotiation ............... .. .. 32
2.4 Analysis ................... . . .... 33
2.4.1 Number of Secure Paths ............... .. 34
2.4.2 Number of Disjoint Secure Paths ............... .. 34
2.4.3 Number of Agent Nodes ............... .. .. 34
2.4.4 An Example ............... ........... ..35
2.4.5 Security of Direct Keys ..... ......... ... ... .. .. 36
2.4.5.1 Node compromise in one subspace . . 36
2.4.5.2 Node compromise in all subspaces . . 37
2.4.5.3 C(!....-. degree t ...... ....... .. .. 38
2.4.6 Security of Indirect Keys ............. .. .. .. 40
2.4.7 Memory Cost ............... ......... ..40
2.4.8 Computation Overhead ................ ... .. 42
2.4.9 Communication Overhead ................ . .. 42
2.5 Security Enhancement of Indirect Keys ............. . .. 43









2.6 Key Establishment in Wireless Sensor Networks . . ...... 45
2.6.1 Random Key Material Distribution ................. .. 45
2.6.2 Deterministic Key Material Distribution . . ..... 47
2.6.3 Comparisons With Related Work .................. .. 49
2.7 Conclusion . .. . . . ... . . .. 50

3 KEY ESTABLISHMENT USING DEPLOYMENT KNOWLEDGE IN WIRELESS
SENSOR NETW ORKS .................. .......... .. 51

3.1 Introduction ................... . . .... 51
3.1.1 Sensor Network Model .................. ..... .. 51
3.1.2 Security C'!I !!. n,. ..... ........... ........ 52
3.1.3 Attacks .................. ............... .. 54
3.1.3.1 Attack techniques .................. .. 54
3.1.3.2 Passive vs. active .................. .. 55
3.1.3.3 External vs. internal ................ .. .. 55
3.1.4 Security Requirements .................. ..... .. 56
3.2 Uniform Key Material Distribution .................. ..... 57
3.3 A Square Cell Deployment Model .................. ... 58
3.4 New Deployment and Secret Pre-Distribution Models . . 59
3.4.1 Security of LBKP .................. ......... .. 59
3.4.2 A Hexagon Cell Model .................. ..... .. 60
3.4.3 Edge-Based Secret Pre-Distribution ................. .. 61
3.4.4 A Triangle Cell Model ................... . ... 63
3.5 Cell-based Pairwise Key Establishment .............. .. .. 64
3.5.1 Node Deployment .................. ......... .. 64
3.5.2 Polynomial distribution .................. ..... .. 64
3.5.3 Pairwise Key Establishment ................... . 65
3.5.4 Node Addition .................. ......... .. .. 66
3.5.5 Node Revocation ............... ........ .. 66
3.6 Analysis and Evaluation ............... ....... .. 67
3.6.1 Security ............... ............ .. 67
3.6.2 Memory Cost ............... ......... .. 70
3.6.3 Connectivity ............... .......... .. 71
3.7 Conclusion .................... ................ .. 74

4 SCALABLE KEY ESTABLISHMENT IN WIRELESS SENSOR NETWORKS 77

4.1 Introduction ...... ........ .. .. ....... ...... 77
4.2 Two Dimension Grid Design for TLK and LLK Establishment ...... ..79
4.2.1 Network Model ............... ......... .. 79
4.2.2 Share Pre-distribution. ..... .......... ... .. 80
4.2.3 Direct Key Calculation .............. ... .. .. 81
4.2.4 Indirect Key Negotiation .............. .. .. 82
4.2.5 LLK Establishment ............... . ... 83
4.2.6 TLK Establishment ............... ....... .. 84









4.2.7 Performance Evaluation. .............. .. .. 85
4.2.7.1 M emory cost ................ ... .. 85
4.2.7.2 Resilience to node compromise . . 87
4.2.7.3 Local secure connectivity .... . . .. 91
4.2.7.4 Computation overhead ............. .. .. .. 93
4.3 Scalable Link-L,-i r Key Agreement in Sensor Networks . .... 94
4.3.1 Network Model ............... ......... .. 94
4.3.2 Share Distribution ............... ........ .. 95
4.3.3 Node Deployment ............... ........ .. 96
4.3.4 Linlk-l1-,r Key Agreement ..... ........... . .. 97
4.3.5 Performance Evaluation. .............. .. .. 100
4.3.5.1 M emory cost ................ ... .. 100
4.3.5.2 Security ............ . . ... 101
4.3.5.3 Local secure connectivity ... . . ... 102
4.4 Conclusion ................ ............. .. 104

5 A LOCATION-BASED NAMING MECHANISM FOR SECURING SENSOR
NETW ORKS .................. .............. .. 105

5.1 Introduction ............... . . ... 105
5.2 Location-based Naming Mechanism ................ 107
5.2.1 Location Determination .............. ... 107
5.2.2 Location-based Name ............... .... .. 108
5.3 Link L -v.r Security .................. ............ .. 110
5.3.1 Establishing Shared Keys ................ ... .. 111
5.3.2 B-Phase Authentication. .............. .. .. 112
5.3.3 C-Phase Authentication. .............. .. .. 114
5.4 Secure Sensor Networks ............... ........ .. 115
5.4.1 The Sybil Attack ............... ........ .. 116
5.4.2 Identity Replication Attacks ................ .. .. 116
5.4.3 Wormhole Attacks ............... ........ .. 117
5.4.4 Sinkhole Attacks. .................... ......... .. 118
5.4.5 HELLO Flood Attacks . . ......... .... 118
5.4.6 The Acknowledgement Spoofing Attack . . 118
5.4.7 The Node-compromise Attack ................ .... .. 119
5.4.8 The Memory Exhaustion Attack ............. .. .. 119
5.5 Discussion ................... ................ .. 120
5.6 Conclusion ................ ............. .. 121

6 ACCESS CONTROL IN WIRELESS SENSOR NETWORKS . ... 122

6.1 Introduction ............... ................ .. 122
6.2 Review of Attacks ................ . . .. 124
6.2.1 Malicious Nodes Deployment ................ 124
6.2.2 The Sybil Attack ............... ........ 124
6.2.3 The Node Replication Attack ................ .... 125









6.2.4 The Wormhole Attack .................. ..... .. 126
6.3 Access Control .................. .............. .. 126
6.3.1 Necessity .. ... .. .. .. .. ... .. .. .. ... .. ..... 126
6.3.2 The State of the Art .................. .. ..... 127
6.4 Our Protocol .................. ............... .. 129
6.4.1 Outline .................. ............... .. 129
6.4.2 Assumptions .................. ............ 130
6.4.2.1 Network model .................. ... 130
6.4.2.2 Adversary model ................ .... .. 131
6.4.3 Cryptographic Primitive ............. .. .. .. 131
6.4.4 P1, 1. i. .Lv-ment Phase ............... .... 132
6.4.4.1 Network parameters ................ .... 132
6.4.4.2 Sensor parameters ............. ... . 133
6.4.5 Node Deployment ............... ........ 134
6.4.6 Node Authentication .... ........... .... 134
6.4.6.1 Handshake between new nodes . . . 134
6.4.6.2 Handshake between a new node and an old node ..... 136
6.4.7 Key Establishment ............... ........ 137
6.5 Security Analysis ............... .......... 138
6.5.1 New Node Deployment ................. .... 138
6.5.2 Eavesdropping and False Reports Injection . . 138
6.5.3 Node Compromise ............... ........ 138
6.5.4 Attacks to Access Control ..... ........... . 139
6.6 Evaluation ............... .............. ..140
6.6.1 ECC vs. RSA .... .............. .... .. ..... .. 140
6.6.2 Comparison with Related Work ............. .. 142
6.7 Conclusion ................ ............. ..144

7 BABRA: BATCH-BASED BROADCAST AUTHENTICATION IN WIRELESS
SENSOR NETWORKS ............... ......... ..146

7.1 Introduction ............... ............. ..146
7.2 pTESLA ................. ................. ........... 147
7.3 BABRA Design ............... ........... 148
7.3.1 Network Model ............... ......... 148
7.3.2 Architecture ............... .......... 149
7.3.3 Bootstrapping .............. . . .... 151
7.3.4 Counteracting Bogus Packets ................ . 151
7.3.5 Countermeasures to Radio Jamming .... . . 152
7.3.5.1 Intermittent jamming ............. .. 152
7.3.5.2 Continuous jamming ................ .... 155
7.4 Discussion ............... ............... ..157
7.5 Conclusion ................ ............. ..158










8 MABS: MULTICAST AUTHENTICATION BASED ON BATCH SIGNATURE


8.1 Introduction . ..........
8.2 Related Work ..... ..........
8.3 Multicast Authentication Over Lossy C'!i
8.3.1 Assumptions ............
8.3.2 Batch Signature .........
8.4 Batch Signature Construction . .
8.4.1 Batch RSA Signature . .
8.4.1.1 RSA . .. ..
8.4.1.2 Batch RSA . ..
8.4.1.3 Requirements to the sen
8.4.2 Batch BLS Signature . ..
8.4.2.1 BLS . . .
8.4.2.2 Batch BLS . ..
8.4.2.3 Requirements to the sen
8.4.3 Batch DSA Signature . .
8.4.3.1 Harn DSA . ..


1lil. kq







der




der


8.4.3.2 Harn batch DSA


8.4.3.3 The Boyd-Pavlovski attack.
8.4.3.4 Our batch DSA . .
8.4.3.5 Requirements to the sender
8.5 Performance Evaluation . ......
8.5.1 Resilience to Packet Loss . .
8.5.2 Authentication Latency . ..
8.5.3 Computational Overhead . .
8.5.4 Communication Overhead . .
8.6 Counteracting DoS . .........
8.7 Conclusion . . . . .


9 SECURITY OF IEEE 802.16 IN MESH MODE .


. . . . 184


9.1 Introduction ........ ............ ..
9.2 Security Architecture of IEEE 802.16 in Mesh Mode
9.3 Security Threats to IEEE 802.16 in Mesh Mode .
9.3.1 Topological Attacks . ........
9.3.2 Authorization Threats . .......
9.3.3 Threats to Link Establishment . ..
9.3.4 Threats to Teks . ...........
9.3.5 Traffic Threats . ...........
9.4 802.16e Security in Mesh Mode . ......
9.4.1 Security Improvements . .......
9.4.2 Potential Threats . ..........
9.5 New Security Improvements . ........
9.5.1 Neighbor Authentication . ......
9.5.2 Cryptographic Issues . ........


159
161
162
162
162
164
164
164
164
165
166
166
167
168
168
168
169
170
170
171
172
172
173
175
176
177
182


184
186
187
187
188
192
194
195
195
196
196
197
197
198


.. .










9.6 Conclusion . . . . . . . . ... 199

REFERENCES ................... ........... ...... 200

BIOGRAPHICAL SKETCH . ............... ........... .213



















































10









LIST OF TABLES


Table page

2-1 Bound and precise ratios between t* and N1 ................ 40

3-1 The algorithm for polynomial distributing. .................. ... 65

3-2 Memory cost .................. .................. .. 71

4-1 Memory cost of different schemes. .................. ..... 87

4-2 Local secure connectivity of different schemes .................. 93

4-3 Computation overhead of different schemes. ......... . 94

4-4 Memory cost of different schemes .................. ...... .. 101

8-1 Authentication latency of different schemes. .................. 175

8-2 Computation overhead of different schemes for one block. ........... ..176

8-3 Computational overhead of different batch schemes. .............. ..176

8-4 Communication overhead of different schemes for one block. . .... 177

8-5 Communication overhead of signature schemes. ................ 177

8-6 Comparisons between the block-based approach and the batch-based approach. 182











LIST OF FIGURES


Figu

2-1

2-2

2-3

2-4

3-1

3-2

3-3

3-4

3-5

3-6

3-7

3-8

4-1

4-2

4-3


re

Construction of credentials according to the equation (2

An example of key graph in the 3-dimension ID space.

Minimum required polynomial degree. . .....

The communication overhead . .........

A wireless sensor network . ...........

A square cell deployment model . .


A hexagon cell model . .......

A triangle grid model . .......

M = 120 . ..............

M = 240 ..... ...........

The probability that each node resides in its

The probability that each node resides in its

A two-dimension sensor network . .

LLK establishment . .........

M = 240 . ..............


own cell is

own cell is


9). .


0.9.

0.99..


4-4 M 180.


4-5 Topology. A) Before deployment. B) After deployment .. .....

4-6 Deployment strategy. A) Before deployment. B) After deployment .

4-7 Node coverage in one cell ................. . .....

5-1 A square cell deployment model .............. . .....

5-2 Location-based name ................... . .....

6-1 Attacks ... .. .. .. ... .. .. .. ... .. ... . .....

6-2 Handshake between two new nodes.............. . .....

6-3 Handshake between a new node and an old node....... . .

7-1 One batch of broadcast and the batch packet format.. . .


page

. 31

. 35

. 41

. 44

. 52

. 59

. 61

. 64

. 69

. 70

. 75

. 76

. 80

. 84

. 89

. 90

. 98

. 99

. 104

. 108

. 110

. 127

. 136

. 137

. 149









7-2 The authenticated broadcasting stream. .............. . 151

7-3 The key survival probability. ............... ........ .. 154

8-1 Verification rate under the random loss model. .................. 173

8-2 Verification rate under the burst loss model with the maximum burst length 10. 174

8-3 An example of Merkle tree. .................. ......... 180

8-4 MABS architecture including the DoS counter measure. . . 181

9-1 Mesh networks .................. ................. .. 185

9-2 Sinkhole attacks .................. ................ .. 188

9-3 Wormhole attacks. .................. ............... .. 189

9-4 Node authorization. ................... ............... .. 190

9-5 Replay attacks .................. ................. .. 192

9-6 False base station. .................. ............... .. 193

9-7 Link establishment. .................. .............. .. 194

9-8 TEK update .................. .................. .. 195









LIST OF ABBREVIATIONS


AK Authorization key

ASM Authorization state machine

BABRA Batch-based broadcast authentication

BIBD Balanced incomplete block design

BS Base station

CRC Cyclic redundancy checksum

DOCSIS Data over cable service interface specifications

DoS Denial of service

DSA Digital signature algorithm

ECC Elliptic curve cryptography

ECDLP Elliptic curve discrete logarithm problem

ECDSA Elliptic curve digital signature algorithm

FEC Forward error correction

GPS Global positioning system

ID Identifier or identity

IV Initialization vector

KDC Key distribution center

KTC Key translation center

LAKE Two-1i v-r key establishment

LBN Location-based naming

LBKP Location-based key pre-distribution

LLA Link l,-v-r authentication

LLK Link l,-v-r key

MABS Multicast authentication based on batch signature

MAC Message authentication code in cryptography or medium access control in the

networking theory









MSKP Multiple-space key pre-distribution

OHC One-way hash chain

OSS Operator shared secret

OWA One-way accumulator

PIKE Peer intermediaries for key establishment

PKE Pairwise key establishment

PKM Privacy and key management

PMP Point-to-multi-point

PPKP Polynomial pool-based key pre-distribution

QoS Quality of service

RKP Random key pre-distribution

RPK Random-pairwise key

RSA A cryptography algorithm named after its inventors Ron Rivest, Adi Shamir and

Leonard Adleman

SA Security association

SPINS Security protocols for sensor networks

SS Subscriber station

TEK Traffic encryption key

TESLA Timed efficient stream loss-tolerant authentication

TLK Transport l-v-r key

TSM TEK state machine

WiMAX Worldwide interoperability for microwave access

WLAN Wireless local area network

WMAN Wireless metropolitan area networks

WSN Wireless sensor network









Abstract of Dissertation Presented to the Graduate School
of the University of Florida in Partial Fulfillment of the
Requirements for the Degree of Doctor of Philosophy

SECURITY IN WIRELESS SENSOR NETWORKS

By

Yun Zhou

August 2007

C'!I ,i: Yuguang Fang
Major: Electrical and Computer Engineering

Rapid advances in wired/wireless networking technology are gradually expanding the

realm of ubiquitous high-speed network access. Such a process also encounters more and

more threats and attacks from those who exploit vulnerabilities in networks. This has

been motivating research on security in wireless networks.

Key establishment is the first step to develop all the other security mechanisms,

because most security protocols depend on keys to operate correctly and provide desirable

security performance. In my research, a scalable and deterministic key agreement model

based on a multivariate polynomial and a multidimensional grid-based network topology

was developed to enable key establishment in large scale networks with very low memory

cost. I will show that my model can achieve the memory cost of several orders lower than

the number of nodes in the network, while traditional models have the memory cost at

the same order as the network size. My model has found applications in wireless sensor

networks to establish hop-to-hop keys and end-to-end keys. In addition, I also proposed

an access control protocol based on elliptic curve cryptography (ECC) for wireless sensor

networks, which accomplishes node authentication and key establishment for new nodes.

Different from conventional authentication methods, my protocol can defend against most

well-recognized attacks in wireless sensor networks, and achieve better computation and

communication performance due to the more efficient algorithms based on ECC.









Authentication is critical to ensure the origin of a multicast stream in hostile

environments. Conventional block-based schemes suffer from drawbacks such as vulnerability

to packet loss, authentication latency and Denial of Service (DoS) attacks. In my

research, I developed a novel multicast authentication scheme based on batch signatures.

In particular, each packet in a stream is attached with a signature. The receiver

authenticates multiple packets by checking their signatures through only one verification

operation. I proposed three implementations including two novel batch signature schemes.

My approach can achieve computational efficiency while avoiding the drawbacks of

conventional block-based schemes. I also proposed a broadcast authentication protocol

for wireless sensor networks based on symmetric key techniques. Compared with the

conventional symmetric key solutions, my scheme does not require time synchronization,

eliminates the requirement of key chain, supports broadcast for infinite rounds, and is

efficient due to the use of symmetric key techniques.

IEEE 802.16 (worldwide interoperability for microwave access, or WiMAX) is

seen as a promising technology for next generation broadband wireless access, while

security issues also draw the intentions in the literature. In my research, I analyzed the

IEEE 802.16 standard and found out that though IEEE 802.16 provides some security

measures in conventional one-hop networks, it is very vulnerable to malicious attacks in

multihop environments such as wireless mesh networks. In order to strength the defense

of IEEE 802.16 in mesh networks, I proposed a mesh-certificate-based access control and

authentication scheme for WiMAX-based mesh networks.









CHAPTER 1
INTRODUCTION

Rapid advances in wired/wireless networking technology are gradually expanding the

realm of ubiquitous high-speed network access. At the same time, however, such a process

also encounters more and more threats and attacks from those who exploit vulnerabilities

in networks on a widespread basis. The situation is deteriorating with the increasing

popularity of wireless networks, which facilitate uncontrolled network access due to the

shared wireless medium. This motivates my research on security in wireless networks. My

overall goal is not only to make networked systems resilient to malicious attacks, but also

to promote proactive security in network and protocol design.

Key establishment is the first step to develop all the other security mechanisms,

because most security protocols depends on keys to operate correctly and provide desirable

security performance. In C'! lpter 2, a scalable and deterministic key agreement model

based on a multivariate polynomial and a multidimensional grid-based network topology is

introduced to enable key establishment in large scale networks with very low memory cost.

We will show that our model can achieve the memory cost of several orders lower than the

number of nodes in the network, while traditional models have the memory cost at the

same order as the network size.

Existing key agreement models can be used to establish keys in wireless sensor

networks (WSN). A problem, however, comes as the communication overhead is significant

when two neighboring nodes do not have correlated key material and thus have to

rely on a multihop path to negotiate a shared key. This problem can be alleviated by

leveraging node deployment knowledge in the sense that two nodes that will be deploy, -1

close to each other can be preloaded with correlated key material so that they have a

higher probability of establishing a shared key. In C'! lpter 3, we show that by leveraging

deployment knowledge we can achieve much better performance.









In C'! ipter 4, we combine our key agreement model and deployment knowledge and

propose a novel key establishment scheme for WSNs. We will show that our scheme can

not only achieve efficient key establishment between neighboring nodes but also establish

end-to-end keys between two nodes far away from each other.

Conventional WSN designs name every node with an identifier from a one-dimension

name space that has no meaning but has identification function. However, it is much more

useful to let every node identifier carry more characteristics of the node itself. Chapter 5

introduces the naming problem and proposes a location-based naming (LBN) mechanism

for WSNs, in which deployment knowledge is embedded into node identifier and acts as

an inherent node characteristic to provide authentication service in local access control.

When LBN is enforced, the impacts of many attacks to WSN topology can be limited in a

small area. A link 1-v. r authentication (LLA) scheme is also proposed to further decrease

the impacts of those attacks. Our LBN and LLA can be combined and act as an efficient

solution against a wide range of attacks in WSNs.

To extend the lifetime of a WSN, new node deployment is necessary. In military

scenarios, adversaries may directly deploy malicious nodes or manipulate existing nodes

to introduce malicious i, v.-" nodes through many kinds of attacks. To prevent malicious

nodes from joining the network, access control is required in the design of WSN protocols.

In C'! lpter 6, we propose an access control protocol based on elliptic curve cryptography

(ECC) for WSNs. Our access control protocol accomplishes node authentication and key

establishment for new nodes. Different from conventional authentication methods based on

the node identity, our access control protocol includes both the node identity and the node

bootstrapping time into the authentication procedure. Hence our access control protocol

can not only identify the identity of each node but also differentiate between old nodes

and new nodes. In addition, each new node can establish shared keys with its neighbors

during the node authentication procedure. Compared with conventional security solutions,

our access control protocol can defend against most well-recognized attacks in WSNs, and









achieve better computation and communication performance due to the more efficient

algorithms based on ECC than those based on RSA.

To prevent adversaries from injecting bogus messages, authentication is required for

broadcast in WSNs. pTESLA (timed efficient stream loss-tolerant authentication) is a

light-weight broadcast authentication protocol, which uses a one-way hash chain and the

d.1 i-, -1 disclosure of keys to provide the authentication service. However, it suffers from

several drawbacks in terms of time synchronization, limited broadcast rounds, key chain

management at the source node, etc. In C'! lpter 7, we propose a novel protocol, called

batch-based broadcast authentication (BABRA) for WSNs. BABRA does not require

time synchronization, eliminates the requirement of key chain, and supports broadcast for

infinite rounds. Like /TESLA, BABRA is also efficient due to the use of symmetric key

techniques.

Authentication is critical to ensure the origin of a multicast stream in hostile

environments. To avoid computationally expensive signature operations on each packet,

conventional schemes divide a multicast stream into blocks, associate each block with

a signature, and spread the effect of the signature across all the packets in the block

through some efficient operations such as hash or coding. However, most of conventional

schemes suffer from drawbacks such as vulnerability to packet loss and DoS attacks.

Moreover, most of them require the entire block with its signature be collected before

authenticating each packet in the block. This authentication latency can lead to the

jitter effect to realtime applications at the receiver. Unlike the block-based approach, we

develop a novel multicast authentication scheme based on batch signature ( !ABS) in

C'! lpter 8. Particularly, each packet in a stream is attached with a signature. The receiver

authenticates multiple packets by checking their signatures through only one verification

operation. We propose two batch signature schemes based on BLS and DSA that are more

efficient than batch RSA signature scheme. MABS can achieve computational efficiency

while avoiding the drawbacks of conventional block-based schemes.









IEEE 802.16 (WiMAX) is seen as a promising technology for next generation

broadband wireless access. Compared with IEEE 802.11, IEEE 802.16 operates at

larger frequency band up to 66GHZ, covers longer distance up to 50km, and supports

QoS (quality of service). Therefore, 802.16 becomes an ideal choice for broadband

wireless access systems. Based on the lessons from IEEE 802.11 networks, people start

looking into the security issues in wireless access networks. In ('! Ilpter 9, we analyzed the

IEEE 802.16 standard and found out that though IEEE 802.16 provides some security

measures in conventional one-hop networks, it is very vulnerable to malicious attacks in

multihop environments such as wireless mesh networks. In order to strength the defense

of IEEE 802.16 in mesh networks, we proposed a mesh-certificate-based access control and

authentication scheme for WiMAX-based mesh networks.









CHAPTER 2
KEY AGREEMENT FOR LARGE SCALE NETWORKS

2.1 Introduction

Key agreement is a central problem to build up secure infrastructures for networks,

because most security protocols and cryptography algorithms, such as encryption or

signature, require a secret key to be fed into some standard algorithms with public-known

messages to generate some outputs used in a specific secure context.

In his classic paper "Communication theory of secrecy systems" [1], Claude Shannon,

who had established information theory, developed the theoretical framework for the

symmetric key based cryptography. In his cryptographical system model, there are two

information sources, i.e., a message source and a key source, at the transmission end. The

key source produces a particular key K from among those which are usable in the system.

This key K is transmitted by some means, supposedly not interceptable, for example by

a messenger, to the receiving end. The message source produces a message M (in the

"clear") which is enciphered by the encipherer TK. The resulting ciphertext E is sent to

the receiving end by a possibly interceptable means, for example radio. At the receiving

end the ciphertext E and the key K are combined in the decipherer TK1 to recover the

message M. The transformation TK and its inverse TK1 are possibly known to the public.

The Diffie-Hellman [2] and the RSA [3] algorithms mark the establishment of the

.,i- ii,. I lic key based cryptography. Unlike a single key used by both the transmission

end and the receiving end in symmetric key systems, there are two keys for each end in

.-i-,iiiii. I ic key systems. The transmission end encrypts a message M into a ciphertext

E by an encryption key K that belongs to the receiving end. The receiving end decrypts

the ciphertext E to get the message M by a decryption key K-1 that also belongs to

himself1 Here the encryption key K and the decryption key K-1 are different. Though



1 In this dissertation, we does not consider the gender difference.









the decryption key is kept secret by the receiving end, the encryption key is usually

known to the public so that .,.,i one can send messages using the encryption key to the

receiving end. Asymmetric key systems, therefore, is also called public key systems, and

the encryption key and decryption key are called public key and private key, respectively.

In a cryptographical system, the message source and the ciphertext space are usually

accessible by an attacker. The encryption and the decryption transforms are also seen

to be accessible to the attacker. Though in some specific systems the cryptographical

algorithms can be kept secret, this approach may increase the system vulnerability,

because an algorithm that is not inspected carefully by critical experts may have some

potential defects that can be utilized by hackers. Therefore most "secure" algorithms are

public so that they could be carefully inspected. In this case, the security of the entire

system mainly relies on the secrecy of the keys it uses.

If an attacker can find the key, the entire system is broken. The attacker can

achieve the goal by cryptanalysis. Most cryptographical systems are vulnerable to

cryptanalysis due to the existence of the redundancy of message source in the real world.

The redundancy can alv--,v- provide the attacker a possible tool for cryptanalysis over

intercepted ciphertexts during their transmission. Moreover, the attacker knows the

system being used, i.e., the message space, the transformation Ti, and the probabilities

of choosing various keys, and has unlimited time and staff available for the analysis

of ciphertexts. The attacker thus can use all these resources to find the key if the

time is not important for him. Another way is to directly intercept the key during its

transmission between the message source and receiving end. Therefore, how to achieve the

key agreement between the source and sink securely is a very important issue.

Generally, to establish keys includes two steps. At first, the source and sink should

be configured with some key materials. Second, those materials are used to establish a

shared symmetric key between the source and sink. In symmetric key systems, those

key materials can be a shared symmetric key or parameters used to calculate the









symmetric key. In .i-vmmetric key systems, they are parameters associated with the

chosen .-i-ii", li ic key algorithm, e.g., Diffie-Hellman or RSA, and the source and sink

can negotiate a shared symmetric key by using the .,i-vii ii, li ic key algorithm.

Asymmetric key algorithms outperform symmetric key algorithms in terms of

flexible manageability, but their efficacy relies on the authenticity of public keys.

Hence, .,-mmetric key algorithms are usually applicable in the networks including

fixed authorities who are in charge of the authentication of public keys. However, there are

many scenarios, e.g., dynamic conferences or ad hoc networks, where such authorities are

not available. In addition, .,-i-iiii., li ic key algorithms require more computation resources

than symmetric key algorithms. Therefore, symmetric key algorithms are pretty suitable

for low-end devices because of their efficiency. In this chapter, we mainly focus on how to

achieve key agreement by using symmetric key algorithms.

2.2 Key Agreement Models

A network consists of many nodes. In order to secure communication between nodes,

we need some methods to establish a share key for each pair of nodes. In this section, we

review several models for key agreement in a network.

2.2.1 Global Key

The simplest symmetric key model is to use a global key, which is shared by all the

nodes in a network. Usually each node is configured with the global key by an off-line

authority before joining the network. After the node join the network, it can communicate

with other nodes securely. In order to avoid the key exposal by an attacher through

security analysis, the global key needs to be updated periodically. In each period, a key

manager generates and distributes a new global key to all the nodes in the network. One

example of the global key model used in WSNs can be found in [4].

The global key model assumes all the nodes in the network are trustful, and thus this

model can effectively prevent external attackers from accessing critical information that is

secured by the global key. However, this assumption can fail in some scenarios when an









attacker can get the global key by compromising only one node whereby to break into the

entire network.

2.2.2 Key Server

A special node in a network can be selected as a key distribution center (KDC) or key

translation center (KTC) models [5]. Each of other nodes has a shared key, which could be

pre-configured, with the KDC/KTC, which is a central trusted server. KDC/KTC helps to

establish a shared key between any two nodes. An example of applying KDC in WSNs is

SPINS (security protocols for sensor networks) [6].

The KDC/KTC model has a merit of low memory cost for storing key material. Each

node keeps only one key shared with the KDC/KTC. When a new node joins the network,

it can negotiate a shared key with any other node as long as the new node is configured

with a key shared with the KDC/KTC. On the other hand, the centralized model also

makes the KDC/KTC a potential failure point in the sense that the entire network is

broken down if the KDC/KTC is corrupted by an attacker.

2.2.3 Pairwise Key

The pairwise key model is a distributed model. It assumes that a pair of nodes can

be configured with a unique shared secret key. In the full pairwise key model, each pair of

nodes in a network is configured with a distinct shared key, so that they can communicate

securely right after they join the network. In a partial pairwise key model, each node is

configured with pairwise keys for a portion of the other nodes in the network. Therefore,

a pair of nodes may not have a shared key in advance. They, however, may rely on a

multihop path to negotiate a shared key online, where the path is secured by consecutive

pairwise keys.

The pairwise key model is perfect secure in the sense that no matter how many nodes

collude with each other they know nothing about the pairwise keys held by other normal

nodes. Therefore, this model is resilient to node compromise, compared with the global

key model and the KDC/KTC model. The tradeoff, however, is that each node must be









pre-configured with multiple keys. Consider the full pairwise key model in a network of

N nodes. Each node needs to keep N 1 keys, and the overall number of keys in the

network, which may need to be centrally backed up, is then N(N-1). As the size of the
2
network increases, this number becomes unacceptably large. Therefore, the pairwise key

model is usually suitable for small networks.

2.2.4 Matrix

Blom [7] proposed a matrix-based model based on. For a network of N nodes, an

offline central authority first constructs a (t + 1) x N public matrix P over a finite field Fq,

where t is a security threshold. Then the central authority selects a random (t + 1) x (t+ 1)

symmetric matrix S over Fq, where S is secret and only known to the central authority.

An N x (t+1) matrix A= (S.P)T is computed, where (.)T denotes the transpose operator.

The central authority pre-configures the i-th row of A and the i-th column of P to node i,

for i 1, 2,..., N. After the network is set up, nodes i and j can agree on a shared key by

exchanging their columns of P and computing the key. In particular, node i computes a

key Kij as the product of its own row of A and the j-th column of P and node j computes

Kji as the product of its own row of A and the i-th column of P. Because S is symmetric,

it is easy to see:


K =AP (SP)T.P pT. ST.p

PT. S. P =(A P)T K (21)


Therefore, nodes pair (i,j) will use Ki = Kji, as a shared key.

The matrix model has a t-secure property in the sense that in a network of N nodes

the collusion of less than t + 1 nodes cannot reveal any key shared by other pairs of nodes.

This is because as least t + 1 rows of A and t + 1 columns of P are required to solve the

secret symmetric matrix S. Therefore, the matrix model can tolerate up to t compromised

nodes.









The memory cost per node in this model is t + 1. To guarantee perfect security, the

value of t should be set as (N 2), which means the memory cost per node is N 1.

Therefore, the matrix model also has large memory cost as the pairwise key model.

2.2.5 Polynomial

In [8], Blundo et al. I.., -1 to use a t-degree bivariate symmetric polynomial to

achieve key agreement. It is a special case of the matrix model in the sense that the public

matrix P is composed with node identifiers as:

1 1 1 *.. 1

nf n 2 n3 N

P n12 n2 2n32 ... nN 2 (2-2)



n1t n2t n3t Nt

where ni, for i = 1, 2,..., N, is the identifier of the i-th node. It is easy to see that P is

a Vandermonde matrix, and thus any t + 1 columns of P are linearly independent when

ni, i 1, 2,..., N are all distinct.

Like the matrix model, the polynomial model also provides the t-secure property

while features the same memory cost.

2.3 Our Model

Obviously, previous distributed models are not suitable for large networks because

of their memory cost of order N 1 in a network of N nodes. In reality, however, we

often deal with large distributed networks or systems. How to achieve key agreement

in a large network is a very challenging problem. In view of this problem, we propose a

novel key agreement model based on a multivariate symmetric polynomial [9, 10]. It has

three components, i.e. share distribution, direct key calculation, indirect key negotiation.

In the share distribution part, partial information of a global t-degree (k + 1)-variate

polynomial is distributed among nodes. All the partial information cannot reveal the

global polynomial but can help key agreement between nodes. Some nodes may calculate









a shared key directly if they have some partial information in common in the direct key

calculation part. The indirect key negotiation part tells how to negotiate a shared key

between two nodes with help of other nodes if they cannot calculate a direct key.

Our model is scalable for large networks with small memory cost per node. We show

that for a network of N nodes our model has only 0( -N) memory cost per node, where

k > 1. Conventional distributed models can be generated as special cases of our scheme

when k = 1. Unlike the centralized KDC/KTC model, meanwhile, in our scheme every

node may be a KDC to help key agreement between other two nodes, which means more

robust against node compromise. In addition, our model is deterministic in the sense that

any pair of nodes can compute a shared key independently or negotiate one through k 1

agent nodes (k > 1).

2.3.1 Mathematical Tool

Our model is based on a t-degree multivariate symmetric polynomial. A t-degree

(k + 1)-variate polynomial is defined as


f(X1,X2,. ,Xkk+l) ..
ii=0 i2 0
t t

ik=0 ik+l=0

All coefficients of the polynomial are chosen from a finite field Fq, where q is a prime that

is large enough to accommodate a cryptographic key. Without specific statement, all

calculations in this chapter are performed over the finite field Fq.

A (k + 1)-tuple permutation is defined as a bijective mapping


a: [1, k+1 [1, k +]. (2-4)


By choosing all the coefficients according to


'il,i2,...,ik,ik+l ai(1),i(2).-,i.(k),ic (k+1) (2-5)









for any permutation a, we can obtain a symmetric polynomial in that


f(x, 2, ... Xk, Xk+l) f(X,(1), X,(2), -, X,(k), Xa(k+l)) (2-6)

At first, every node should be configured with k credentials, which are positive and

pairwise different integers. Suppose node u has credentials (u1, U2,..., uk) and node v has

credentials (vl, v2,...., ). Before node deployment, we can assign a polynomial share

f(ui, U2,... k, k+1) to u and another share f(vi, v2,..., xk+1) to v. By assigning
polynomial shares, we mean that the coefficients of t-degree univariate polynomials

f(u, U2,..., Uk, xk+1) and f(vi, v2,..., xk+1) are loaded into node u's and v's memory,
respectively.
If the credentials of node u and node v have only one element different, i.e.,

1. for some i E [1, k], ui / and

2. for j = 1, 2,..., k, j / i, uj = vj = cj,

then node u and node v can have a shared key. Node u can take as the input to

its own share f(ui, u2,..., Uk, xk+l), and node v can also take ui as the input to its share

f(vl, v2, ... *, k+l). Due to the polynomial symmetry, the desired shared key between
nodes u and v has been established as


Ku = f(Cl, C2,. ., Ci- i, Ci+I, Ck,' )

(cl,C2,. ,Ci-, Ci+l, Ck ,i) (2-7)

In fact, node u and node v achieve the key agreement by a marginal t-degree bivariate

polynomial, i.e.,


fi(xi, Xk+l) f( ,C1 2,...,Ci-l, i, Ci+l, .. Ck, Xk+l) (2-8)

where i E {1, 2,..., k} is the common credential between nodes u and v.









2.3.2 Assumptions

We assume each node is identified by an index-tuple (ni, n2,..., nk), where n =

0,1,..., Ni 1, i E {1, 2,..., k}, and we may use the index-tuple as the node ID. Hence

each node is mapped into a point in a k-dimension space Si x S2 x ... x Sk, where

ni E Si C Z and the cardinality Sil = Ni, for i = 1, 2,..., k. The maximum number of

nodes that the network can consist of is N H= fl Ni.

Our model targets at the key agreement between any pair of end nodes. Hence we

assume the underlying routing protocol can provide connectivity between any pair of

nodes in the network.

Due to the broadcast characteristics of radio communications, attackers can easily

eavesdrop any messages, either non-encrypted or encrypted, transmitted over the air

between nodes. Moreover, due to cost constraints, it is also unrealistic and uneconomical

to employ tamper-resistant hardware to secure the cryptographic material in each

individual node. Hence attackers may capture any node and compromise the secrets

stored in the node. Furthermore, attackers can use the compromised secrets to derive

more secrets shared between other non-compromised nodes. It means that the node

compromise attack is unavoidable. What we can do is to reduce the impact on other

normal nodes as much as possible. In our model, we try to reduce the probability that the

keys shared between non-compromised nodes are exposed when some nodes have already

been compromised. To further evaluate the impact of node compromise, we assume the

probability of the compromise of a node is p.

2.3.3 Share Distribution

Before network deployment, a global t-degree (k + 1)-variate symmetric polynomial is

constructed as stated in Section 2.3.1. This polynomial is used to derive shares for nodes.

To achieve key agreement, every node n should have k credentials (cl, c2, ..., C),

which are positive and pairwise different as required in Section 2.3.1. These credentials can

be created and preloaded into nodes before deployment. However, it requires additional









I cl I c2 I c3 I I ck
0 N1 N1+N2 ...... N1+...+Nk

Figure 2-1. Construction of credentials according to the equation (2-9).


memory space per node. Fortunately, the k credentials can be derived from the k indices

in node ID (n, n2,..., nk) by a bijection, i.e.,


c = ni + 1

C2 2 + 1 +N1

C3 n3 ++2 (2-9)



Ck-1 nk- +1+ N1 + + Nk-2

Ck = nk + + N1 + + Nk-1

where ni = 0,1,..., i 1 for i = 1, 2,..., k. Thus, the k credentials are drawn from

different zones in that cl E [1, Ni] and c e [NI + + NiI + 1, N1 + N + Ni] for

i 2,... k, which guarantee they are positive and pairwise different (Fig. 2-1).

For a node (ni, n2,..., nk), a polynomial share

t
fk+1 (k+l) = /(, C2,... Ck, Xk+I) bi+ x (2 10)
ik+1 0

is calculated, where

tt t
b- i2,,ikik ccail C il ...- c ik (2-11)
il=02 0 ik=0

and (cI, C2,..., k) is mapped from (n1, n2,..., nk) according to the equations (2-9).

Obviously, the share is a t-degree univariate marginal polynomial of the global polynomial

and has t + 1 coefficients. Then the polynomial share is assigned to the node. Here, the

node only knows the t + 1 coefficients of the univariate polynomial share, but not the

coefficients of the original (k + 1)-variate polynomial. Therefore, even if the marginal









bivariate polynomial is exposed, the global polynomial is still safe if the degree t is chosen

properly.

2.3.4 Direct Key Calculation

According to Section 2.3.1, two nodes can calculate a shared key if their credentials

have k 1 elements in common. Due to the one-to-one mapping in the equations (2-9),

two nodes u with ID (ul, U2,..., Uk) and v with ID (vl, v2,... Uk) can directly calculate a

shared key without any interaction if their IDs (identifier) have k 1 indices in common.

Suppose that the i-th indices of their IDs are different. Then node u can take

, + 1 + N1 + + N-1_ as the input to its own share f(cl, c2,... Xk+1), and node v

can as well take ui + 1 + N1 + + Ni-1 as the input to its share f(c, c2,... q, Xk+1).

Due to the polynomial symmetry, the desired shared key between nodes u and v has been

established as


K,, = f(cl,...,Ui + 1 +---+ 1,

..., k,' +1+N1 + i-1)

f(cl,...,' +1+N + +---+N-1,

... ,Ck,,Ui + + NIV1 +-"" -+ i-1) (2-12)


Because all node credentials of u and v are drawn from different subspaces where any

two subspaces have no intersection and ui / the k + 1 credentials used to calculate

the shared key are pairwise different. Therefore the shared key calculated by the nodes u

and v is unique, i.e., other nodes do not know the shared key. Any two nodes can directly

calculate a unique shared key without any negotiation if there is only one mismatch

between their k-tuple IDs.

2.3.5 Indirect Key Negotiation

If two nodes have more than one mismatch between their IDs, they cannot calculate

a shared key directly. However, they can rely on some intermediate nodes as agents to

negotiate a shared key.









Suppose two nodes u and v have j (j > 2) mismatches in their IDs. For simplicity, let

us omit all the same indices and mark the two nodes with those mismatching indices, -i

node u

(Uil, ui2, ui5 )

and node v



where i1, i2,... ij C [1, k] and are pairwise different. Then they can negotiate a shared key

along a secure path consisting of agents as

I Ni 2 N t3 ;...* ij-l i ij) ,


(, N3 ,Uij_ Uij) ,





because all neighboring nodes along the path have direct keys. It is worth noting that

there are many secure paths between node u and node v. Another example is

(Uil Ui Ui3 ) -1 ) I


(Uil Ui N "" I !3 ) '



( ,',)

The existence of multiple paths indicates the strong resilience of our scheme in the face of

node compromise.

2.4 Analysis

In this Section, we will carry out the analysis of our model when two nodes have j

(j > 2) mismatches in their IDs.









2.4.1 Number of Secure Paths

The number of secure paths can be calculated as follows. Each secure path is

constructed in j steps. Begin from (uil, u2, ui3,. )Uij-1, uj). At each step one of the

indices is replaced with the corresponding one from (, ,' _.,' ,... ,, ,), and thus

we can get an agent at the step. At the first step, any of the j indices of node u may be

replaced, so there are j choices. The second step has j 1 choices. At the j-th step, there

is only one choice left. Hence, the total number of secure paths can calculated as

P j. (j- 1)--- 2-1 j!. (2-13)

2.4.2 Number of Disjoint Secure Paths

Out of the P secure paths some are disjoint, i.e., any two di-i. iil paths have no

common agent nodes except the two end nodes u and v. For nodes u and v which have

j mismatches in their IDs, the number of agent nodes that are the neighbors of the end

nodes u or v is j. Hence the number of di-i, ,iii secure paths is


Pd j. (2-14)

2.4.3 Number of Agent Nodes

For nodes u and v who have j mismatches in their IDs, each agent node along a

secure path between the two nodes has an ID constructed in the following way. Randomly

select 1 positions from j mismatches between u's and v's IDs, draw indices from u's ID at

those positions, and draw indices from v's ID at the positions that are not selected. The

ID of the agent node consists of the two sets of selected indices and the common indices

between u's and v's ID. Hence the number of agent nodes can be calculated as

A -(+)+ j-)i 2+-2. (215)
















(vl,u2,u3)


(ul,u2,u3)


(ul,u2,v3) (ul,v2,v3)
P /

n2




(vl,u2,v3) (vl,v2,v3)


n1

Figure 2-2. An example of key graph in the 3-dimension ID space.


2.4.4 An Example

An example of 3-dimension ID space is given in Fig. 2-2. Suppose node (ul, u2, u3)

needs to establish a shared key with node (vl, v2, 3), where all 3 indices in their IDs are

mismatching. They can determine 6 agent nodes. All these 8 nodes form a cube in the

3-dimension ID space. There are 6 paths from node u to node v, in which 3 are di-i ,iiil

For example, 3 di-i iiilI paths are


(U ,, 2 i- -+ (lI, U2, .) Q ( ,2, (" .) I, V2, 3)


(ul, UU2, U3) (u3 U2, 2,s (U1, U2, UV) (V, 2, 3) ,

and


(,Obviously, the above set of ;-i; paths is not unique.3
Obviously, the above set of (I i-iiI paths is not unique.


(ul,v2,u3)









2.4.5 Security of Direct Keys

All nodes in the network hold partial information of one t-degree (k + 1)-variate

polynomial to achieve key agreement. During the network lifetime, some nodes may be

compromised and then collaborate to expose the polynomial with the partial information

they hold whereby to directly calculate keys between other nodes. Obviously, the

polynomial degree t is an indication of the difficulty to expose the polynomial, and it

is directly related to the security performance. By choosing the value of t properly, we can

guarantee that no matter how many nodes are compromised, their collaboration cannot

expose direct keys held between other non-compromised nodes. In this section, we will

investigate how to choose the polynomial degree.

2.4.5.1 Node compromise in one subspace

Let us consider the malicious collaboration in one subspace. Though in this case

the collaboration can only expose the direct keys between the non-compromised nodes

in the same subspace, this is the easiest attack because adversaries only need to keep

compromising the nodes in one subspace. If they randomly choose a node to compromise,

they have to compromise more nodes to find all nodes in one subspace, which can consume

them more efforts.

Suppose there are Ni nodes in the subspace Si, in which all nodes have same ID

indices in other subspaces, for i = 1, 2,... k. Any pair of nodes Si can achieve key

agreement with a t-degree bivariate polynomial fi(xi, xk+1), which is the marginal of the

global t-degree (k + 1)-variate polynomial f(xi,..., xi, ... xkk+l) (refer to Section

2.3.1). It has been shown in [8] that a t-degree bivariate polynomial is t-secure in that

the coalition between less than (t + 1) nodes holding shares of the t-degree bivariate

polynomial cannot reconstruct it. To guarantee any pair of nodes in Si have a direct key

that is unsolvable by other Ni- 2 nodes, an (Ni 2)-secure bivariate polynomial should be

used. Hence, the degree of polynomial should satisfy











2.4.5.2 Node compromise in all subspaces

Even all nodes in one subspace are corrupted, they cannot expose the global

t-degree (k + 1)-variate polynomial because they only know a marginal of the global

polynomial. In order to expose the direct key belonging to any pair of non-compromised

nodes, adversaries must compromise enough nodes in all subspaces to expose the global

polynomial.

Suppose all Ni nodes in subspace Si are compromised, they can be used to construct

N 2( I equations, i.e.,

f2 (u, '1) = K11




f2(U2, UN2) = K22
f l l(2-17)




f2 (UN,, UN,) = KNN,
where Uj for j = 1, 2,..., N are the ID indices in subspace Si. Kj,,j2, j, / j2 is the

direct key between the ji-th and the j2-th nodes in the subspace, and Kjj is calculated by

inputting the i-th ID index of the j-th node into its own polynomial share.

If all the subspaces are compromised, the total number of equations that adversaries

can construct is

N N NI(N + 1) N N(2 + 1)
SN 2 N2 2
N Nk(Nk + 1)
Nk 2
k k
1( Nj) ( N + k), (2-18)
i=i i=

where the total number of nodes in the network is N = N N2 ".. Nk.

The number of coefficients of a t-degree (k + 1)-variate symmetric polynomial is [8]


N (t+k+)k (2 19)
N k + t 29









Therefore, to guarantee perfect security of the global polynomial, the following

condition should be satisfied, i.e.,
kk
Ne < N ( N)( N + k)< t + (2-20)
i i ii

2.4.5.3 Choose degree t

Given the number of nodes in the network, any polynomial degree t satisfying the
aforementioned conditions (2-16) and (2-20) can be chosen. Each node needs to keep a

t-degree univariate polynomial, which has t + 1 coefficients. Thus, to minimize memory

cost per node, we should use the polynomial which has minimum degree satisfying the
aforementioned conditions.

Here we consider a common case where Ni = N1 for i 1, 2,..., k, i.e., all subspaces

have the same number of indices. Thus, the inequality in (2-20) can be changed to

Nlk(N + 1) < (1


2 1 + t t+) (2-21)

We can prove that when

t > N, k(k + 1)!/2 (2-22)

the inequality (2-21) can be satisfied.








Proof :


( ^ + -( + 1 -- + 1 () + 1)
tk+1 (k + )(k + 2) k
> + t
(k + 1)! 2(k + 1)!
N, k +(kk + ()!)/2 k+
> +
(k + 1)!

( I)k (k + 1) (k+ 2)
N1k +/k(k + 1)!/2
= l + 2 /(k + 1)!l
k k+ 1 ( + ( + )(k + 2) k
N1 + -)N '
2 2 2 /(k (k + t)!
k Nk+l (k + )(k + 2) k

>- Ni + N2
k k+ + 2Nk
2 2
> 2X-k(N1 + 1), (2-23)

where k > 2. 0
Because (t+k+l) is a monotonic increasing function of t, the solution of (2-21) should
be [t*, oo), where t* is the minimum degree satisfying (2-21). Because the solution of
(2-22) is the subset of the solution of (2-21), the minimum global polynomial degree t*
can be bounded as

t* < r N, (224)

where ratio

k+, k(k + 1)! (2 25)
r =. (2-25)
V 2

The second column in Table 2-1 gives some bound ratios when k is small. Figure 2-3
illustrates the precise ratio of t* to N1 respect to N1. We can see when N1 becomes large,
the value of t* becomes stable and the real ratio is bounded by r. Some average ratios are
given in the third column in Table 2-1 when k is small. Obviously when the condition in









Table 2-1. Bound and precise ratios between t* and N1


k r t*/N1
11 1
2 1.8171 1.7715
3 2.4495 2.3919
4 2.9926 2.9219
5 3.4878 3.4058


the inequality (2-20) is satisfied, the condition in the inequality (2-16) is automatically

satisfied.

2.4.6 Security of Indirect Keys

For nodes u and v which have j mismatches in their IDs, the secure path between

them consists of j 1 agent nodes. Suppose the probability that any node is corrupted is

p. The probability that the exchanged indirect shared key between u and v is exposed can

be calculated as


Pc (1 p)j-1. (2-26)


Because the maximum number of mismatches in k-dimension ID space is k, the

maximum probability that the exchanged key is exposed is


Pcmax 1 --_ (1 p)k-1. (2-27)


Obviously, by tuning k, our scheme can achieve a trade-off between security and memory

cost in large scale networks.

2.4.7 Memory Cost

The memory cost per node is mainly related to two parts, i.e., one for node ID

and the other for polynomial share. Remind that each node n is identified by a k-tuple

(ni, n2,..., r k). All indices can be obtained by dividing its node ID into k field. In order
to do this, each node needs to know how many bits are allocated for each field. Hence each

node should keep the values of Ni for i = 1,..., k. The total number of bits should be









































0 20 40 60 80 100 120 140 160
Number of indices N1

Figure 2-3. Minimum required polynomial degree.


used is

k
MID log Ni log N .
i= 1

When all subspaces are equal sized, the memory cost for node ID is


MID k log N .


180 200


(2-28)


(2-29)


In addition, each node in the network keeps a t-degree univariate polynomial share,

which has t + 1 coefficients drawn from the finite field Fq. With the bound calculated

in the previous section, we know the memory cost per node for polynomial share can be









bounded as


S< k(k2 1)! log q. (230)

Due to the large value of q, usually we have MID < 1, Thus, the total memory cost

is


M = MID+3.

< logN+ kVk 2+1)! + 1 log q

S rlog q (2-31)


Obviously, compared with conventional probabilistic distributed models, which have

memory cost at the level of 0(N), our scheme has very small memory cost per node,

which is on the order O( KN) when k is fixed.

2.4.8 Computation Overhead

Our scheme is based on the symmetric key technology. Each sensor node can calculate

a key by using a t-degree univariate polynomial, which is a share of a global polynomial.

To calculate a key, each node should calculate 2t 1 modular multiplications over F*:

t 1 for x2,... ,t and t for blx, b2x2,..., btxt. Under the symmetric key technology, the

length of q is usually 64 bits or 128 bits. Suppose the total number of nodes is N and each

subspace has the same number of nodes. We can estimate that the number of 64-bit or

128-bit modular multiplications each node needs to calculate is


C 2t*- 1 < 2rN + 1 2 V 2( 1! + 1 (2-32)


2.4.9 Communication Overhead

As the establishment of direct keys between a pair of nodes does not require

handshakes between them, the 1i i, ri" communication overhead lies with the establishment

of indirect keys. Just like most existing security schemes that require handshakes between









end nodes to negotiate a shared key, this overhead is inevitable. However, few analytical

results about the overhead are given by current schemes. Most of them rely on simulation

to measure communication overhead. Here, we give an analytical estimation of the

communication overhead of our scheme.

For a pair of nodes with i, for i = 2,..., k, mismatches in their IDs, a secure path

between them involves i 1 agent nodes. If the average path length between a pair of

nodes that have only one mismatch in their IDs is L, the average path length between a

pair of nodes with i mismatches in their IDs is iL. The probability that two nodes have

i mismatches in their IDs is (k) ( 1)/(N 1). Hence the average communication

overhead can be estimated as


C2 = iL
i= 2

i 2
(k N- 1) ( (k)-x) 1)
N-1
k( Nk 1 )(N

i (233)


where N = Nk. Several cases when k is small are depicted in Fig. 2-4.

2.5 Security Enhancement of Indirect Keys

In our model, direct keys are safe because they are calculated by end nodes

without any interaction. On the other hand, indirect keys may be exposed during their

transmission between end nodes if any intermediate agent node is compromised. However,

the existence of multiple secure paths between two nodes can be utilized to enhance the

confidentiality of indirect keys. The idea is to transform an indirect key into many pieces

and transmit those pieces through multiple secure paths in stead of one such that the key

can be recovered if and only if all those secure paths are corrupted [11].











5 ......I..... .. .. .... .. .... ....... ... .... ....... ...... ....



4.5 -



4 ._ ._ - .--. .-- -----------
.j


S3.5 -



0


2.5
O
E I











-. k=4
a 2.5 --' I : : : : . .













k=5
0.5
0 20 40 60 80 100 120 140 160 180 200
Number of indices N1


Figure 2-4. The communication overhead.


Suppose node u needs to negotiate an indirect key with v. Node u may randomly

select a key K,, and construct a new polynomial as


g(x) K,, kx + k2x2 + + k:x (2-34)


Then, Shamir's (s + 1, T) threshold secret sharing scheme [12] can be applied. Specifically,

T shares can be calculated as


g(1),g(2),...,g(T) (2 35)


where T > s + 1.









Next, node u transmits the T shares to node v through multiple secure paths by

following the method proposed in [11]. Suppose u and v have j mismatches in their IDs,

which means there are j disjoint secure paths between them. Then node u may transmit

T/j shares along each secure path to node v. Once node v gets s + 1 out of T shares, it

can recover the polynomial g(x) and get the key K,, by Lagrange interpolation.

The value T should be chosen properly such that the polynomial g(x) cannot be

recovered even if j 1 out of j secure paths are corrupted. Thus T should satisfy


(236)
T T/j < s + 1


A( + 1)
s + i < T < (2-37)
j- 1

By following the procedure, the key K,, may be exposed only if all j secure paths are

corrupted. Hence the probability of the key exposal is reduced to


S Pi ( (1 p)- ) (2-38)

The tradeoff here is the increase of communication overhead. However, we can choose

the number of secure pathes here to achieve a certain level of security while maintaining

an acceptable communication overhead.

2.6 Key Establishment in Wireless Sensor Networks

2.6.1 Random Key Material Distribution

The key agreement models described in this chapter can guarantee that every pair

of nodes in a network of N nodes has a unique shared key, but the cost is that each node

needs to store N 1 keys. It is impractical for WSNs due to the memory constraints of

sensor nodes and the possible large scale of sensor networks. Instead, most recent research

papers in this field loose the security requirement and follow a partial pre-distribution

approach, where key materials are pre-distributed such that some sensor nodes can









establish shared keys directly and they can help to establish indirect shared keys between

other sensor nodes.

A typical scheme is the random key pre-distribution (called RKP hereafter) [13], in

which each node is pre-loaded with a subset of keys, called key ring, randomly selected

from a global pool of keys such that any pair of neighboring nodes can share at least one

key with a certain probability. After deployment, two neighboring nodes can have a shared

key directly or negotiate an indirect key through a secure path, along which every pair of

neighboring nodes has a direct shared key.

The theoretic base of RKP is random graph [14]. A random graph G(n,p) is a graph

of n nodes for which the probability that a link exists between two nodes is p. The graph

does not have any edge if p = 0 or is fully connected if p = 1. There is a transition from

non-connect to fully-connect when p increases. RKP exploits this property by setting p

larger than a certain value such that the network is almost connected. Here the size of

global key pool and the size of key ring for individual node can be tuned to achieve such a

property.

A 1i i' ri" concern of RKP is node compromise. The random selection of key

ring for each node means the reuse of each key by multiple nodes. An attacker may

compromise a node and expose its key ring, out of which some keys may be used by

other non-compromised nodes. This leads to the failures of the links between those

non-compromised nodes.

To mitigate the impact of node compromise, several following schemes are proposed.

q-composite RKP [15] follows RKP except that any pair of neighboring nodes are

required to share at lest q keys with a certain probability. q-composite RKP can improve

the resilience to node compromise when the number of compromised nodes is small.

Unfortunately, it is not effective when the number is large.

Another problem of RKP is the lack of authentication because of the reuse of the

same key by multiple nodes. To solve the problem, node identity information is used to









derive key rings for sensor nodes [16]. A similar approach is taken in the random-pairwise

key (RPK) [15] scheme, where each node keeps a set of keys, each of which is uniquely

shared with another node. Du et al. developed the multiple-space key pre-distribution

(\!SIS\P) scheme in [17], where the global key pool in [13] is replaced by a pool of

Blom's matrices [7]. Liu and Ning [18, 19] presented the polynomial pool-based key

pre-distribution (PPKP) scheme, which is basically the same as MSKP, but each Blom's

matrix is replaced by a polynomial [8]. In those schemes, each key is tied to the identities

of the nodes sharing it. In this way, the identity of a node can be verified through the

normal challenge-response approach by other nodes that share the unique key with it.

Particularly, a verifier node can send an encrypted random number, called a challenge, to

the suspect node, and the suspect node can prove its identity by returning the decrypted

result to the verifier node.

RKP requires the storage of a key ring by each node to make the network almost

connected. In some cases where sensor nodes do not have enough memory resource,

this becomes a problem. Hwang and Kim [20] revisited RKP and its follow-up schemes

and proposed to reduce the amount of key material that each node keeps while still

maintaining a certain probability of sharing a key between two nodes. The probability

can assure that there is a largest component of the network connecting most nodes. The

trade-off is that some small sets of nodes may be isolated because they do not share keys

with the largest component.

2.6.2 Deterministic Key Material Distribution

The probabilistic nature of the random distribution of key material cannot guarantee

that two neighboring nodes establish a shared key according to the underlying random

graph theory. This is not desirable because some sensor nodes may not be able to establish

shared keys with their neighbors and thus are isolated. In order to solve the problem, two

deterministic approaches have been developed.









One approach is to use a strongly regular graph or a complete graph to replace the

random graph to do key pre-distribution [21-23]. In a (n, r, A, p) strongly regular graph,

there are n nodes, each of which has a degree of r and any pair of which has A common

neighbors when they are .,l1i i:ent and p common neighbors when they are n1.. Ii i.:ent.

In the strongly regular graph, every pair of nodes is connected through a path. Each link

(edge) can be assigned with a unique key which is preloaded into the two end vertices

(nodes). Besides the regular graph, the block design in set theory can be used in key

predistribution, in which all the nodes form a complete graph at the network 1 ,-r. The

tool is the balanced incomplete block design (BIBD). A (v, r, A)-BIBD is an arrangement

of v objects into many blocks such that each block contains r distinct objects and every

pair of objects occurs in exactly A blocks. For example, when an (n2 + n+1, n+ 1, 1)-BIBD

is applied in a WSN, each sensor node is preloaded with n + 1 keys, which form a block

out of a pool of n2 + n + 1 keys, and every pair of nodes have one common key. In [24], the

BIBD design is combined with the polynomial model [8] in the sense that each sensor node

is preloaded with polynomials. Their scheme enables authentication in addition to those

properties provided by the original BIBD design.

The other approach is to use a multi-dimension grid to replace the random graph,

which is followed by our model [9, 10]. Particularly, each sensor node is assigned an ID

(ni, n2, ... nk) such that all the nodes form a k-dimension grid. Each node is preloaded
with some key material such that it can establish direct shared keys with other nodes

along the same dimension and negotiate indirect keys with other nodes in different

dimensions. There are also several similar work following the grid approach. PIKE [25]

simply assigns a unique key for each pair of nodes along each dimension. Hypercube

[18, 19] is the same as PIKE except that it uses bivariate polynomials instead of keys to

achieve key agreement between nodes along each dimension. Delgosha and Fekri [26, 27]

follow Hypercube [18, 19] but use multiple multivariate polynomials to establish multiple

common keys between each pair of nodes along each dimension.









In those deterministic schemes, a node can find whether it has a direct shared key

with another node based on the identity of that node. This can provide an authentication

service in that the identity of a node can be challenged based on its keys that are related

to its identity.

2.6.3 Comparisons With Related Work

Centralized schemes, such as SPINS [6], need a trusted server to facilitate key

agreement between any two nodes. The trusted server can be a potential failure point.

Distributed methods are more secure due to the elimination of the failure point.

Distributed models such as pairwise key, matrix [7] and polynomial [8] lack scalability

because of their large memory cost of N 1 in a network of N nodes and thus only

suitable in small networks.

Probabilistic schemes [13, 15-19] can provide a certain level of scalability with the

tradeoff that they can not guarantee that every pair of nodes establish a shared key.

Though the memory cost of those schemes is less than standard distributed models

including pairwise key, matrix [7] and polynomial [8], the memory cost still increases

linearly with respect to the total number of nodes if they need to achieve a certain level of

security or communication efficiency [25] and thus is at the order of 0(N). Key reuse is of

fatal under the node compromise attack. Moreover, those schemes are targeted at the key

establishment between neighboring nodes, while our model can achieve the end-to-end key

agreement.

Graph-based design [21-23] can ensure key sharing directly or indirectly between any

pair of nodes. In their schemes, however, each key is also reused by many sensor nodes as

in the probabilistic schemes. This leads to poor resilience to node compromise in that one

compromised node can expose keys belongs to other non-compromised nodes. In addition,

the memory cost of their schemes is roughly O(/N) where N is the total number of

nodes, while the memory cost of our scheme can be O(-N), which is more scalable.









In other grid-based designs [19, 25-27], the memory cost is at the level of k(-N 1)

where N is the total number of nodes. In comparison, our model has the memory cost of

SN A+ )! + 1 and can achieve more memory efficiency when k increases.

Another merit of our model is that the communication overhead tends to be a

constant (oc L, where L is the average path length between a pair of nodes that have only

one mismatch in their IDs) when the network size is larger than a certain threshold (refer

to Fig. 2-4). This means our scheme can provide a good scalability. On the other hand,

the communication overhead can be reduced if we could reduce the value of L. We will

show in C'i !pters 3 and 4 that in static networks (such as sensor networks) deployment

information can be used to reduce the value of L and thus reduce the communication

overhead.

2.7 Conclusion

In this chapter, we discussed several traditional distributed key agreement models

and pointed out that they are not suitable for large networks because of their memory

cost of order N 1 in a network of N nodes. We proposed a novel key agreement model

based on a multivariate symmetric polynomial [9, 10]. Our model is scalable for large

networks with small memory cost per node. We show that our model has only O(-KN)

memory cost per node, where k > 1. The dimension of the ID space k is a parameter we

can control to achieve the trade-off between overhead per node and security performance.

Our model is also deterministic in the sense that any pair of nodes can compute a shared

key independently or negotiate one through k 1 agent nodes (k > 1).









CHAPTER 3
KEY ESTABLISHMENT USING DEPLOYMENT KNOWLEDGE IN WIRELESS
SENSOR NETWORKS

3.1 Introduction

The significant advances of hardware manufacturing technology and efficient software

algorithms make a network of a large number of small and low-cost sensors through

wireless communications, i.e., wireless sensor networks (WSN) [28-30], a promising

network infrastructure for many applications, such as environmental monitoring, medical

< iii.J home appliance managements. This is particularly true for battlefield surveillance

and homeland security scenarios, because WSNs are easy to deploy and self-configured

for those applications. In many hostile tactical scenarios and important commercial

applications, however, security mechanisms are necessary to protect WSNs from malicious

attacks, and thus the security in WSNs becomes an important and a challenging design

task.

3.1.1 Sensor Network Model

A WSN is a large network of resource-constrained sensor nodes with multiple preset

functions such as sensing and processing to fulfill different application objectives [28-30].

Usually, sensor nodes are deploy, 1. in a designated area by an authority such as

government or military unit, and then automatically form a network through wireless

communications. Sensor nodes are static most time, while mobile nodes can also be

deploi-, 1 according to application requirements. One or several base stations (BS) are

deploy, 1 together with the network. A BS can be either static or mobile. Sensor nodes

keep monitoring the network area after being deploy, 1 Once an event of interest occurs,

one of the surrounding sensor nodes may detect it, generate a report and transmit the

report to a BS through multihop wireless links. Collaboration can be carried out if

multiple surrounding nodes detect the same event. In this case, one of them generates a

final report after collaborating with the other nodes. The BS may process the report and

then forward it through either high quality wireless or wired links to the external world













Sensor Nodes


O Event
0 0
Base Station -
0 0 0
S
S\ Wireless Link
0 \\ 0
o o


SBase Station

External Network
High Quality Link



Figure 3-1. A wireless sensor network.


for further processing. The WSN authority may send commands or queries to a BS, which

spreads those commands or queries into the network. Hence BSs act as gate --,v between

the WSN and the external world. An example is illustrated in Fig. 3-1.

Since a WSN consists of a large number of sensor nodes, each sensor node is usually

limited in its resource due to the cost consideration in manufacturing. For example,

MICA2 MPR400CB [31], which is the most popular sensor node platform, has only 128

KB program memory and an 8-bit ATmegal28L CPU [32]. Its data rate is 38.4 KBaud in

500 ft, and it is powered by only 2 AA batteries. The constrained resource cannot support

complicated applications. On the other hand, BSs are usually well-designed and have more

resource since they are directly attached to the external world.

3.1.2 Security Challenges

Though key management problem has been investigated thoroughly in conventional

wired networks such as the Internet and wireless networks such as cellular networks,

wireless local area networks (WLAN) or ad hoc networks, the existing solutions can hardly









be transplanted into WSNs due to their unique characteristics, which make them very

vulnerable to malicious attacks in hostile environments such as military battlegrounds:

1. In wired networks, the key materials transmitted over shielded wired lines during the
negotiation phase between the source and sink are more difficult to intercept. But
wireless channel is open to eavesdroppers. With a radio interface configured at the
same frequency band, everyone can monitor or participate in communications. This
provides a convenient way for attackers to capture key materials transmitted over
the air to expose corresponding keys. In addition, attackers can also intercept the
encrypted ciphertexts so that they can analyze the eavesdropped packets to get some
key information whereby to derive keys between sensor nodes.

2. In cellular networks and WLANs, the communication pattern is one-hop between
the base station or the access point and the mobile node, but in WSNs, all the nodes
are involved into multi-hop communications. Most centralized secure protocols can
not be directly applied in distributed WSNs. Though ad hoc networks bear more
similarities with WSNs, the nodes in ad hoc networks are more powerful than those
in WSNs, thus being able to support more secure, more complex protocols.

3. Moreover, wireless channel is very dynamic. Key establishment protocols may endure
frequent interruptions when channel condition varies. Though link li.-r protocols
can have some error control mechanisms, the cost of establishing keys is inevitable
increased.

4. Like in the Internet, most protocols for WSNs do not include potential security
considerations at their design stage. Due to the standard activity, most protocols are
publicly known. Therefore, attackers can easily launch attacks by exploiting security
holes in those protocols.

5. The constrained resource makes it very difficult to implement strong security
algorithms on a sensor platform due to their complexity. Most time symmetric
key cryptography is the first choice to design a security protocol for WSNs,
though public key cryptography is possible under careful optimization in design
and implementation.

6. A WSN may scale up to thousands of sensor nodes. Moreover, during the lifetime of
the WSN, some nodes may run out of power, and some new nodes may be inserted to
increase the network processing capability. Therefore, the number of nodes can vary
from time to time. This node dynamics poses the demand for simple, flexible and
scalable security protocols. However, to design such security protocols is not an easy
task. A stronger security protocol costs more resource on sensor nodes, which can
lead to the performance degradation of applications. In most cases, a trade-off has to
be made between security and performance. However, weak security protocols may be
easily broken by attackers.









7. A WSN is usually deplo-, .1 in hostile areas without any fixed infrastructure. It is
difficult to perform continuous surveillance after network deployment. Therefore, it
may face various attacks.

3.1.3 Attacks

There are various attacks against WSNs, which can be classified from different points

of view.

3.1.3.1 Attack techniques

Attackers can disrupt a WSN by utilizing various techniques [33]. Since most

communication protocols are publicly known, attackers can eavesdrop the packets

transmitted over the air for further crypi i, ,! i--i or traffic wi_, .i,-i- The eavesdropped

packets can be re 1l li-, II at a later time or at another place to incur inconsistency. False

packets can be injected into the network to confuse sensor nodes. Malicious nodes can also

modify received packets before forwarding them.

Node compromise is one of the most detrimental attacks to WSNs [33]. Since WSNs

are usually deploi-, .1 in a hostile environment without continuous monitoring, an attacker

can capture a sensor node and use proper devices to dig into sensor hardware and find

key material. Due to cost constraints, it is also unrealistic and uneconomical to employ

tamper-resistant hardware to secure the cryptographic material in each individual node.

Even if tamper resistant devices are available, they are still not able to guarantee perfect

security of secret material [34]. It means that the node compromise attack is unavoidable

in WSNs. The exposed key material renders the attacker more capabilities to launch other

severe attacks, such as deriving the keys used by other non-compromised nodes. What we

can do with node compromise is to reduce the impact on other normal nodes as much as

possible. When a certain number of nodes are compromised, for instance, the probability

that a key used by other normal nodes is exposed should be as small as possible.

Sometimes attackers are not interested in data content in the network. They may

simply introduce radio jamming interference into the same radio bands to disrupt

communications between nodes [35], leading to the denial of service (DoS) attack.









If an attacker has infinite power supply, he can keep jamming the wireless channel

continuously whereby to stop normal communications. Otherwise, the attacker can

introduce intermittent jamming interference to deteriorate channel condition and cause

packet loss. If communication protocols are known by the attacker, the intermittent

jamming can be more efficient because the attacker knows which part of one packet is of

high value for the jamming attack.

3.1.3.2 Passive vs. active

According to operation mode, attacks can be passive or active. In a passive attack,

the attacker's goal is to get some information without being detected. Usually, the

attacker just keeps quiet to eavesdrop traffic. If he knows the communication protocols,

he can follow those protocols like normal sensor nodes. By passively participating in the

network, the attacker collects a large volume of traffic data and carries out analysis on

them such that some secret information can be extracted. Those exposed secrets can be

used for various purposes. Usually, the passive attack is very difficult to detect, since the

attacker does not leave too much evidence.

In an active attack, the attacker exploits the security holes in the network protocol

stack to launch various attacks such as packet modification, injection or replaying. The

impact of active attacks is more severe than passive attacks. However, more anomalies can

be the evidence of malicious attacks, because the attacker is actively involved in network

communications.

3.1.3.3 External vs. internal

Usually, a WSN is deploy, '1 and managed by one authority. All the nodes in the

network can be seen as honest and cooperative entities, while attackers are precluded from

the network and have no right to access the network. Those external attackers can launch

attacks only from the outside scope of network. The impact of attack is limited.

If an attacker can get the authorization to access the network, he becomes an internal

attacker. In this case, the attacker can cause more severe damage because he is seen as









a legitimate entity. Usually, an attacker can become an internal one by compromising

a legitimate node, or by deploying malicious nodes which can pass the network access

control mechanism.

WSNs are usually deploy, 1 in hostile environments, such as battle fields or disaster

locations, where fixed infrastructures are not available. After deployment, it is infeasible

to provide constant surveillance and protection on a WSN. Therefore node compromise is

easy to launch by attackers.

A compromised node can be used as a platform to launch other tricky attacks. The

adversary can let the compromised node impersonate another normal node to establish

secure communications with other normal nodes. Therefore, node authentication should be

considered during the key establishment procedure. If the compromised node is involved as

a router between a pair of source and sink nodes, the key negotiation procedure may fail

just because the compromised node intentionally drops some packets for the negotiation

between the source and sink.

3.1.4 Security Requirements

The harsh environments and the existence of threats demand more careful security

considerations in the design of WSN protocols. Typically, one or more of the following

security services should be provided:

1. Confidentiality is a basic security service to keep the secrecy of important data
transmitted between sensor nodes. Usually, critical parts of a packet is encrypted
before the packet is transmitted from the source node and then decrypted at the
sink node. Without the corresponding decryption keys, attackers are prevented from
accessing those critical information. What kind of information needs to be encrypted
depends on applications. In some cases only data part of a packet is encrypted, and
in the other cases the packet header is also encrypted to protect node identities.

2. Authenticity is critical to provide the assurance of the identities of communicating
nodes. Every node should check whether a received message comes from a real
sender. Without authentication, attackers may easily spoof node identities to spread
false information into the WSN. Usually, an attached message authentication code
(\!AC) can be used to authenticate the origin of a message.









3. Integrity should be provided to guarantee that the transmitted messages are
not modified by attackers. Attackers may introduce interference to some bits of
transmitted packets to change their polarities. A malicious routing node may also
change important data in packets before forwarding them. Like cyclic redundancy
checksum (CRC) can be used to detect random errors during packet transmissions, a
keyed checksum, such as MAC, can protect packets against modification.

4. Availability indicates another important capability of a WSN to provide services
whenever they are needed. However, attackers may launch attacks to degrade the
network performance or even destroy the entire network. Denial of Service (DoS)
attacks [35] are the most detrimental threat to the network availability, where
adversaries cause the network loss of ability to provide services by sending radio
interference, disrupting network protocols or depleting nodes' power through some
tricky methods.

3.2 Uniform Key Material Distribution

As is shown in C'! lpter 1 and C'! lpter 2, key establishment is the first step to set up

a secure infrastructure for WSNs. We also shew that the distributed key agreement models

such as pairwise key, matrix [7] and polynomial [8] described in C'! plter 2 can guarantee

that every pair of nodes in a network of N nodes has a unique shared key, but the cost is

that each node needs to store N 1 keys. It is impractical for WSNs due to the memory

constraints of sensor nodes and the possible large scale of sensor networks. Instead, most

recent research papers [13, 15-19] in this field loose the security requirement and follow a

partial pre-distribution approach, where key materials are pre-distributed such that some

sensor nodes can establish shared keys directly and they can help to establish indirect

shared keys between other sensor nodes.

The partial pre-distribution can reduce the memory cost for each node. The

less pre-distributed key material, however, also implies a smaller probability that

two neighboring nodes can establish a direct shared key, thus leading to lower secure

connectivity, which is the probability that two neighboring nodes establish a direct shared

key. The result of low secure connectivity is that two neighboring nodes have higher

probability of negotiating an indirect key through a multihop path, which means higher

communication overhead.









The reason behind this contradiction is that previous schemes [13, 15-19] assume that

all the key materials are uniformly pre-distributed in the entire network. Therefore, two

nodes with correlated key material may not be in the neighborhood of each other.

We observe that in many practical scenarios certain deployment knowledge may be

known a priori. Hence, the problem not well addressed is that which deployment model we

should adopt to obtain as much gain as possible. Existing schemes either assume a simple

square cell deployment model [36-38] or use group-based pre-distribution [39-44].

In this chapter, we study how to leverage deployment knowledge to facilitate key

establishment in WSNs. We make the following contributions. First, we propose new

hexagon [45] and triangle [46] cell based deployment models and demonstrate that

they are much better choices than a square cell deployment model for facilitating key

establishment. Second, we propose a novel edge-based secret pre-distribution model to

reduce the memory costs of sensor nodes. Last, we use extensive analytical results and

simulation study to show that the proposed schemes can provide perfect resilience to node

capture attacks, high secure connectivity, and high energy efficiency with much smaller

memory costs.

3.3 A Square Cell Deployment Model

The schemes in [36-38] use square cells to model node deployment. The entire

network is divided into many non-overlapping square cells, each of which is centered at a

predefined deployment point. In each square cell a group of nodes is deploy, l1 Based on

the square cell model, different secret pre-distribution models and key agreement models

can be applied. In particular, the location-based key pre-distribution (LBKP) scheme [36]

can achieve better performance due to its polynomial-based resistance to node compromise

attacks and high secure connectivity. In LBKP each deployment point is associated with a

unique t-degree bivariate polynomial, and all nodes destined to the same deployment point

are preloaded with a partial information of the corresponding polynomial. To guarantee

a certain secure connectivity, each polynomial is also assigned to the horizontal and the











-G23
032 G33-G34
043 *



Figure 3-2. A square cell deployment model.


vertical neighboring cells. For example, in Fig. 3-2, the polynomial of cell C33 is also

assigned to cells C32, C34, C23, and C43. The polynomials of other cells are assigned in the

same way. As a result, a node in C33 has some common polynomial information with other

nodes in the shadow areas. We refer readers to [36] for more technical details.

3.4 New Deployment and Secret Pre-Distribution Models

Compared with the uniform deployment model in [13, 15-19], the square cell model

in LBKP [36] is able to localize the impact of node compromise attacks in that each set

of secrets is pre-distributed on a cell-scale instead of a network-scale. Even when some

nodes are compromised and their preloaded secrets are revealed to attackers, it would

only gracefully degrade the security of the home cell or .,ili ient cells of compromised

nodes, so the square cell model outperforms the uniform deployment model in terms of

security. However, can we do better? To answer this question, below we first analyze the

security of t-degree bivariate polynomials, then we propose a hexagon cell model and an

edge-based secret pre-distribution model. Last, we present a triangle cell model featuring

higher security and lower memory cost.

3.4.1 Security of LBKP

LBKP [36] is based on the polynomial model [8], in which a t-degree bivariate

symmetric polynomial is t-secure, meaning that adversaries have to compromise no less

than t + 1 nodes holding shares of a same polynomial to reconstruct it. Consider node

compromise attacks. If t + 1 out of x compromised nodes share a common t-degree

bivariate polynomial, the polynomial itself can be compromised and thus the directly









shared keys between non-compromised nodes using the same polynomial can be exposed.

Let N, denote the number of nodes sharing a t-degree bivariate polynomial and N be the

number of nodes in the attacked area. Given x compromised nodes, the probability that i

out of Ns nodes are compromised is

(N,\ (N-N.,i
Pcl= i (3)1)

and thus the probability that the polynomial is compromised is given by
N,
Pc= Pci). (3-2)
i=t+l

Suppose each node has a memory size of M units for cryptographic materials and each

memory unit can accommodate a cryptographic key or a polynomial coefficient. Provided

that each node needs to store N, t-degree bivariate polynomial shares, the maximum

allowed polynomial degree is

tM = L w -1 (3-3)
Np

Then the probability of exposing a polynomial can be rewritten as

N.
Pc= Pc (i) (3-4)



3.4.2 A Hexagon Cell Model

If the attacked area is fixed, we have two controllable parameters, i.e., N, and Np,

which can be adjusted to achieve different security performance. Intuitively, if we could

decrease the values) of Ns and/or Np, the probability Pc of polynomial exposure would

be reduced as well. How can we utilize deployment models to adjust the parameters?

Motivated by the hexagon cell used in cellular networks, we propose the following hexagon

cell deployment model [45] for key establishment in sensor networks.

Here we design a deployment model such that each deployment point is enclosed in a

hexagon cell, as shown in Fig. 3-3. Each deployment point, or hexagon cell, is associated
















(a) Hex-v (b) Hex-e


Figure 3-3. A hexagon cell model.


with a unique t-degree bivariate polynomial and all nodes destined to the deployment

point are preloaded with shares of the polynomial. All nodes destined to a cell are usually

deploy, -1 as a group and are supposed to reside at the deployment point of their home cell.

Due to deployment errors and randomness, however, the real resident point of each node

may follow some probability distribution function(PDF), such as Gaussian distribution or

Uniform distribution, in an area, which may be a circle or a square, around its deployment

point.

In addition, the polynomial of each cell is also assigned to 3 out of its 6 neighboring

cells intermittently. For example, in Fig. 3-3(a), the polynomial associated with cell Co is

also assigned to cells C1, C3, and C5. Hence, each polynomial is used in 4 cells. A node

in Co has some common polynomial information with other nodes in the shadow areas.

Assume that both areas of a hexagon cell and a square cell are (approximately) equal to a

and node density p remains unchanged. By using the hexagon grid model, the number N,

of nodes sharing one polynomial is reduced from 5pa to 4pa as compared to LBKP [36].

Another benefit is that the number Np of polynomial shares each node needs to store is

reduced from 5 to 4 at the same time. It means that we can decrease the probability of

polynomial exposure, leading to the favorable security improvement. We will discuss more

about this issue in Section 3.6.

3.4.3 Edge-Based Secret Pre-Distribution

When designing a cell-based PKE (pairwise key establishment) scheme, we are often

concerned with two indices, namely, intra-cell connectivity and inter-cell connectivity. As









the names -i-..-. -1 the former indicates the secure connectivity inside a cell, while the

latter means the secure connectivity between .,.i i'.ent cells. Schemes [37, 38] use random

secret pre-distribution [13, 17] in each cell to achieve a certain intra-cell connectivity. To

attain a certain inter-cell connectivity, [37] lets the key subsets of two neighboring cells

have a intersection, and [38] uses random-pairwise secret pre-distribution scheme [15]

between two neighboring cells. However, the inter-cell connectivity of both schemes is still

unsatisfactory. By contrast, LBKP [36] assigns each cell a unique polynomial and thus can

guarantee a high intra-cell connectivity. It also assigns a polynomial of one cell to its four

neighboring cells so as to achieve a certain inter-cell connectivity. The similar polynomial

pre-distribution model is used as well for our proposed hexagon cell model.

Let us depict a deployment model using a graph G(D, 8), where the vertex set D

consists of all deployment points, and the edge set S comprises .,i.i i.ent deployment

points. Previous schemes [36-38] and our proposed hexagon grid approach give more

emphasis to the intra-cell connectivity and leave the inter-cell connectivity in the

secondary place. That is because they all use a vertex-based secret pre-distribution

model in which a unique key subset or polynomial is associated with each deployment

point.

In this chapter, we also switch to another strategy by putting more efforts on

guaranteeing a high inter-cell connectivity. Particularly, we propose a new edge-based

secret pre-distribution model, in which a unique t-degree bivariate polynomial is

affiliated with each edge in S and assigned to two end deployment points of that edge.

For example, in Fig. 3-3(b), each double headed arrow means the cells connected by

the arrow are assigned with a same unique t-degree bivariate polynomial. For ease of

presentation, hereafter we denote by HEX-V the hexagon grid model with vertex-based

secret pre-distribution and by HEX-E with edge-based secret pre-distribution. We will see

in Section 3.6.3 that HEX-E can guarantee high intra-cell and inter-cell connectivity at the

same time.









By using HEX-E, the number of nodes sharing one polynomial is further reduced to

2pa, which is the least bound of N, that is necessary for both inter-cell connectivity and

intra-cell connectivity. As will be explained later, the security of a cell-based PKE scheme

is mainly related to Ns x Np. Though Np is increased to 6 with HEX-E, the overall security

will still be improved because of the relatively larger decrease of Ns (cf. Section 3.6).

3.4.4 A Triangle Cell Model

As discussed previously, given a memory constraint of M units, if we could decrease

the value of Np, the maximum allowed polynomial degree would be increased, which

implies higher security. We have shown that HEX-E would increase Np from 4 to 6 as

compared to HEX-V. Although the overall security is still improved, it is still worthy to

investigate whether we can as well reduce Np by using edge-based secret pre-distribution.

It is interesting to notice that edge-based secret pre-distribution requires each node

to keep Np bivariate polynomial shares, each corresponding to a neighboring cell. This

observation motivates us to find a cell-based deployment model for which each cell has as

small number of neighboring cells as possible. An intuitive solution is to use a triangle cell

model [46], which has least number of neighbors for each cell.

In the triangle cell model, each deployment point is enclosed in a triangle cell, as

shown in Fig. 3-4. When using edge-based secret pre-distribution, each pair of neighboring

deployment points are assigned a unique pairwise t-degree bivariate polynomial. As

before, sensor nodes are deploy, ,1 in groups and the group of nodes destined to the same

deployment point are preloaded with shares of the corresponding polynomials. We will

denote our new scheme by TRI-E hereafter. In TRI-E, each node is preloaded with 3

polynomial shares, which is the least bound of Np. Then each node in Co might be able to

establish pairwise keys with nodes in the shadow area in Fig. 3-4.

It is worth pointing out that in TRI-E we only consider 3 neighboring cells CI/C2/C3

that have common boundaries with Co because these cells usually have more connections

with Co. We can distribute more polynomials to make Co be directly connected to more
















Figure 3-4. A triangle grid model.


neighboring cells. However, it would result in the notable increase of memory cost and

the sharp degradation of security due to the increase of N,, both of which are undesirable

in security-sensitive sensor networks. Moreover, we will show in Section 3.6.3 that TRI-E

may still achieve high network connectivity with focus on only 3 neighboring cells.

3.5 Cell-based Pairwise Key Establishment

In this section, we present a general cell-based pairwise key establishment protocol, in

which any of the aforementioned grid models can be applied.

3.5.1 Node Deployment

We assume that every sensor node has a predetermined deployment point where it

is supposed to reside. Each deployment point should be enclosed in a unique cell, either

square or hexagon or triangle. So the entire deployment area is divided into Ux V ."l.i ient

non-overlapping cells C,, for row index u = 1,..., U and column index v = 1,..., V. We

assume that sensor nodes are deploy, ,1 in equally-sized, non-overlapping groups G,,, for

u = 1,..., U and v = 1,..., V. Each group is uniquely associated with a cell and will be

deploiv, 1 around the deployment point of the cell. In addition, every node is preloaded

with the coordinate of the deployment point of its home cell and assigned a unique,

positive, integer-valued ID.

3.5.2 Polynomial distribution

Before deployment, we construct a global polynomial pool F with enough t-degree

bivariate polynomials. Each polynomial has a unique polynomial ID and is assigned

to several groups of nodes according to a specific secret pre-distribution scheme. The

algorithm for polynomial pre-distribution is summarized in Table 3-1.









Table 3-1. The algorithm for polynomial distributing.


Function VertexDistributing(Deployment Model) {
For each G,, {
Assign a f(x, y) to G,,;
Assign the f(x, y) to some neighboring G('
according to the Deployment Model;
Remove the f(x, y) from F;
}
}

Function EdgeDistributing(Deployment model){
For each Guv {
For each neighboring group G' of Gu {
If G' and Gu, do not share a polynomial {
Assign a f(x, y) to G, and GC;
Remove the f(x, y) from F;
}
}
}
}


3.5.3 Pairwise Key Establishment

After deployment, every node broadcasts its node ID and the coordinate of the

deployment point of its home cell. The broadcasted information can be in plaintext

because the adversary would learn nothing about either the polynomial shares associated
with the overheard IDs or the polynomial associated with the overheard coordinates. If

the secrecy of the deployment point is desired, three methods may be used. One is to
broadcast polynomial IDs instead. The second is to use the normal challenge-response

method [5]. The third is to use the Merkle puzzle [47], which is -ii-:.- -I, '1 by [15].

However, these methods would incur too much computation and communication overhead,
which is undesirable in resource-constrained sensor networks.

If two neighboring nodes find that they are destined to the same deployment point or

two neighboring deployment points, they can establish a direct pairwise key by evaluating
their own corresponding polynomial shares with the ID of each other as input. Since









each node ID is unique, the established pairwise key is also unique. This property is

particularly useful for secure communications in that it can provide mutual authentication

through the normal challenge-response method.

It is possible that two neighboring nodes do not have shares of the same polynomial(s)

for instance due to deployment errors. In this case, they can rely on any secure multi-hop

path between them to establish an indirect pairwise key. Suppose there is a path

consisting of nodes n1, 2, ..., ni between nodes a and b. It is called a secure multi-hop

path if and only if each pair of neighboring nodes on the path have established a direct

pairwise key. If so, it would be safe to exchange a pairwise key between a and b along

this path. However, the exchanged key would be exposed to adversaries if any of the

nodes on the path is compromised. To deal with this situation, multi-path routing such as

SPREAD [11] can be applied to exchange a pairwise key between a and b through multiple

node-disjoint or edge-disjoint paths. For the lack of space, the further investigation on this

issue is left to the extension of this paper.

However, as we will show in Section 3.6.3, our schemes have pretty high connectivity

in that every node can establish direct keys with almost all its neighbors, so we do not

need to spend much energy on the establishment of indirect keys.

3.5.4 Node Addition

We may need to add new nodes into the network in some cases and then we

also need to establish pairwise keys for the new nodes. Before deployment, each new

node is preloaded with the polynomial shares of the cell where the new node is to be

deploy, ,1 After deployment, the new node can initiate the aforementioned pairwise key

establishment procedure to establish pairwise keys with its neighbors.

3.5.5 Node Revocation

During the network operation, it is possible that some nodes might be compromised

by the adversary. Hence the memberships of compromised nodes need to be canceled

and their keys need to be revoked. This can be achieved by deleting the corresponding









pairwise keys from other normal nodes. However, when the number of compromised nodes

sharing a polynomial is larger than t, the polynomial itself would be compromised and

other normal nodes using the same polynomial is under the threat of malicious attacks. To

address the problem, we may use the following method. After pairwise key establishment,

each node assigns a counter for each polynomial it uses and initiates the counter to 0. If a

compromised node is detected, other normal nodes sharing the same polynomials simply

increase the counter for each corresponding polynomial by 1 after they delete the related

shared pairwise keys. When any counter exceeds t, the counter and the corresponding

polynomial should be deleted. Our method is much more memory-efficient than the one

used in LBKP [36] that requires each node to keep IDs of those compromised nodes. After

that, some normal nodes may need to re-initiate the pairwise key establishment procedure

to establish new pairwise keys.

As will be discussed later, by using our proposed deployment and edge-based secret

pre-distribution models, our scheme may achieve perfect resilience to node compromise

attacks. We accomplish this by limiting the total number of nodes sharing one polynomial

to no more than the polynomial degree. Therefore, no matter how many nodes adversaries

compromise, they would be unable to reconstruct any polynomial and thus to utilize

the acquired knowledge to launch attacks on non-compromised nodes. By contrast,

conventional schemes like LBKP [36] are lack of this nice feature because of their large

memory costs, which will be detailed in Section 3.6.2.

3.6 Analysis and Evaluation

Here we evaluate the proposed schemes in terms of security, secure connectivity, and

memory costs, which are widely used in performance evaluation by previous schemes.

3.6.1 Security

An attacker may launch a node compromise attack to reconstruct a t-degree bivariate

polynomial so as to compromise the links between non-compromised nodes using the same

polynomial. We compare the security our schemes with LBKP [36] and E-G (short for









Eschenauer and Gligor) [13] with regard to the link compromise probability that a link is

compromised. Because every link is secured by a t-degree bivariate polynomial, we may

use the probability of polynomial exposal (Equation (3-4) in Section 3.4.1) to evaluate the

link compromise probability.

There are two scales of node compromise attacks in our considerations. In the local

node compromise attack, the adversary tries to compromise nodes in a particular area.

Due to the threshold-based security of polynomials, the attacker must compromise enough

nodes to recover a polynomial. As is shown in Section 3.4, using hexagon and triangle

cells and the edge-based pre-distribution method, our schemes reduce the number of nodes

sharing a polynomial. Hence, our schemes are more resilient compared with LBKP in the

local node compromise attack. Besides, the exposure of one polynomial has no impact on

others areas because each polynomial is used in a small area.

In the random node compromise attack, the attacker randomly select nodes as the

objects of attack. In this random attack, the link compromise probability of E-G may be

calculated as[15, 37]

P 1- 1 t- (3-5)

where each node randomly selects a key subset of size m from a global key set of size M

and the number of compromised nodes is x.

Suppose node deployment density is p = 0.0025 nodes/m2, the network size is

2000m x 2000m, the total number of nodes is \Ji = 10000, and the node transmission

range is 50m. For E-G, the size of the global key pool is set to 100000, while for our

schemes and LBKP, the inter-cell distance, which is the distance between the centers of

neighboring cells, is set to 100m.

Fig. 3-5 and Fig. 3-6 depict their respective link compromise probability versus the

fraction of compromised nodes for different numbers (M) of memory units allocated for

storing pre-distributed secrets. From Fig. 3-5 and Fig. 3-6, we can clearly see that E-G

scheme has the worst security performance in almost all scenarios. Every time adversaries





















2 0.8-

E
E 0.6
_j.

0.4


0.2-



0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1
Fraction of compromised nodes

Figure 3-5. M = 120.


compromise one more node, they would increase their chances of compromising more links

between non-compromise nodes. If M is increased, -v from 120 to 240, the security of

E-G would degrade more dramatically with the increase of compromised nodes. This is

because adversaries would get more information of the global key pool after compromising

a node. It is of no surprise that LBKP have better security performance than E-G because

of its (t + 1)-compromise resistant property. We can also observe that our schemes

outperform both E-G and LBKP. For example, when M is equal to 240, LBKP can only

tolerate the compromise of :I,'. nodes, while all our schemes can tolerate the compromise

of over 50'. nodes. In addition, TRI-E scheme exhibits the best security performance of

having perfect resilience to node compromise attacks when M is equal to 240.





















.0.8

E
E 0.6


0.4


0.2






Figure 3-6. M = 240.


3.6.2 Memory Cost

The different security performance of LBKP and our schemes result from the fact

that different schemes require each node to store different number of polynomial shares.

A share of a t-degree bivariate polynomial is a t-degree univariate polynomial with t + 1

coefficients. The Column A of Table 3-2 gives the memory cost of those schemes.

Intuitively, we could get perfect resilience to node compromise attacks by limiting the

number of nodes sharing one polynomial to be less than (t + 1). However, to achieve this,

different schemes may incur different memory costs. Let p still be the node deployment

density and D be the inter-cell distance in meters. We calculated the different memory

costs of LBKP and our schemes for achieving perfect resilience to node compromise

attacks, which are given in the Column B of Table 3-2. We can easily find the following









Table 3-2. Memory cost.


scheme A B
LBKP 5(t + 1) 5(5pD2 + 1)
HEX-V 4(t + 1) 4(2v3pD2 + 1)
HEX-E 6(t + 1) 6(v3pD2 + 1)
TRI-E 3(t + 1) 3( pD2 + )


relationship that

LBKP > HEX-V > HEX-E > TRI-E.

Given the same memory constraint M, our schemes have better security performance

because of the much less memory requirements which imply larger polynomial degrees

and thus higher security. Among our schemes, TRI-E has the best security performance

because of its smallest memory cost, which renders it the most attractive candidate for

sensor networks where the memory of each node is very tight.

3.6.3 Connectivity

If two neighboring nodes can establish a pairwise key, they are able to communicate

in a secure manner. However, not every pair of neighboring nodes could establish a

pairwise key directly. That is because deployment errors may render a node unlucky

to find no neighboring node that shares the same polynomial with it. Let us define

connectivity as the probability that any pair of neighboring nodes can establish a direct

pairwise key after deployment. In resource-constrained sensor networks, high connectivity

is preferred because it means that each node does not need to spend too much scarce

energy in establishing indirect pairwise keys through multi-hop routing.

Suppose node n1" E G,, resides at (x, y). Let A(n''"', n1v) be the event that node

'L"v' E Gu,C is a neighbor of n"", B(nu'"' nu") be the event that node nYr"' is a secure

neighbor of n"", and C(nJ'v', n"") be the event that node n'j"' is in the same group as n"

or one of the neighboring groups of n"u. By secure neighbors, we mean those neighboring

nodes of one given node, -i n"", that can establish direct keys with it. The probability









that n1"' C G ,, is a neighbor of node n" is the integral of the PDF p""' (x, y) over the

circle around node n"", i.e.,


P(A(n ', n//")) puv (x, y) dxdy ,

where R is the node transmission range which is the same for all the sensor nodes,

In "' n denotes the distance between nodes nj"' and n"", and p"' '(x, y) is the

distribution of the resident point of the nodes in Gu,,. If we assume a general distribution

p(x, y) of node resident points, then the distribution p" (x, y) for a particular group G.u

can be p(x x,, y yv), where (xu, yv) is the coordinate of the deployment point of G,,.

Let TU 'v be the experiment:


T 1 A(nf'', n"u) happens;

0 otherwise.

Then the average number of neighbors of node n"i located at (x, y) is:


N"(uvx, y)= E [Tf''] P(A(n ""', n)),
7 3

where E[T2u"'] indicates the expectation of TulV'.

We can calculate the average number of secure neighbors of node n"u located at (x, y)

in the similar way, i.e.,


I /(x, y ) P(B(n'v', nUV

P(A(nuj"', n ) C(n )
f U/ / UV

Then the average number of neighbors of one node is


N -= P(n" c Guv) Nuv (x, y)pv (x, y) dxdy
u,v

u Z NUV(x,y)p(x- u,- yv)dxdy,
u'v









and the average number of secure neighbors of one node is:


M = P(nU C G,,) (x, y)p(x, y) dxdy


i L ii'' (x,y)p(x-x1,y-yvdxdy.
uv

Hence, the network connectivity p can be calculated as

M
p -= (36)
N

To evaluate the connectivity, we need the distribution of node resident points. A

reasonable assumption is that the PDF of node resident points follows a two dimensional

Gaussian distribution,
1 -(x2 +Y2)
p(x,y) 2 exp 22 (37)
27jo2 2o

where we assume the corresponding deployment point to be the origin of coordinate

system.

Using the same configuration parameters given in Section 3.6.1, we can calculate

the probability (denoted by pr) that a node resides in its home cell after deployment.

pr is computed by choosing appropriate variance of Gaussian distribution such that the

node would reside in the circle that has the same diameter with its home cell. Fig. 3-7

and Fig. 3-8 plot the connectivity versus the inter-cell distance, which is normalized by

node transmission range, for pr = 0.9 and pr = 0.99, respectively. When the cell size

is small, a node transmission range may not only cover its home cell and neighboring

cells but also cover other non-neighboring cells, which means the node may have many

neighbors with which it can not establish direct pairwise keys. Hence, the connectivity is

small. With the increase of the inter-cell distance, the connectivity of both vertex-based

and edge-based schemes would increase dramatically, because the number of neighbors

with which a node can not establish direct pairwise keys decreases quickly. In particular,

when the inter-cell distance is larger than two times of the node transmission range,









the connectivity of all schemes becomes stable at a very high level, because most of the

neighbors of a node are from its home cell or neighboring cells. It means that every node

can establish direct pairwise keys with almost all its neighbors. However, the cell size

should not be set too large. Otherwise, the number of nodes in one cell would be too large

when the node density is (approximately) constant, leading to the large number of nodes

sharing one polynomial. In this case, to maintain a certain security, the polynomial degree

should be increased, which means more memory cost. Hence, to achieve the tradeoff

between the security and the connectivity, the cell size should be set the value at which

the connectivity achieves the first desirable point.

It is well known that energy consumption is of paramount importance for resource-constrained

sensor networks. It is, therefore, wise to minimize radio transmissions and receptions.

Random distribution schemes [13, 1519] have low connectivity and thus have to rely

on multi-hop and/or multi-path routing to establish indirect keys for maintaining an

acceptable global network connectivity. Although the square-grid-based schemes [37, 38]

may improve the connectivity, they still use random distribution in each cell and thus

can not guarantee a full connectivity between two neighboring cells, thus leading to

unfavorable energy consumption in establishing indirect pairwise keys. By contrast, our

schemes are of high energy efficiency and thus pretty suitable for resource-constrained

sensor networks in that there is almost no need for establishing indirect pairwise keys.

3.7 Conclusion

In this chapter, we investigated different deployment models for their use in pairwise

key establishment for wireless sensor networks. We demonstrated that the hexagon

and the triangle grid deployment models have much better security performance than

the square one used in previous proposals. We also proposed a novel edge-based secret

pre-distribution model which can greatly reduce the memory costs of sensor nodes.

Our proposed pairwise key establishment protocol features perfect resilience to node

compromise attacks with much smaller memory costs. In addition, it can guarantee a

























S0.7 -


O /
0 0.6 -



0.5



0.4
0.4 --- LBKP
-e- HEX-V
H- HEX-E
TRI-E

0.5 1 1.5 2 2.5 3 3.5
Normalized inter-grid distance

Figure 3-7. The probability that each node resides in its own cell is 0.9.


high network connectivity and thus greatly reduce the communication overhead and

transmission energy consumption incurred in establishing indirect pairwise keys through

multi-hop and/or multi-path routing. To summarize, we propose a lightweight, simple, and

secure solution to establish pairwise keys in resource-constrained sensor networks.





















1 i -- W p-- p- --p- -- -- -- -- -- < --3 --




0.9



0.8(



> 0.7 -



0 0.6




0.5



0.4 -x- LBKP
-e- HEX-V
-[- HEX-E
STRI-E
0.3
0.5 1 1.5 2 2.5 3 3.5 4
Normalized inter-grid distance

Figure 3-8. The probability that each node resides in its own cell is 0.99.









CHAPTER 4
SCALABLE KEY ESTABLISHMENT IN WIRELESS SENSOR NETWORKS

4.1 Introduction

We have shown in previous chapters that key management is very critical to security

protocols, because encryption and authentication services are based on the operations

involving keys. One of the fundamental problems of key management is how to set up keys

to protect connections between sensor nodes. Generally, two kinds of connections can be

formed in a network. One is the one-hop connection between a pair of neighboring nodes.

In the network stack, this one-hop connection is managed by the link l1- -r protocol. In

order to secure the link l1-,-r connection, a shared link l1-,-r key (called LLK hereafter)

needs to be established between the neighboring nodes. The other type of connection can

be formed between two nodes over a multihop path. Because the two nodes are out of the

neighborhood of each other, this end-to-end connection is managed by the transport li,-,r

protocol in stead of the link 1,--r protocol. Therefore, a transport 1,i-r key (called TLK

hereafter) needs to be established to provide the end-to-end security.

As is shown in C'! lpter 2, the TLK establishment is not an easy problem. In a

network of N nodes, theoretically, each node can be preloaded with N 1 keys uniquely

shared with other nodes, but the feasibility can be challenged because of the contradictory

requirements between the scarce memory of sensor nodes and the large scale of sensor

networks. Instead, most recent solutions [13, 15-19] relax the security requirement and

target at the establishment of link l1- -r keys (LLK) between any pair of neighboring

nodes. In a large scale sensor network, the number of neighbors of a node is usually a

small constant. Thus it is more feasible to establish an LLK infrastructure whereby to

save memory resource. Based on this LLK infrastructure, two end nodes can perform

secure communications over a multi-hop path with the help of intermediate nodes, and

can negotiate a TLK on demand, if needed, through the secure handshake. The LLK

infrastructure can effectively prevent external attackers from accessing the network, but









cannot counteract internal attackers, such as compromised nodes. Therefore, a TLK

negotiated along a multi-link path can be exposed if any of the intermediate nodes is

compromised. Because the number of hops along a path can be large, the possibility of the

TLK exposure is rather high.

Moreover, the previous LLK schemes [13, 15-19] themselves are also vulnerable to

node compromise. An adversary can use the secrets in compromised nodes to derive the

secrets shared between other non-compromised nodes. Hence some compromised nodes

may cause many failure points in the network and destroy the entire LLK infrastructure.

Another drawback of the previous LLK schemes is that they have a large memory

requirement to maintain a certain level of security or connectivity.
Based on our work in [9], here we introduce a novel scheme key establishment scheme
by combining deployment knowledge. First, we consider a two dimensional grid model,
which leads to LAKE (two-LAyer Key Establishment) [48], for the establishment of both
TLKs and LLKs in sensor networks. Particularly, all sensor nodes are organized into a
two dimensional space, and a tri-variate polynomial is pre-distributed to facilitate the
establishment of TLKs and LLKs in the space. To increase connectivity and reduce
communication overhead, the nodes close to each other are preloaded with correlated
secrets, called shares, derived from the tri-variate polynomials. Second, we extend our
scheme into the multi-dimension case and propose an efficient LLK scheme [49]. The main
contributions are as follows:

1. Our LAKE effectively addresses the TLK establishment problem for sensor networks.
Any two nodes can negotiate a TLK on demand directly or with the help of only
one intermediate node. Though in conventional LLK schemes two nodes can also
negotiate a TLK through a multi-hop path, there are more than one intermediate
node that can learn the TLK. Hence LAKE is much more secure under the node
compromise attack compared with the conventional proposals;

2. Compared with the conventional LLK schemes, our scheme features much less
memory cost;

3. By utilizing location information, our scheme guarantees that two neighboring nodes
can establish a direct LLK with high probability. This provides energy efficiency
compared with the conventional LLK schemes because the probability of indirect
LLKs establishment through multi-hop paths between two neighboring nodes is
reduced.









4.2 Two Dimension Grid Design for TLK and LLK Establishment

In LAKE, a t-degree tri-variate polynomial is pre-distributed to facilitate key

establishment in a two-dimensional space, which is a special case of our model discussed

in C'! Filter 2. We will show that LAKE can efficiently establish both LLKs and TLKs

between sensor nodes. An LLK infrastructure can be established just after network

deployment. TLKs are established on demand when two end nodes need to communicate

with each other.

4.2.1 Network Model

It has been shown in C'! lpter 3 that utilizing deployment information can achieve

higher connectivity. So, even our key agreement model can achieve deterministic key

agreement between any pair of nodes, as is shown in [9], we consider incorporating

deployment information into LAKE.

The entire network is divided into N1 non-overlapping square cells and each cell

includes N2 sensor nodes. Each node in the network is identified by a coordinate (ni, n2)

in the two-dimensional space, where ni = 0,1,... Ni 1i {1, 2}, and we may use the

coordinate (ni, n2) as the node ID and the index n, as the cell ID.

Cell IDs are assigned in a fixed order such that each cell ID acts like a coordinate in a

two-dimensional plane. We may allocate 2h higher bits from the node ID field for the cell

ID. The 2h bits are divided into a pair of integers (i,j), where i is the row index and j is

the column index of the cell. Hence, each cell ID reflects the location information of the

corresponding nodes. This information is coarse, so we only can tell in which area a node

with a given cell ID resides. The node deployment in each cell may follow any probabilistic

distribution, such as Gaussian [17, 45, 50] or uniform [36, 38, 46]. We assume Gaussian

distribution here.

Our key agreement model is deterministic, so every node knows with which of other

nodes it can establish a shared key directly. If two nodes cannot calculate a shared key

directly, they rely on one intermediate node to negotiate an indirect key. Just like previous










(O,n2)

(8,n2)

(18,6)
(18,4) -








(56,n2)


S(7,n2)






(37,6)
(37,4)




(63,n2)


Figure 4-1. A two-dimension sensor network.


work [13, 15-19], we assume the underlying routing protocol can correctly route key

negotiation messages over multihop paths between those peer nodes.

Fig. 4-1 illustrates an example of the network model. There are 64 cells in the

network. Each cell consists of N2 nodes. We assign cell IDs in an order from left to

right and from top to down. Every node can be located by the cell ID in its node ID.

For example, node (0, n2) is in the most up-left cell, and node (63, n2) is in the most

down-right cell. Other examples of nodes are also depicted in Fig. 4-1.

4.2.2 Share Pre-distribution

Before network deployment, a global t-degree tri-variate polynomial is chosen. This

polynomial is used to derive shares for sensor nodes.

To establish keys, every node should have two credentials (c6, c2), which are positive

and pairwise different. These credentials can be created and preloaded into nodes before

deployment. However, it requires additional memory space per node. Fortunately, the two

credentials can be derived from node ID by a bijection, i.e.,


ci ni+1+N2
(4-1
c2 n2 + 1









where ni = 0, 1,..., Ni 1 for i = 1, 2. Thus, the two credentials are drawn from different

zones [N2 + 1, N1 + N2] and [1, N2] respectively, which guarantee they are positive and

pairwise different. Besides, by doing this mapping, each node needs to store only N2

instead of two credentials.

Every node in the network is assigned a polynomial share


f (cl,C2, X3) f(ni + 1 + N2, n2 + 1, x3)
t t t

il=0 i2=0 i3=0

Hence, every node in the network needs to keep only a t-degree univariate polynomial

that has t + 1 coefficients over a finite field Fq. Those coefficients are preloaded into every

node's memory before deployment and used to establish keys after deployment.

4.2.3 Direct Key Calculation

Two nodes can calculate a shared key directly if they have a credential in common,

i.e., a common index in their node IDs. We will call one of the two nodes a level-i

neighbor of the other if their i-th indices in their IDs are different and the other indices

are the same. Obviously, every node can establish shared keys with its neighbors at level 1

(inter-cell) and level 2 (intra-cell).

In the two-dimensional network, all nodes in each cell are level-2 neighbors because

they have the same cell ID, and each node has a level-1 neighbor in each of other cells.

For example, in the two-dimension network in Fig. 4-1, node (18,4) and node (18, 6) are

level-2 neighbors and they can calculate a shared key directly. Node (18, 4) and node

(37, 4) are level-1 neighbors and they can also calculate a shared key directly.

All nodes can calculate direct keys by itself without interaction with other logical

neighbors. Each direct key between two logical neighboring nodes is only secret to

them. An adversary cannot learn the direct key unless he/she knows the corresponding

polynomial share.









4.2.4 Indirect Key Negotiation

If two nodes have no common indices in their IDs, they cannot calculate a shared

key directly because they are not logical neighbors. This happens when the two nodes

reside in different cells and they have different indices in their cells, respectively. In this

case, one node can find in its cell a level-2 neighbor, which is also a level-1 neighbor of

the other node. Then the intermediate node can act as an agent to facilitate a shared key

negotiation between the two end nodes.

There are two agent nodes that can help the indirect key negotiation. Suppose node u

with ID (ul, u2) and node v with ID (v1, v2), where ul / vi and u2 / v2, need to negotiate

a shared key. Any of the node (ul, v2) or node (V1, u2) can act as an agent, because either

one is the common neighbor of nodes u and v. Then an indirect key can be established

through the following protocol:


u a : (a, u, n,, {(v, u, K )}K, H(a || u

|| n, I (|v, u,Kv)}K,, || Kua)) ,

a iv : (v, a, na, {(v, u, K,,,)}K H(v || a

I|| II {(V, u,Kv),} | Kv)) ,

where a is an agent node, n, and na are nonces used to counteract replay attacks, K,,

is the indirect key between node u and node v, K,, and Ka, are direct keys shared with

the agent a, "{.}{.}" is the encryption operation, H(-) is a hash function that generates

a message authentication code for authentication and integrity checking, and I| is the

concatenation operator. After verifying the authenticity and the integrity of the key K,,,

the agent node a forwards the key to node v and immediately deletes it so that it cannot

be revealed later.

For example in Fig. 4-1, there are two secure paths between node (18, 6) and node

(37, 4) and a shared key can be negotiated through either of the secure paths with the help

of the agent nodes (18, 4) or (37,6).









4.2.5 LLK Establishment

Given node density and radio radius in a large scale sensor network, the number of

neighbors of a node is usually small. Each node may establish LLKs for all neighbors

and keep those LLKs in its memory for future use. This can be done just after node

deployment because each node has been preloaded with a polynomial share which can help

key establishment.

When two neighboring nodes are from the same cell, i.e., have the same cell index,

they can apply the direct key calculation to establish an LLK. Due to the deployment

knowledge, we can expect that each node can establish LLKs directly with most of its

neighboring nodes because they are almost from the same cell.

If two neighboring nodes are from different cells but they are level-1 neighbors, then

they can calculate a direct LLK, just like nodes (1, 2) and (2, 2) in Fig. 4-2. Even if two

level-1 neighbors are far away from each other, like nodes (1,5) and (2,5), they can alv--i-

calculate a shared key independently.

The keys between level-1 neighbors can act as bridges between two cells. A node

in one cell can go through any of the bridges to negotiate keys with nodes in the other

cell. In Fig. 4-2, for example, node (1, 2) can negotiate an indirect LLK with node (2, 6)

through either node (2, 2) or node (1, 6).

Due to the deployment error, some nodes may reside outside of their supposed cells.

In Fig. 4-2, for example, node (1, 7) needs to establish LLKs with neighboring nodes (2, 2),

(2, 5), (2, 6). In this case, node (1, 7) can carry out indirect key negotiation through its

level-1 neighbor (2, 7). Of course, node (2, 7) may be multihop away from node (1, 7), but

the underlying routing protocol can route key negotiation messages between them, just as

is shown in previous work.

Communication overhead is a concern in the indirect LLKs negotiation. LAKE

includes deployment information into the establishment of LLKs, thus each node

may calculate direct LLKs with almost all of its neighbors. This high local secure















2,5)

(1,
(1,6) (2,7)

cell boundary

Figure 4-2. LLK establishment.


connectivity is desirable because it means that each node does not need to spend too

much energy on the establishment of indirect LLKs with neighbors through multi-hop

routing. Conventional LLK schemes with uniform key pre-distribution have more energy

consumption in terms of lower local secure connectivity. In next section, we will evaluate

the secure connectivity assuming Gaussian distribution for node location in each cell.

4.2.6 TLK Establishment

Due to the huge number of nodes in the network, it is impossible to establish a

TLK for each pair of nodes and store the TLK in the pair of nodes during network

initialization phase. A dynamic establishment of TLKs is much promising in large scale

sensor networks. Generally, a TLK should be dynamically established on demand during

the handshake procedure between any pair of nodes when they want to communicate with

each other.

Similar to the LLK establishment, each node can establish a direct TLK for each of

the other nodes in its cell because they are level-2 neighbors. As each node has a level-1

neighbor in each of other cells in the network, it can establish a direct TLK for the level-1

neighbor in that cell (like nodes (18, 6) and (37, 6) in Fig. 4-1). Then it can rely on the

level-1 neighbor as an agent to establish indirect TLKs with other nodes in that cell (in

Fig. 4-1), node (18, 6) can negotiate an indirect TLK with node (37, 4) through node









(37, 6)). Due to the deployment error, there is a possibility that node (37, 6) is not in cell

37, but the underlying routing protocol can relay key negotiation messages between these

nodes as is assumed in previous work.

If a secure link is defined as the communication path between two nodes that have

a shared key, where the secure link may be one-hop or multi-hop, LAKE can achieve the

TLK agreement through a secure path consisting of no more than two secure links, which

means that at most one agent is needed to facilitate the TLK establishment between any

two end nodes. Each secure path in most conventional schemes, which target at LLKs

establishment, usually consists of more than two secure links, and the length of secure

path is difficult to determine because it depends on not only the underlying routing

protocol but also the establishment of direct keys between neighboring nodes, especially

in large scale networks. Thus most conventional schemes are more vulnerable to the node

compromise attack than LAKE.

4.2.7 Performance Evaluation

In this section, we carry out some performance evaluation on the memory cost,

the resilience to the node compromise attack, the local secure connectivity, and the

computation overhead.

4.2.7.1 Memory cost

According to C'! lpter 2, we can simple get the minimum polynomial degree t* as


t* < N =1 1.8171 N1. (4-3)


Because each node keeps t + 1 coefficients of a t-degree univariate polynomial, the memory

cost per node is less than 1.8171\/N + 1, where N is the total number of nodes in the

network.

We compare the memory cost per node of our LAKE with some typical schemes

in Table 4-1. The second column in Table 4-1 gives the normal memory cost of each

scheme. In key-pool-based schemes [13, 15, 16, 20, 37, 40], each node keeps m keys out









of a global or local key pool. Du's [17], Liu's [18] and Huang's [38] schemes replace key

pools with space pools of matrix or polynomials of degree t. In PIKE [25], each node is

preloaded with unique pairwise keys for 2(/N 1) nodes, where N is the total number of

nodes in the network. Hypercube scheme [19] uses higher dimensional grid. Unlike PIKE,

hypercube uses a t-degree bivariate polynomial for each dimension. For fair comparison,

we assume two-dimensional grid for hypercube. Therefore, the memory cost of hypercube

is 2(t + 1). In LBKP [36] each node is preloaded with 5 polynomial shares, each of which

has a degree of t. HEX [45] and TRI [46] have memory cost of 6(t + 1) and 3(t + 1),

respectively. In LAKE, unlike previous work, each node needs to keep only a t-degree

univariate polynomial and thus the memory cost is only t + 1.

The third column in Table 4-1 gives how many memory units are necessary to provide

secrecy for direct keys, i.e., no matter how many nodes are compromised the direct keys

among non-compromised nodes are still safe. Key-pool-based schemes [13, 15, 16, 20,

37, 40] cannot provide secrecy because each time an adversary compromises one more

node he/she knows more keys in the global or local key pools. In Du's [17], Liu's [18] and

Huang's [38] schemes, the degree of each matrix or polynomial must be set as t = N 2

to avoid the exposure of direct keys. So their memory cost is on the order of N. In PIKE

[25], all those 2(/- 1) keys are preloaded and unique, so any of the keys is secure even
other keys are compromised. In two-dimensional hypercube [19], each dimension has V

nodes. In order to protect direct keys, the polynomial degree must be set as t = N 2

and thus the memory cost is 2(N 1). Suppose LBKP [36], HEX [45] and TRI [46]

and LAKE use the same network configuration, where the entire network is divided into

N cells and each cell consists N nodes. In LBKP [36], to guarantee each bivariate

polynomial is secret, the degree should be no less than 5/N 2 because each bivariate

polynomial is used in its home cell and four adjoining cells. Similarly, the memory costs

of HEX [45] and TRI [46] are 6(2\/ 1) and 3(2/N 1), respectively. However, the

memory cost of LAKE is less than 1.8171-N + 1.









Table 4-1. Memory cost of different schemes.


Schemes Memory Cost For Secrecy
key-pool-based [13, 15, 16, 20, 37, 40] m
space-pool-based [17, 18, 38] O(A(t + 1)) O(A(N- 1))
PIKE-2D [25] 2( -N 1) 2(-- 1)
Hypercube-2D [19] 2(t + 1) 2(v 1)
LBKP [36] 5(t+ 1) 5(5 1)
HEX [45] 6(t + 1) 6(2 /- 1)
TRI [46] 3(t + 1) 3(2I- 1)
LAKE t + 1 < 1.8171 N + 1

4.2.7.2 Resilience to node compromise

By launching the node compromise attack, an adversary may easily obtain all secrets

stored in the compromised nodes. Usually, it is impossible to prevent this kind of attack

due to the lack of tamper-proof hardware. Furthermore, the adversary may use the

compromised secrets to derive the direct keys belonging to other pairs of normal nodes. In

addition, by compromising some nodes, the adversary can also obtain the messages passing

through these nodes. This may also lead to the exposure of indirect keys. Here we can use

the additional key exposure probability to evaluate the resilience to the node compromise

attack.

By choosing the global polynomial degree t, we can achieve the secrecy of the global

polynomial, i.e., no matter how many nodes an adversary compromises, he/she cannot

calculate the direct keys belonging to other pairs of non-compromised nodes. Hence, the

additional direct key exposure probability of LAKE is 0.

In conventional key-pool-based or space-pool-based schemes [13, 15, 16, 20, 37, 40],

every time an adversary compromises one more nodes, he/she obtains more information

about the global key pool or space pool, which means more keys are compromised. For

example, in E-G [13], the additional direct key exposure probability can be calculated as

[15, 37]

Pc 1 1- (4-4)
s









where each node randomly selects a key subset of size M from a global key set of size S

and the number of compromised nodes is x. We can see it is an increasing function of x.

PIKE (peer intermediaries for key establishment) [25] can also achieve the zero

additional direct key exposure probability because of the pre-distribution of unique direct

keys.

Hypercube-2D [19], LBKP [36], HEX [45] and TRI [46] use t-degree bivariate

polynomial to achieve key agreement. Suppose there are A nodes sharing a t-degree

bivariate polynomial and N is the total number of nodes in the network. Given x

compromised nodes, the probability that i out of A nodes were compromised is

P (i)= -i (4-5)


and thus the probability that the polynomial was compromised is given by
A
Pc = Pc(i) (4-6)
i=t+l

Suppose each node has a memory size of M units for cryptographic materials and each

memory unit can accommodate a cryptographic key or a polynomial coefficient, and each

node must keep B polynomial shares, the probability of exposing a polynomial can be

rewritten as
A
Pc= Y Pc () (4-7)
-Lfj
Here the values of A and B are N and 2 for Hypercube-2D [19], 5Nc and 5 for LBKP

[36], 2Nc and 6 for HEX [45], and 2Nc and 3 for TRI [46], where N, is the number of
nodes in one cell.

An example: Suppose 10000 nodes are deploy, 1 in an area 2000 x 2000m2. The global

key pool of E-G [13]is set 100000. PIKE [25] and Hypercube [19] use two-dimensional

grid. For LBKP [36], HEX [45], TRI [46] and LAKE, there are 100 cells and thus the

number of nodes per cell is 100. Suppose each node has a memory size of M units for











I .A
-e- E-G
-- PIKE
-- Hypercube
1.2 LBKP
-- HEX
TRI
-B- LAKE

S / : = = =


._
2 0.8
0..



E 0.6
O
0
t--

0.4




0.2




0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9

Fraction of compromised nodes


Figure 4-3. M = 240.


cryptographic materials and each memory unit can accommodate a cryptographic key or

a polynomial coefficient. Fig. 4-3 and Fig. 4-4 gives the additional direct key exposure

probability according to the fraction of compromised nodes when M 240, 180. We

observe that LAKE outperforms other schemes with the zero probability of the additional

direct key exposure. When there is more memory resource (M = 240), Hypercube-2D [19]

can also give the zero probability of the additional direct key exposure. However, when

memory resource is limited (M 180), Hypercube-2D [19] becomes vulnerable to node

compromise.















1.2- LBKP
-- HEX
TRI
-a- LAKE





2 0.8

E )


E 0.6
0



0.4



0.2




0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9

Fraction of compromised nodes

Figure 4-4. M = 180.


Every node needs an agent node to establish indirect LLKs and TLKs with other

nodes. If the agent node is compromised, the indirect keys are exposed. Suppose x out of

N nodes in the network are compromised. The probability of the indirect key exposure is

(N-1
PPc 1 (- (4-8)


PIKE-2D [25] and Hypercube-2D [19] can achieve the same probability of the indirect

key exposure because it also relies one agent node to establish pairwise keys between

neighboring nodes. In other schemes [13, 15, 16, 20, 37, 40], two nodes have to rely on









a secure path consisting of multiple agent nodes to establish an indirect key. It is very

difficult to determine those agent nodes because it depends on not only the underlying

routing protocol but also the establishment of direct keys between neighboring nodes,

especially in large scale networks. For example, in E-G [13] the secure path between two

neighboring nodes consists of 2 or 3 agent nodes and the secure path between any two

end nodes consists of more than 11 agent nodes on average [13]. Suppose the secure path

between two nodes in E-G and LBKP consists of h agent nodes. The probability that the

indirect key between the two end nodes is exposed can be calculated as

p( ) 1 (4-9)
Pf) N '

where N > h > 1. Thus, LAKE is more resilient to the node compromise attack.

4.2.7.3 Local secure connectivity

Every node can calculate direct LLKs with some neighbors, and establish indirect

LLKs with other neighbors through one agent node. The local secure connectivity is

directly related to the communication overhead of key establishment. If a node has high

probability to calculate direct LLKs, it can save a lot of communication overhead on

the establishment of indirect LLKs through multi-hop routing. Hence, high local secure

connectivity, which is the probability of establishment of direct LLKs, is desirable in

sensor networks.

In the schemes [13, 15, 16, 20], key materials are uniformly pre-distributed in the

network. It is highly possible that two nodes with correlated key materials cannot

establish a direct LLK because they are far away from each other. For example, in

E-G scheme [13], each node randomly selects M keys from S keys, thus the local secure

connectivity of E-G is 1 ("MM)/() r 1 (1- )M -, where S > In PIKE-2D

[25] and Hypercube-2D [19], each node keeps pairwise keys with 2({/ 1) nodes, thus the

local secure connectivity of these two schemes is 2(-N- 1)/IN -2. The low connectivity

will incur significant communication overhead.









It has been shown that deployment knowledge can be used to increase the connectivity

[36-38, 45, 46]. By intentionally pre-distributing the same set of secrets in small cells, they

can achieve much higher connectivity than uniform pre-distribution schemes. Though

our key agreement model still work in uniform pre-distribution scenarios, we consider

deployment knowledge here to further increase the local secure connectivity.

Due to deployment errors, we cannot expect each node resides at the predetermined

location. Rather, the node deployment in each cell follows some probabilistic distribution.

In order to evaluate the influence of deployment knowledge, we use the Gaussian

distribution [17, 45, 50] in our simulation. Particularly, the location of each node follows

the distribution,
1 -((x x)2 ( tc)2)
p(x, y) = 2 exp 2 (4-10)
27j(2 2j2

where (xe, yc) is the center of the cell in which the node resides and (x, y) is the real

location of the node.

We use the same configuration parameters in Section 4.2.7.2 in our simulation.

There are 10000 nodes deploy, 1 in an area 2000 x 2000m2. All the schemes evaluated

here can store M = 200 keys. Node radio radius is 150m, which is corresponding to

MICA2 capability [31]. The global key pool of E-G [13] is set 100000. The schemes

E-G [13], PIKE-2D [25] and Hypercube [19] use the uniform pre-distribution. As for

the location-based schemes LBKP [36], HEX [45], TRI [46] and LAKE, there are 100

cells and thus the number of nodes per cell is 100. The inter-cell distance (the distance

between the centers of neighboring cells) is set 200m. The standard derivation is set to

a = 50m. Under these configurations, we simulate a sensor network, find the local secure

connectivity of each node, and average it over all the nodes. The average local secure

connectivity is given in Table 4-2.

We observe that the local secure connectivity for the uniform pre-distribution

schemes [13, 19, 25] is very low. The location-based schemes [36, 45, 46] have much higher

connectivity because all the nodes in neighboring cells are pre-distributed with correlated









Table 4-2. Local secure connectivity of different schemes


Schemes Local Connectivity
E-G [13] 0.2797
PIKE-2D [25], Hypercube-2D [19] 0.0276
LBKP [36] 0.9999
HEX [45] 0.9960
TRI [46] 0.9985
LAKE 0.5317


key materials. LAKE has lower local secure connectivity than the location-based schemes

[36, 45, 46], because in LAKE only the nodes in one cell have correlated key materials and

each node can establish a direct key with only one node in another cell. However, LAKE

still has much higher local secure connectivity than the uniform pre-distribution schemes

such as E-G [13], PIKE-2D [25] and Hypercube [19].

4.2.7.4 Computation overhead

LAKE is based on the symmetric key technology, where a global t-degree tri-variate

symmetric polynomial is used to build up a secure infrastructure. Each sensor node

can calculate a key by using a t-degree univariate polynomial, which is a share of the

global polynomial. It has been shown in Hypercube [19] that the polynomial evaluation is

comparable with conventional symmetric key primitives such as Message Authentication

Code based on RC5 or SkipJack. To calculate a key, each node should calculate 2t 1

modular multiplications over Z*: t 1 for x2,... t and t for b5x, b5x2,..., btxt. Under the

symmetric key technology, the length of q is usually 64 bits or 128 bits. Suppose the same

configuration parameters in Section 4.2.7.2 is used here, where total number of nodes is

N = 10000, the number of nodes per cell is 100, and the number of cells is 100. According

to the Table 4-1, the t is less than 181. Hence, each node needs to perform only 361 64-bit

or 128-bit modular multiplications. Similarly, the number of modular multiplications of

other polynomial-based schemes is given in Table 4-3. Obviously LAKE is more efficient

than most conventional symmetric key schemes.









Table 4-3. Computation overhead of different schemes.


Schemes #. of shares degree #. of multiplications
Hypercube-2D [19] 2 98 390
LBKP [36] 5 498 3875
HEX [45] 6 198 2370
TRI [46] 3 198 1185
LAKE 1 < 181 < 361


Public key techniques such as RSA and Diffie-Hellman can also achieve key

agreement. The basic operation of RSA and Diffie-Hellman is the modular exponentiation

of the form y' (mod q). One modular exponentiation needs | log2 q log2 q-bit modular

multiplications on average [5]. To guarantee the same level of security, here q is usually

1024 bits and y and x are drawn from Z*. Thus public key based operation requires

1536 1024-bit modular multiplications on average. A 1024-bit modular multiplication is

(1024)2 = 256 times more expensive than a 64-bit modular multiplication [17]. Hence the
public key techniques are 256 x 1536 1089 times more expensive than LAKE if 64-bit

symmetric keys are used in LAKE.

4.3 Scalable Link-Layer Key Agreement in Sensor Networks

In this section, we extend our LAKE into the multi-dimension case [49]. Our scheme

is based on a method we have developed in [9]. Each sensor node carries a share of

a global t-degree multivariate symmetric polynomial. If the shares of two nodes are

correlated, the two nodes can calculate a shared key directly. Otherwise, they can

negotiate an indirect key with the help of an intermediate node. We utilize node

deployment knowledge such that nodes with correlated shares are deploy, l1 as close as

possible. In this way, each node can directly calculate LLKs with most of its neighbors. In

this section, we will elaborate the details of our scheme.

4.3.1 Network Model

We assume each node is identified by an index-tuple (ni, n2,..., nk), where ni

0,1,..., Ni 1,i E {1, 2,..., k}, and we may use the index-tuple as the node ID. Hence









each node is mapped into a point in a k-dimension vector set S1 x S2 x .. x Sk, where

ni E Si C Z and the cardinality |Sil = Ni, for i = 1, 2,..., k. The maximum number of

nodes that the network can consist of is N = fHi i.

Due to the broadcast characteristics of radio communications, adversaries can easily

eavesdrop any messages, either non-encrypted or encrypted, transmitted over the air

between nodes. Adversaries may capture any node and compromise the secrets stored in

the node. Furthermore, adversaries can use the compromised secrets to derive more secrets

shared between other non-compromised nodes. We try to reduce the probability that the

keys shared between non-compromised nodes are exposed when some nodes have already

been compromised. To further evaluate the impact of node compromise, we assume the

probability of the compromise of a node is p.

4.3.2 Share Distribution

Before network deployment, a global t-degree (k + 1)-variate symmetric polynomial is

constructed as is stated in C'! lpter 2. This polynomial is used to derive shares for sensor

nodes.

To achieve key agreement, every node n should have k credentials (Cl, c2,..., C),

which are positive and pairwise different. These credentials can be created and preloaded

into nodes before deployment. However, it requires additional memory space per node.

Fortunately, the k credentials can be derived from the k indices in node ID (ni, n2,..., nk)

by a bijection, i.e.,
ci = ni + 1

C2 2 + 1 +N

C3 3 + 1 + NI N2
(4-11)


Ck-1 = nk-il+N+ N +Nk-2

Ck = nk + + N1 + + Nk-









where ni = 0, 1,..., Ni 1 for i = 1,2,..., k. Thus, the k credentials are drawn from

different zones in that Ci E [1, Ni] and ci e [N1 + -. + N -1 + 1, N1 + + Ni] for

i 2,... k, which guarantee they are positive and pairwise different.

For a node (ni, n2,..., nk), a polynomial share

t
fk+l(Xk+1) = f(, C2, ..., Cik, Xk+) bi xk (4-12)
ik+l=0

is calculated, where
t t t
jik E E C2 ... Cik. (4 13)
il= 0i20 i=0

and (c, c2,..., Ck) is mapped from (ni, n2,..., nk) according to the equations (4-11).

Then the polynomial share is assigned to the node. Here, the node only knows the t + 1

coefficients of the univariate polynomial share, but not the coefficients of the original

(k + 1)-variate polynomial. Therefore, even if the marginal bivariate polynomial is exposed,

the global polynomial is still safe if the degree t is chosen properly.

4.3.3 Node Deployment

Two nodes can calculate a shared key if their credentials have only one mismatch

in them. Due to the one-to-one mapping in the equations (4-11), two nodes u with ID

(U1, U2,..., Uk) and v with ID (vU, v2,... ,) can directly calculate a shared key without

any interaction if their IDs have only one mismatch. If the two nodes are within the radio

coverage of each, then the key can be used as an LLK. Therefore, we need a deployment

method that intentionally make nodes with only one mismatch in their IDs be deploy, ,1 as

close as possible. In such a way, each node can establish Link-] iV r keys with most of its

neighbors.

Because node ID is an index-tuple (ni, n2,..., nk), where ni 0, 1, ...,Ni 1,i E

{1, 2,..., k}, the network is logically constructed with k levels. The i-th level consists of

N1 x N2 x ... x Ni cells, each of which has Ni+l subcells, i.e., N+l x .. x Nk nodes, where

i = 1,2,..., k 2. The (k 1)-th level consists of N1 x N2 x ". x Nk-1 cells, each of which









has Nk nodes. Here, the notation (ni, n2,..., ni) can be seen as cell ID at the i-th level for

i =1,2,..., k 1. An example is illustrated in Fig. 4-5 (A), where N1 = N2 N3 9.

To facilitate key agreement, the logical network topology is transformed into a real

one, which decides the real node deployment model. Suppose a level-(i 1) cell has

Ni = Ri x Ci subcells. To do the transformation, the following two steps are taken:

1. in the first step, flip the even rows of the level-(i 1) cell vertically;

2. in the second step, flip the even columns of the level-(i 1) cell horizontally.

An example is depicted in Fig. 4-6. A cell at the (i 2)-th level has Ni- = 3 x 5

level-(i 1) subcells (Fig. 4-6 (A)), each of which again has Ni subcells. By the two-step

transformation, we get the real cell topology illustrated in Fig. 4-6 (B).

The entire network topology is constructed based on the two-step transformation. In

this way, the network is divided into N1 x N2 x ... x Nk-1 cells, where cells are located

according to the space order determined by the two-step transformation. All the nodes

are deploy, ,1 into corresponding cells based on their IDs. The real network topology of the

example in Fig. 4-5 (A) is illustrated in Fig. 4-5 (B).

4.3.4 Link-layer Key Agreement

As is stated before, two nodes u with ID (u u2,..., Uk) and v with ID (vU, v2,... ,, )

can directly calculate a shared key without any interaction if there is only one mismatch,

iw the i-th indices, in their IDs. Then node u can take + 1+ N+ +- +N 1i_ as the input

to its own share f(ci, c2,... CXk+1), and node v can as well take ui + 1 + N1 + + Ni-1

as the input to its share f(ci, C2,..., k, X k+1). The direct shared key between nodes u and

v is then calculated as


K,, = f(cl,...,ui + 1 +---+N _1,

... ,Ck,' + + + 1 Ni-1)

f(cl,...,' +1 +N1 +---+Ni1,

... Ck, Ui + N1 +-" + Ni-1) (4-14)











00 01 02 10 11 12 20 21 22


03 04 05 13 14 15 23 24 25


06 07 08 16 17 18 26 27 28


30 31 32 40 41 42 50 51 52


33 34 35 43 44 45 53 54 55


36 37 38 46 47 48 56 57 58


60 61 62 70 71 72 80 81 82


63 64 65 73 74 75 83 84 85


66 67 68 76 77 78 86 87 88


A

00 01 02 12 11 10 20 21 22


03 04 05 15 14 13 23 24 25


06 07 08 18 17 16 26 27 28


36 37 38 48 47 46 56 57 58


33 34 35 45 44 43 53 54 55


30 31 32 42 41 40 50 51 52


60 61 62 72 71 70 80 81 82


63 64 65 75 74 73 83 84 85


66 67 68 78 77 76 86 87 88


B

Figure 4-5. Topology. A) Before deployment. B) After deployment.
98










0 0 0


N,-1 N,-1 N,-1 N,-1 N,-1
0 0 0 0 0


N,-1 N,-1 N,-1 N,-1 N,-1
0 0 0 0 0



A
0o oo0 00


N,-1 N,-1 N,-1 N,-1 N,-1
N,-1 N,-1 N,-1 N,-1 N,-1


0 00 00
0 0 0 00


N-1 N-1 N, N N-1

B

Figure 4-6. Deployment strategy. A) Before deployment. B) After deployment.


Because all node credentials of u and v are drawn from different subsets where any

two subsets have no intersection and ui / the k + 1 credentials used to calculate the

shared key are pairwise different, and the set of credentials is unique. Therefore the shared

key calculated by the nodes u and v is unique, i.e., other nodes do not know the shared

key.

Consider our deployment model. At the lowest level, the network is divided into

N1 x N2 x ... x Nk-1 cells. All the nodes in each of those cells have common ID prefix,

which is the cell ID, and their node IDs are only different at the k-th position. Therefore,

any pair of nodes in one cell can calculate a direct shared key. For example, two nodes

(041) and (044) in cell (04) (Fig. 4-5 (B)) can calculate a shared key directly.









For two neighboring cells, if their cell IDs has only one mismatch, each node in

one cell can find another node in the other cell such that the two nodes have only one

mismatch in their node IDs, i.e., the two nodes can calculate a shared key directly. In

the example Fig. 4-5 (B), node (041) in cell (04) can calculate a shared key directly with

node (081) in cell (08). With the help of node (081), node (041) can indirectly establish a

shared key with every other node in cell (08).

For two neighboring cells with two mismatches in their cell IDs, they are in the

diagonal direction of each other and have a neighboring cell in common, which has only

one mismatch in cell ID with each of them. In Fig. 4-5 (b), node (081) in cell (08) can

indirectly negotiate a shared key with node (151) in cell (15) through node (181) in cell

(18), because node (181) has direct keys with node (081) and (151) respectively. Then

node (081) can indirectly negotiate a shared key with each of other nodes in cell (15)

through node (151).

In our deployment model, each node can calculate direct LLKs with most of its

neighbors because most of its neighbors are in the same cell as it, and negotiate indirect

LLKs with the rest neighbors with the help of only one intermediate node. Moreover, each

node can even establish shared keys with other nodes multi-hop away.

4.3.5 Performance Evaluation

In this section, we will carry out some analysis and evaluate our scheme in comparison

with some typical schemes including [13, 21, 23, 25, 36].

4.3.5.1 Memory cost

It has been proved in [9] that to guarantee the security of the global polynomial, the

minimum degree t* can be bound as [9]


t* < r N (415)









Table 4-4. Memory cost of different schemes


Schemes Memory Cost
E-G [13] m
LBKP [36] 5(t + 1)
PIKE [25] 2( 1)
Combinatorial [21, 23] O(/ )
Ours O( N)


where ratio

kk 1! (4-16)
S2

We compare the memory cost per node of our schemes with other schemes in Table

4-4. In E-G scheme [13] each node has a subset of m keys, where m may be more than

100 if it needs to maintain a certain security or connectivity. In LBKP [36] each node is

preloaded with 5 polynomial shares, each of which has a degree of t. However, in order to

maintain strong security, the value of t is very high. So its memory cost is much higher

than ours. In PIKE [25], each node must store 2(\/ 1) keys where N is the network

size. Combinatorial design techniques are proposed in [21, 23]. They are similar to E-G

[13], but they can ensure key sharing between any pair of nodes. The memory cost of their
schemes is roughly O(v-N) where N is the total number of nodes. However, the memory

cost of our scheme can be O(K-N), which is much less.

4.3.5.2 Security

In our scheme, each node can calculate direct LLKs with most of its neighbors. Each

direct LLK is only known by the pair of nodes that shares it, and the key can not be

derived by other nodes, because we choose the value of t such that the global polynomial

is secure in case of node compromise. As for other neighbors, each node can negotiate an

indirect LLK with each of them through only one intermediate node. So if the probability

of node compromise is p, then the probability of the exposure of the indirect key is just p.









In conventional schemes [13, 21, 23, 36], when the number of compromised nodes

is large, the direct keys among non-compromised nodes can be exposed. Moreover, the

indirect keys are as well insecure because each indirect key has to be established with the

help of several intermediate nodes along a path. If such a path involve h intermediate

nodes, then the probability that an indirect key is exposed can be calculated as


P 1 (1 p)h. (417)


PIKE [25] is similar to our scheme in that any pair of nodes can establish a shared

key through no more than one intermediate node. The difference is that it does not

utilize deployment knowledge to facilitate LLK agreement and thus is more expensive in

communication. Moreover, its memory cost per node is higher than ours. Obviously, our

scheme is more secure than conventional schemes.

4.3.5.3 Local secure connectivity

Every node can calculate direct LLKs with some neighbors, and establish indirect

LLKs with other neighbors through one intermediate node. The local secure connectivity

is directly related to the communication overhead of key establishments. If a node has

high probability to calculate direct LLKs, it can save a lot of communication overhead on

the establishment of indirect LLKs through multi-hop routing. Hence, high local secure

connectivity, which is the probability of establishment of direct LLKs, is desirable in

sensor networks.

Suppose nodes are uniformly deploy, -1 in each cell. The local secure connectivity

can be calculated as the ratio of node coverage in its cell to the node transmission area.

Suppose the side length of each cell is 2D, node radio radius is R. Due to the symmetry

of square cell, we only consider the first quadrant in the Cartesian coordinate plane (Fig.

4-7), where the center of cell is located at the origin of the plane. The first quadrant is

divided into five areas, each of which is corresponding to different node coverage A(xo, yo)









in the cell, where (xo, yo) is the location of node. The A(xo, yo) can be calculated as

A(xo, yo)


where Xo D-= Y
RY


rR2, when 0
R2( arccos(2Yo2 1) + Y/- Y2)

when 0
R2(T arccos(2Xo2 1) + Xo1 Xo2)

when D- R< xo R2( Tarccos(2Xo2 1) arTcos(2 1)

+Xo 1 Xo+ Y yo2)

when D-R
(x, D)2 + (, D)2 > R2
R2((Xo + 1- Yo2(Y + 1 Xo2)

+ arccos(-XoJ 1 Yo2 Yo1 Xo2)

-/(1 X- 2)(1 Yo2) Xo) ,

when D-R
(x D)2 + (y D)2 < R2
D -. Thus the local secure connectivity can be calculated as

1 1D YD
C = tp2 j / A(xo, yo) dxodo (
7 R2D2 0


In scheme [13], each node selects M keys from S keys, thus the local secure

connectivity is roughly 1 I- (SM)S) -, where S > M. In PIKE [25], each

node keeps unique pairwise keys with 2(N 1) nodes, thus the local secure connectivity

of PIKE is about 2/vN. Schemes [21, 23] are similar to PIKE [25] in that the local

secure connectivity is roughly O(1/vN). LBKP scheme [36] uses location information

to facilitate key pre-distribution so that each node can establish direct LLKs with all


4-18)















4-19)









y
D


D-R








o D-R D x

Figure 4-7. Node coverage in one cell.


neighbors in its cell and in neighboring cells, leading the local secure connectivity to about

1 if all the nodes are uniformly deploy, ,1 in their home cell.

The low local secure connectivity of schemes [13, 21, 23, 25] is because each node

cannot store too much keys to increase the local secure connectivity. However, in ours

scheme the local secure connectivity is unrelated to memory cost. For example, suppose

the size of cell size is 200 x 200m2 and node radio radius is 25m. The local secure

connectivity of ours scheme is 0.89, which is much higher than that of [13, 21, 23, 25],

which is usually much less than 0.5.

4.4 Conclusion

In this C'! lpter, we proposed novel LLK and TLK establishments schemes, which is

scalable for large networks with small memory cost. Compared with conventional schemes

which have memory cost of at least O( /N) in a network with N nodes, our scheme has

only O( -N) memory cost per node, where k > 1. Moreover, we utilize node deployment

knowledge to facilitate direct LLK agreement so that the local secure connectivity is very

high. In this way, the communication overhead of establishing indirect LLKs is reduced

significantly. The security of our scheme is very strong in that most LLKs are established

directly, and the other indirect LLKs are established through only one intermediate node.









CHAPTER 5
A LOCATION-BASED NAMING MECHANISM FOR SECURING SENSOR
NETWORKS

5.1 Introduction

Every node in a network has a name. We usually call it identifier, because it helps

us to identify each individual node. Besides identification function, the name may tell us

some useful information about the node, and the information is much helpful in many

network activities. For example, in the social network, we may infer a person's family

background from his last name, and the IP address in the Internet consists of network

identifier and host identifier which are used in routing protocols. However, if we deprive

the name of those meaningful information, we need to assign every node some additional

attributions to reflect those required information in some scenarios, which means extra

storage. Unfortunately, current naming mechanism in sensor networks gives us a bad

example, in which every node's identifier is taken from a one dimension name space that

has no meaning but the identification function.

Obviously, it is more beneficial if every node's identifier reflects more information

about itself. In this chapter, we propose a location-based naming (LBN) mechanism

for sensor networks [51, 52]. The idea is to embed some location information into node

identifier (ID) and use the location information to facilitate many applications in sensor

networks. Particularly, the entire network is divided into many cells, and each cell is

marked by a cell index. All sensor nodes are deploy, .1 in groups such that each cell is

deploy, .1 with a group of nodes. Hence, the nodes in one cell have the same cell index. To

distinguish each individual node in one cell, each node is assigned a node index, which is

unique in the cell. In this way each node ID has two parts: the cell index that tells which

cell in the network the node resides, and the node index that acts like the conventional

identifier for the identification of the node in the cell. Thus location information is

embedded into node IDs by the one-to-one mapping between cell indices and the locations

of cells.









This LBN mechanism may find many applications in sensor networks, such as

geographic routing, target tracking, environment surveillance, etc. However, our focus is

the security applications in sensor networks. Because it is embedded into node IDs, the

location information may act like an inherent node characteristic in stationary sensor

networks, thus it can be used to provide authentication services in local access control

[53]. For example, every node participates in the network though a neighbor-to-neighbor

communication mode, so every node should accept the packets only from the nodes in its

neighborhood. The LBN mechanism is pretty suitable in this scenario in that every node

may identify whether a packet comes from a neighbor or another distant node based on

the node ID in the packet.

S11 :v attacks in sensor networks try to raise havoc by skewing network topology [33].

For example, a malicious node may impersonate other normal nodes by changing its node

ID, thus cause severe topological distortion leading to the failure of routing protocols.

However, by binding location information with node IDs, LBN can be used to detect

those topological distortions. When LBN is employ, 1l a malicious node can not change

its ID into those in the cells far away from its own cell, because the malicious node may

be detected if its ID does not belong to its own cell. However, the malicious node may

still impersonate the IDs in its neighborhood, because all IDs in one cell has the same cell

index. In this case, some neighborhood authentication service should be applied to detect

the malicious node.
We make the following contributions in this chapter:

1. We introduce the naming problem for sensor networks in the literature for the first
time;

2. We propose a location-based naming mechanism LBN and explore its security value
for sensor networks;

3. We propose a link liv, r authentication scheme LLA, which incorporates LBN, to
provide a neighborhood authentication service;









4. We will show that our LBN mechanism and LLA scheme can be combined to provide
an efficient defense against many notorious attacks in sensor networks.

The rest of this chapter is organized as follows. In Section 5.2 we propose the

location-based naming mechanism LBN to fulfill our idea on network naming system. In

Section 5.3 we describe the link l1v. r authentication scheme LLA, and show how it acts

as a reenforcement of our LBN mechanism by providing neighborhood authentication. We

will discuss how our LBN mechanism and LLA scheme can be combined to defend against

many notorious attacks in sensor networks in Section 5.4. Some discussions are given in

Section 5.5, and conclusion is given in Section 5.6.

5.2 Location-based Naming Mechanism

5.2.1 Location Determination

To utilize location information, it is the first requirement to acquire location

information. The location determination is not a trivial task in stationary sensor networks.

It is infeasible to install every node with a GPS (global positioning system) due to the

desire for low price sensor nodes. Though there are some post-deployment facilitating

methods [53-55], they rely on the cooperation between sensor nodes, which leads to a large

amount of communication overhead.

However, when a sensor network is deploy, l in an area, some location information

is known a priori. Hence, if we deploy a group of nodes into an area, we may preload

the location information of the area into the nodes' memory. This a-priori location

information can be used in many scenarios such as key management [36-41]. Due to

deployment errors, the a-priori location information is less precise than that of posterior

measurements, however, it obviates the need to use expensive positioning devices and

complex distributed location determination algorithms, thus it is pretty suitable for

some applications in resource constrained sensor networks. In this paper, we uses the

course-grained a-priori location information to develop a security scheme to defend against

many attacks to network topology.




















Figure 5-1. A square cell deployment model.

Before deploying a group of sensor nodes, we should decide which place the

group should reside. Thus the entire deployment area is divided into many .ii ,i:ent

non-overlapping cells. Every cell is centered with a deployment point. Based on specific

deployment models, the contour of cell may be square [36-38, 48, 49], hexagon [45] or

triangle [46]. For simplicity, square cell (Fig. 5-1) is used as an instance in this paper.

However, other shapes are still applicable with a few modifications.

Each group of nodes is intended to be deploy, -l in a predefined cell. Due to

deployment errors, every node will be deploy, ,1 around the deployment point of its cell

according to some probability distribution function(PDF), such as Gaussian distribution

or Uniform distribution. It is necessary to point out that the area where the node resides

does not necessarily have the same shape as its cell. For example, the area where the node

resides may be a circle because of the centralized Gaussian distribution while its cell is

a square. However, we may improve deployment precision so that the probability that a

node resides out of its cell is very small [45, 46, 48, 49].

5.2.2 Location-based Name

When the deployment model is defined, the location of each deployment point is

known. By associating each group of nodes with a specific cell, we may know in which

cell of the network each node will reside. In a large scale sensor network, the coordinates

of deployment points usually have length of several bytes. However, in current link 1-v r


(i-1, j-1) (i-1, j) (i-1, j+1


(i, j-1) (i, j) (i, j+1)


i+1, j-1) (i+1 j) Ii+1, j+ 1









protocols for sensor networks, the node ID field length is usually less than 4 bytes. For

example, in TinyOS packet format, the node ID field length is only 16 bits [56]. It is

impossible to include the location coordinates of deployment points directly into node ID

field in large scale sensor networks. However, our scheme does not rely on precise location

information, we only count on the relative location information between sensor nodes.

Hence, we tend to use indices.

In our deployment model, each cell is marked with a cell index, which is a pair of

integers (i,j), where i is the row index and j is the column index. Thus we can identify

each cell and its associated group of nodes by cell index. The indices are not absolute

location coordinates, so they could be very small integers. With this benefit, we may

allocate several bits from the node ID field for cell index, and the rest bits from the node

ID field as node index in the associated cell. In this way each node is identified by a pair

(cell index, node index). For example, we may allocate 10 bits from a 16 bits ID field for

cell index, and the rest of 6 bits for node index (Fig. 5-2). Then the maximum affordable

network may consist of cells of 32 rows and 32 columns, where each cell contains 64 nodes,

and the total number of nodes is 65536.

Only index can not provide more information other than cell identification. What we

care about is how the indices describe the relationship between nodes. In our deployment

model all cells are indexed according a fixed order from top to right and from left to right

such that each cell index (i,j) acts like a coordinate in a two dimensional plane (Fig. 5-1).

In other words, cell indices are normalized coordinates of cells. Hence, the indices reflect

the spatial relationship between nodes. By checking node ID fields in received packets,

a node may tell whether the sources of packets come from its own cell or neighboring

cells or other distant cells. If we treat each node as a kind of resource, and the packets

reception by the node as a kind of resource access, then the orderly naming mechanism

may provide an authentication service for the access control at link 1-V-r. Because link

1-,-r-- communications run between neighboring nodes and in our scheme the neighbors










cell index node index

MSB LSB


Figure 5-2. Location-based name.


of one node most likely come from its cell or neighboring cells, every node should only

accept the packets from the nodes in its cell or neighboring cells, and deny the packets

from other distant cells' Obviously, our LBN mechanism has its significance for securing

sensor networks. An example is that most ID-spoofing attacks may be defeated because

of inherent location information in node IDs. We will show in Section 5.4 that our LBN

mechanism may defend against a wide range of attacks in sensor networks.

5.3 Link Layer Security

Sensor networks are vulnerable to malicious attacks in unattended and hostile

environments such as battlefield surveillance and homeland security monitoring [57, 58].

Adversaries can easily eavesdrop messages transmitted over the air between nodes, or

disable the entire network by launching physical attacks to sensor nodes or logical attacks

to communication protocols [33, 35]. Under such circumstances, security services such as

encryption and authentication are indispensable for guaranteeing the proper operation of

sensor networks.

In the overall network security infrastructure, link 1iv-cr security is the basic tile,

because all communications are established on the neighbor-to-neighbor communication

mode. A node should only accept the packets from authenticated neighboring nodes. To

establish trustiness between neighboring nodes, authentication services at link l-,- -r are



1 Due to deployment errors, some nodes may accidently run into distant cells other than
its destined cell. Thus these nodes may be precluded because they do not belong to the
cells where they reside. However, it is shown in [36, 45, 46, 48, 49] that this probability
is very small. We could treat it as the trade-off of the usage of a-priori deployment
knowledge.









required. To prevent eavesdropping attacks, two neighboring nodes need to negotiate a

shared key used for encryptions at the link l~ .I-r. Some proposals [36-41] use location

information in key management in sensor networks, which may be used to establish link

l-1v-r encryption keys. However, they have not addressed the authentication problem.

Motivated by their work, we propose a link 1-v.r authentication (LLA) scheme in this

section, which incorporates the LBN mechanism to provide a neighborhood authentication

service.

Our LLA scheme consists two phases. The first one is the bootstrapping phase

(B-Phase), which is the initial time period after network deployment. The second is the

normal communication phase (C-Phase) during which nodes communicate normal packets

to fulfill kinds of applications.

In each phase a two-step authentication is enforced. The first step is the ID-based

authentication, in which every node decides to accept or reject a packet by checking

the packet ID field according to LBN. The second step is the key-based authentication,

in which the two communicating nodes verify the IDs of each other by the shared key

between them. The underlying techniques we use here are something inherent and

something known [5]. Something inherent means an entity is authenticated by its inherent

characteristic, which is the location-based node ID in our scheme. Something known

means an entity is authenticated by the secrets it knows, which are shared keys in our

scheme.

5.3.1 Establishing Shared Keys

Any distributed key agreement model discussed in C'! lpter 2 can be used to establish

keys in WSNs, and they all require the exchange of node IDs as the inputs to the key

agreement model. For simplicity, we assume t-degree bivariate polynomials to establish

shared keys between neighboring nodes, i.e.,
t t
YjO xiy (51)
i=0 j=0









over a finite field Fq.

We use the method proposed in [36] to predistribute polynomials so that two nodes

in the same cell and neighboring cells hold shares of the same set of polynomial(s)2 Each

cell is associated with a unique t-degree bivariate polynomial, and the nodes destined

to the cell are preloaded with shares of the corresponding polynomial. Besides, the

polynomial is also assigned to the horizontal and the vertical neighboring cells. For

example, in Fig. 5-1, the polynomial of cell (i,j) is also assigned to cells (i,j 1),

(i,j + 1), (i 1,j), and (i + 1,j). Thus a node in cell (i,j) may establish shared keys
with nodes in it cells and all neighboring cells. We refer readers to [36] for more technical

details.

After the polynomials distribution, every pair of nodes has a shared polynomials set

P, which is used to derive polynomial shares for the pair of nodes. The set P is decided by

the cell indices of the two nodes. For two nodes in the same cell or neighboring cells, P is

non-empty, but for two nodes from two distant cells, P is empty. It is different from [36] in

that [36] requires every node to keep the coordinates of its cell while our scheme does not

because the location information is in the node ID field. So a node may know instantly

whether it has the shares of the same set of polynomials as another node only from its

node ID.

5.3.2 B-Phase Authentication

After deployment, the network is in the bootstrapping phase. In this phase, a

trustiness should be set up between nodes so that other high li.-r protocols may begin to

work on this trustworthy infrastructure. This is achieved by B-phase authentication.



2 We have developed a more efficient scheme in [45, 46] using hexagon and triangle cells.
It can also be used in LBN design if we choose to use hexagon or triangle cells in place of
square cells.









At very begin, every node broadcasts its node ID, i.e.,


v : < v > ,


to inform its neighbors its existence. In the schemes [36-38, 45, 46, 48], every node needs

to broadcast both its cell coordinates and its node ID to its neighbors. However, our

scheme is more efficient because the node ID has already included the corresponding

location information.

When node u hears node v, it first checks the cell index field in v's node ID. In LBN

mechanism, the cell index should be the same as that of u or the one of the neighboring

cell indices which may be easily verified because all cell indices are orderly sorted. If it is

not the case, the received ID v may be a spoofed value from a malicious node, and node u

just ignores node v's packets.

If the received ID v is acceptable, node u knows immediately the shared polynomials

set P with node v. Because node u and node v have shares derived from the polynomials

in P, node u may further verify node v through a challenge-response method. Node u

randomly selects a polynomial f(x, y), which has a unique index pf3 from P and uses

the corresponding share f(u, y) to calculate a shared key K, = f(u, v) with node v.

The shared key K,, is unique when all node IDs are distinct. This property is critical

for authentication. Then node u picks a nonce n,, which is a random number, and sends

to node v a challenge packet including the ID u, index of the polynomial f(x, y), and

encrypted n, by f(u, v), i.e.,


U -v : < U,, pf, {nu}K. >,


where {} means encryption operation.



3 Polynomial indices may be preloaded into nodes memory, or may be calculated by a
hash function with cell indices as inputs.









If node v does have the ID it claims, it sure has the shared polynomials set P with

node u. Then node v may use the polynomial index in the received packet to find the

shared key K,, and be able to decrypt the nonce n,,. Next, node v also picks a nonce n,

returns to node u a response packet including the node ID v, nonce n,, and the encrypted

n, by f(u, v), i.e.,

v U U : <, U, u, {n}K., >

After getting the response from v, node u may check the returned value of n,. If it

is the same as that it has sent to node v, then node v is an authenticated node, otherwise

not.

To authenticate itself, node u also decrypts n, and returns it to node v, i.e.,


U -^ v : < u,v, nv > .


Following the three way handshake authentication procedure, every node may set up

trustiness with its neighbors during the bootstrapping phase.

During the B-phase authentication, a shared key is established between neighboring

nodes. This shared key may act as the master key and be used to derive other keys for

different purposes, such as encryption, authentication, etc. Thus, the future communications

between neighboring nodes are secured by the shared key.

5.3.3 C-Phase Authentication

After the bootstrapping phase, normal communications may run between neighboring

nodes to fulfill kinds of applications. During this phase, an adversary may inject, modify,

or spoof packets to raise havoc among the network. To guarantee normal operation of the

network, every packet should be authenticated so that the sink node knows it is talking

with the authenticated source node.

A normal way to achieve packet authentication and integrity is to use message

authentication code (\!AC). MAC is a digest calculated by a one-way and collision-resistant

hash function with messages and some secrets as inputs. An example is HMAC [59]. Every









node may check whether a received packet is tampered by recalculating the MAC and

comparing it with that in the packet.

When a node v needs to send a packet to node u, it constructs the packet like,


v u : < v, u, n, m, H(v || u I| n, I m II K.,) > ,


where n, is a nonce, m is the message, H() is a hash function, I| is the concatenation

operator, and K,, is a shared key between u and v. To protect the master key established

in the bootstrapping phase, it is better to use a derived authentication key here. For

example, we may calculate an authentication key as H(Ku,OI1) and an encryption key as

H(KUV, 0). Here the message m may be in plaintext if only authentication is needed or be

encrypted if both authentication and encryption are desired.

When node u receives the packet from node v, it first checks the cell index field in v's

ID according to LBN. If the ID v is not acceptable, node u simply drops the packet, thus

it does not need to check the MAC field. Moreover, node u may check the cell index field

just after extracting node v's ID from the packet and stop receiving the remaining part of

the packet to save energy if node v's ID is not acceptable, because packet transmission and

reception are the most energy-costly radio operations in sensor nodes. Only if the ID v is

acceptable, node u proceeds to verify the MAC field in the packet and authenticate the

packet.

TinySec [56] defines link l-~ -r packet formats including Auth packet format, in which

only authentication is provided, and AE packet format, in which both authentication and

encryption are provided. It is similar to our scheme, however, it does not address how to

establish authentication and encryption keys. It is obvious that we can combine TinySec

with our scheme to provide a complete solution for link l1.- r security in sensor networks.

5.4 Secure Sensor Networks

By using link liv r encryption, we may prevent eavesdropping attacks. However,

an intelligent adversary may launch many active attacks by utilizing the defects in the









network protocols which are not designed carefully to involve security defenses at the

beginning. Karlof and Wagner [33] classified a series of attacks to sensor networks, which

may cause the rapid deterioration of network performance. Most of the attacks try to

cause topological distortion by spoofing or replaying routing information. However, as we

will show in this section, our LBN has inherent resistance to these topological attacks,

because the location information in node IDs reflects topology of the network. Any attack

that causes serious topological distortions can be detected by our LBN and LLA. In this

section, we discuss many typical attacks as examples.

5.4.1 The Sybil Attack

In the Sybil attack [60], a malicious node illegitimately takes on multiple identities,

which may be fabricated IDs or impersonated IDs. The Sybil attack may pose a serious

threat to routing protocols, data .,-. -regation, voting, fair resource allocation, misbehavior

detection, etc [33, 60]. Several potential defense methods are proposed in [60], including

radio resource -. -1 i.- verification of key sets for random key predistribution, registration,

position verification and code attestation. However, those methods rely on either strict

physical assumptions or cooperation between a bunch of nodes.

In our scheme, every node ID should appear only in a small area of the network

due to the LBN mechanism. If the malicious node claims an ID belonging to distant

cells, it may be easily found out by its neighbors and then be precluded. The only IDs

the malicious node can claim are those in its cell and neighboring cells. Even that, the

malicious node can not pass the link li.-r authentication because it does not have the

corresponding polynomial shares belonging to the node whose ID is claimed by the

malicious node. So the Sybil attack can not get success in our scheme.

5.4.2 Identity Replication Attacks

In the identity replication attack [60], an adversary may put many replicas of a

captured node at many places in the network to incur inconsistency. Like the Sybil

attack, the identity replication attack may lead to the failure of many network functions.









Conventional defenses include centralized computing based on location or number of

simultaneous connections [60], which is communication intensive and lacks of scalability.

In our scheme, the adversary can not put the replicas of the captured node at places

other than its vicinity because the presence of a node ID should be localized due to the

LBN mechanism. The adversary can only put those replicas in a small area where the

captured node originally resides. However, convergence of the replicas of the same node

ID in a small area may be easily detected by surrounding normal nodes. So, the identity

replication attack finds no place in our scheme.

5.4.3 Wormhole Attacks

In the Wormhole attack [61], two malicious nodes collude to tunnel packets from

one place to another distant place in the network. This attack may distort the network

topology by making two distant nodes believe they are neighbors, thus become a serious

attack to routing protocols. Hu et al. proposed to use packet leashes [61] to limit

the maximum range over which packets can be tunneled by the two colluding nodes.

Directional antennas [62] are also used to defend against the Wormhole attack. However,

these defenses are targeted to the Wormhole attack in ad hoc networks, and require

expensive hardware devices, which are infeasible for most resource constrained sensor

networks. Wang and Bhargava [63] proposed to use centralized computing to defend

against the Wormhole attack in sensor networks, in which a controller collects all nodes'

location information to reconstruct the network topology such that any topological

distortion may be visualized. However, this approach causes much communication

overhead and is not realistic if malicious nodes move around in the entire network because

each location change will trigger a new round of execution of the topology reconstruction

algorithm.

By using LBN, a node may check the cell index fields in the received packets and

simply drop those packets coming from a distant place. So the impact of the Wormhole

attack is limited in neighboring cells automatically. Though the two colluding nodes









may tunnel packets in a small area, in this case they can not cause severe network scale

topological distortions and may even be helpful to facilitate local communications. So, the

Wormhole attack may be defeated in our scheme.

5.4.4 Sinkhole Attacks

In the sinkhole attack [33], a malicious node tries to lure nearly all the traffic

from a particular area, creating a metaphorical sinkhole with the malicious node at the

center. This kind of attack typically works by making the malicious node look especially

attractive to surrounding nodes by claiming a lower routing cost to the base station in

the sensor network. If geographical routing protocols are used, every route is found based

on geographical information, which can be extracted from node IDs. In this case, the

malicious node can not cheat other nodes because other nodes may easily find whether

the malicious node is on the route to the base station based on the ID of the malicious

node. If different routing criteria such as reliability are used, it is rather difficult to detect

the sinkhole attack. However, the node ID may still provide some information about the

location of the malicious node, thus if the source node finds the location of the malicious

node is far away from the direction of the base station, it means a potential threat and

some methods may be used to verify the routing information.

5.4.5 HELLO Flood Attacks

In the HELLO flood attack [33], a malicious node may broadcast HELLO packets

with large enough transmission power to convince most nodes in the network that the

malicious node is their neighbor, thus lead the network into the state of confusion. This

attack may be defeated because it is easy to check whether a HELLO packet is acceptable

from its ID field in our scheme.

5.4.6 The Acknowledgement Spoofing Attack

In the acknowledgement spoofing attack [33], a malicious node may spoof link l-- r

acknowledgments for the packets destined to a neighboring node which is dead or the

packets lost due to the bad channel reliability, thus make the source node form a wrong









routing decision based on the belief that the dead destination node is alive or the channel

is reliable. In our scheme, it is easy to detect the attack by LLA because the malicious

node does not have corresponding link l-~.-r keys.

5.4.7 The Node-compromise Attack

In our link liv. r authentication scheme, predistributed polynomials are used to

establish shared keys between nodes. It is under the threat of the node-compromise

attack, in which a small number of compromised nodes may expose a large amount of

secrets in the network. It has been proved in [7, 8] that a t-degree bivariate polynomial

is t-collusion resistant, meaning that the collusion of no more than t nodes can not

expose the polynomial. However if one t-degree bivariate polynomial is used by more

than t nodes, an adversary may compromise more than t nodes holding shares of a same

polynomial to reconstruct it, and then use the reconstructed polynomial to derive shared

keys between non-compromised nodes that hold shares of the same polynomial. We

have proposed efficient schemes [45, 46, 48, 49] that achieve the perfect resilience to the

node-compromise attack. The details have been discussed in previous chapters.

5.4.8 The Memory Exhaustion Attack

The B-phase authentication in our scheme is not stateless, because every node needs

to keep the nonce in its memory so that it can verify the returned nonce value from its

neighbor. For each authentication request, a nonce should be generated. A malicious node

may launch the memory exhaustion attack by sending authentication requests at very

high frequency to neighbors, thus cause its neighbors unusable by exhausting memory

resources of the neighbors. However, it is also easy to detect frequent authentication

requests from a malicious node. To defend against this kind of attack, normal nodes just

need to drop those authentication requests if the frequency of request is too high. Some

countermeasures can also be t i-_-, to punish the malicious node.









5.5 Discussion

To the best of our knowledge, there has been no research on the additional value

of node identifier. Though many schemes [36-38, 45, 46, 48] use node identifiers in

key establishment, they simply use the identification function. Our scheme is the first

investigation that tries to dig out more application values of node identifier. We have

shown that by embedding location information into node identifiers our LBN has intrinsic

immunity from many attacks against network topology. Besides security value, we believe

our LBN can still be used in other applications in sensor networks.

Our LLA scheme incorporates LBN as the first step authentication method, and uses

shared key to further verify node identity. In LLA, predistributed polynomials are used to

achieve key agreement to provide authentication service. However, other shared-key-based

authentication schemes can also work well with LBN in the second authentication step,

as long as they guarantee neighboring nodes can establish a unique shared key. Similar

schemes are SPINS [6], LEAP [64]. The building block SNEP in SPINS [6] can provide

neighbor authentication by a shared key. However, two neighboring nodes rely on the

base station to negotiate a shared key, which is not efficient in terms of communication

overhead. In LEAP [64], a global key is used to derive shared keys to achieve neighbor

authentication, where the underlying assumption is that adversaries can not compromise

any node during network bootstrap phase, thus the global key can be safe. However, our

scheme does not rely on this assumption and is resilient to node compromise attacks.

Zhang et al. [65] proposed to use location-based keys to secure sensor networks. Their

scheme is based on public key cryptography, while our scheme is based on symmetric

key cryptography. Besides, in their scheme each location-based key is tight to a precise

location in the network and the location information should be obtained by mobile robots.

When a node moves, its location-based key associated with its previous location is invalid.

Hence, their scheme is only applicable in stationary sensor networks, where sensor nodes

do not move after deployment. Our scheme only uses course-gained a-priori deployment









knowledge and does not need any positioning devices. Though our scheme is targeted to

stationary sensor networks, low mobility can also be supported as long as nodes only move

in their vicinity.

5.6 Conclusion

In this paper, we have introduced the naming problem for sensor networks in the

literature for the first time. We believe that more benefits can be achieved by endowing

node ID more meaningful information. A location-based naming mechanism LBN

has been proposed to fulfill our idea. By using LBN, the impacts of many attacks to

topology in sensor networks can be limited in a small area. We also proposed a link

lw -r authentication scheme LLA, which incorporates LBN, to provide a neighborhood

authentication service. It has been shown that our LBN and LLA can be an efficient

defense against a wide range of attacks in sensor networks.

We have investigated the security value of our location-based naming mechanism.

However we believe it may also find other applications in sensor networks, such as

geographic routing, target tracking, environment surveillance, etc, especially those

applications in which security is desired. We will develop more efficient solutions in those

applications based on our new idea in our future work.









CHAPTER 6
ACCESS CONTROL IN WIRELESS SENSOR NETWORKS

6.1 Introduction

A WSN usually consists of a large number of sensor nodes. In order to save

manufacturing cost, a sensor node is usually built as a small device, which has limited

memory, a low-end processor, and is powered by a battery [6]. The constrained resources

result in limited computation and communication capabilities. After several weeks or

months of operation, some nodes in the network may exhaust their power because of the

uneven distribution of traffic load. Applications may fail due to the loss of some critical

sensor nodes and become useless. Though power saving technology in the design of both

hardware and software may extend the lifetime of a sensor network, new node deployment

is still necessary in many cases.

Besides the natural loss of sensor nodes, a sensor network is also susceptible to

malicious attacks in unattended and hostile environments. Some sensor nodes may

be destroyed by adversaries. If the number of attacked sensor nodes exceeds a certain

threshold, the entire network may become useless. Hence, new sensor nodes need to be

deploy, ,1 to maintain the normal operation of the sensor network if necessary.

In military scenarios, however, a sensor network is usually lack of careful surveillance

after deployment. Hence an adversary can also deploy malicious nodes into the network.

These malicious nodes may easily eavesdrop messages transmitted over the air between

nodes or insert false reports into the network [6].

In addition, an intelligent attacker may launch tricky attacks from the inside of

the sensor network by manipulating existing sensor nodes. A sensor node may be

compromised due to the lack of tamper resistance [34] so that all the secrets in it are

exposed to the adversary. Then the adversary may use the compromised node to launch

other more serious attacks. For example, in the Sybil attack [60], a malicious node, which

may be a compromised one, impersonates other normal nodes or new nodes. Another









example is the node replication attack [66], where an adversary compromises a node and

deploys many copies of the node into the sensor network. The adversary can also launch

the Wormhole attack [61-63], in which packets are tunneled between two distant places

in the sensor network, thus introducing false nodes in the neighborhood of normal nodes.

These attacks may cause fatal havoc [33, 35] in the sensor network.

Recently, many schemes [6, 13, 15, 17, 18, 56] were proposed to protect sensor

networks. They may prevent external attackers from eavesdropping messages or inserting

false reports. However, they can hardly defend against internal attacks such as the Sybil

attack, the node replication attack and the Wormhole attack. Though several techniques

[60-63, 66] were proposed to counteract the internal attacks, each of them is only targeted

to one specific attack by using different approaches and hardware assumptions. It is

very difficult to integrate those techniques into a uniform hardware platform. Even if

the integration is possible, it may cost a lot of resources and deviate from the low cost

consideration.

In this chapter, we analyze the internal attacks including the Sybil attack, the node

replication attack and the Wormhole attack. We observe that the common trick under

these attacks is that they manipulate existing nodes to introduce malicious i 1.--" nodes,

which are indistinguishable from legitimate new nodes under current sensor network

security technology. Those introduced i, i.-" nodes could be accepted by other normal

nodes as legitimate ones. Based on this observation, we design an access control protocol

[67] for sensor networks to prevent malicious nodes, no matter whether they are directly

deploy, -1 by adversaries or introduced i.--" ones, from participating in sensor networks.

A new node should prove that it not only has correct identity but also is truly new to

be admitted into the sensor network. Besides the node identity which is widely used in

authentication, we introduce the node bootstrapping time, which is the time when the

new node bootstraps itself to join the sensor network, into the authentication procedure

to differentiate malicious i, ,." nodes, which are actually old nodes, from legitimate new









nodes. Unlike the conventional approaches in [60-63, 66] that attempt to detect malicious

nodes after they join sensor networks, our access control protocol can prevent malicious

nodes from joining sensor networks at the very beginning. Moreover, key establishment

is also included in our access control protocol to help the new node establish shared keys

with its neighbors so that it can perform secure communications with them.

The rest of this chapter is organized as follows. We analyze most typical attacks in

Section 6.2 and show why access control is necessary for sensor networks in Section 6.3.

The details of our access control protocol are described in Section 6.4. Some security

analysis and performance evaluations are carried out in Section 6.5 and Section 6.6. We

finally conclude the chapter in Section 6.7.

6.2 Review of Attacks

Sensor networks have high values in military applications, in which they are often

deploy, .1 in hostile environments to perform various kinds of military tasks. Usually,

sensor networks are lack of careful surveillance after deployment. Hence, adversaries have

opportunities to deploy malicious nodes, or launch tricky attacks from the inside of a

sensor network by manipulating existing sensor nodes.

6.2.1 Malicious Nodes Deployment

An attacker can directly deploy malicious nodes into the network. In Fig. 6-1 (a),

for example, a malicious node B is deploy, .1 in the vicinity of existing node A. Node

B may easily eavesdrop messages sent out or received by node A. If node B knows the

communication protocols in the sensor network, it may even inject false reports to disrupt

the network functionalities [6, 33, 35]. Some security measures may be enforced to thwart

this kind of attack, but if the adversary has the capability of breaking into the security

infrastructure, he/she can still deploy as many malicious nodes as possible.

6.2.2 The Sybil Attack

The Sybil attack was first studied in the context of peer-to-peer networks [69].

Then it was found to be a serious threat to sensor networks [60]. In the Sybil attack, a









malicious node illegitimately takes on multiple identities. The impersonated identities

may belong to existing nodes or non-existing nodes. The malicious node may be deploy, 1

directly by adversaries or just a compromised one. In Fig. 6-1 (b), for example, a node

B is compromised by an adversary who then makes node B impersonate other identities,

e.g., node C. From the point of the view of node A, it is just like a new node C coming

out in its vicinity. It has been shown that the Sybil attack may pose a serious threat to

distributed storage (redundant information destined to several nodes may finally be stored

in one malicious node), routing protocols (multipath routing, geographic routing) [33],

and so on. In addition, it may also cause devastating consequences to other applications

such as data ...:regation, voting, fair resource allocation, and misbehavior detection [60].

Several potential defense methods were proposed in [60], including radio resource testing,

verification of key sets for random key predistribution, registration, position verification,

and code attestation. Those methods rely on either strict hardware assumptions or

complicated cooperation between a bunch of nodes.

6.2.3 The Node Replication Attack

In the node replication attack [66], an adversary intentionally puts many replicas

of a compromised node at many places in the network to incur inconsistency. In Fig.

6-1 (c), for example, node B is compromised and one of its copies is deploy, in the

vicinity of node A so that node A may take node B as its new neighbor. Like the Sybil

attack, the node replication attack can also render adversaries the abilities to subvert

data ... regation, misbehavior detection and voting protocols by injecting false data

or suppressing legitimate data [66]. The conventional methods to defend against the

node replication attack usually include centralized computing based on node locations

or number of simultaneous connections, which is vulnerable to the single-point failure.

Distributed detection of the node replication attack was proposed in [66], where the

location of a suspect node is verified by randomly selected witness nodes.









6.2.4 The Wormhole Attack

In the Wormhole attack [61], an adversary tunnels packets between two distant places

in the sensor network. In Fig. 6-1 (d), for example, the adversary deploys two special

devices into the vicinities of node A and node B, respectively. These two devices share

a secret broadband channel, which is invisible to sensor nodes. Then these devices may

record packets sent out by one node, tunnel those packets through the secret broadband

channel to the other end, and replay those packets in the vicinity of the other node. The

consequence is that node A may find a new node B coming out in its neighborhood, and

vice versa. This attack may distort the network topology by making two distant nodes

believe they are neighbors, thus becoming a serious attack to routing protocols [61].

6.3 Access Control

6.3.1 Necessity

New node deployment is inevitable when applications in the sensor network become

instable because of the loss of sensor nodes. The cooperative characteristic of sensor

network applications requires mutual trust among sensor nodes. A deploy, l1 new node,

however, may not be a legitimate one as is shown in Section 6.2. It may be a malicious

node directly deploy, 1 by adversaries, or an introduced i.--" node due to the Sybil

attack, the node replication attack or the Wormhole attack. The underlying trick of the

Sybil attack, the node replication attack and the Wormhole attack is that those malicious

i-, .-" nodes are indistinguishable from legitimate new nodes under current sensor network

security technology, hence those malicious i '.--" nodes will be accepted by other normal

nodes as legitimate ones.

To prevent malicious nodes from joining sensor networks, access control should

be enforced to control sensor node deployment. A sensor node should prove that it

is a legitimate one when deploy-, 1 into the sensor network. Usually, an access control

mechanism should accomplish two tasks:












AO
o A



S0 C



O C


(b)


BO
A


U'-


Figure 6-1. Attacks.


1. Node authentication : Through authentication a deploi-, 1 node proves its identity
(ID) to its neighboring nodes and proves that it has the right to access the sensor
network;

2. Key establishment : Shared keys should be established between a deploy, ,1 node and
its neighboring nodes to protect communications.

6.3.2 The State of the Art

A lot of solutions [6, 13, 15, 17, 18, 68] were proposed in the literature to protect

sensor networks. However, they can hardly address the access control problem in sensor

networks. SPINS [6] and TinySec [56] are vulnerable to the node compromise attack,









where an adversary can simply compromise one node and then use its key to generate and

deploy as many malicious nodes as possible. Randomly predistributed symmetric keys

schemes [13, 15] were proposed to achieve key agreements between neighboring sensor

nodes, but they can not provide the authentication service because of the reuse of the

same keys among many sensor nodes. By compromising a few sensor nodes, an adversary

can get a lot of keys and whereby to manufacture and deploy many malicious nodes.

ID-based symmetric keys schemes [17, 18] involve node IDs into key agreements. They

could provide the authentication service, where a node's identity could be challenged based

on the keys it holds. Those schemes, however, are based on threshold-based symmetric

key techniques, where the security threshold is directly determined by the node memory

resource. Due to the contradiction between the large number of sensor nodes in a network

and the constrained memory resource, they usually can not provide full security. If the

number of compromised nodes exceeds a threshold, an adversary can destroy the security

infrastructure and deploy as many malicious nodes as possible.

With the development of hardware capability, public key techniques become a possible

and promising approach to secure sensor networks because of its flexible key management

and scalability. Very recently, Watro et al. [68] proposed TinyPK protocol, where RSA [3]

certificates are used to authenticate external parties to sensor networks and Diffie-Hellman

[2] key exchanges are used to achieve key agreements between external parties and sensor

nodes. Compared with symmetric key techniques, TinyPK is more resilient to the node

compromise attack. TinyPK could be used in the access control during node deployment.

It may prevent adversaries from deploying malicious nodes, and detect the Sybil attack,

but it can not detect the node replication attack and the Wormhole attack, because the

, iv-" nodes introduced by these two attacks have legitimate certificates.









6.4 Our Protocol


6.4.1 Outline

A preloaded public key certificate which includes ID information or an ID-based

symmetric key can be used to prove the identity of a new node. When the new node is

deploy,, 1 into the sensor network, its neighbors may verify the certificate or challenge the

ID-based symmetric key to check whether the new node has a legitimate identity. By

using this ID authentication, adversaries are prevented from directly deploying malicious

nodes because they do not have corresponding certificates or ID-based symmetric keys.

However, the ID authentication is not enough to protect the sensor network, as is shown

in Section 6.3. In the Sybil attack, the node replication attack and the Wormhole attack,

an adversary in fact could manipulate existing nodes to introduce malicious i ,.-" nodes.

Those old nodes have preloaded certificates or ID-based symmetric keys, so the i "

nodes also have legitimate identities. Hence, we need to differentiate those old nodes from

new nodes to further protect the sensor network.

A solution to solve the problem is to involve a timestamp into the authentication

procedure. It is a common solution to solving the freshness problems in our real lives. For

example, the tickets we buy for movies or football games carry timestamps which show

when the tickets are valid. The similar idea can also be applied to the design of our access

control protocol for sensor networks.

After a sensor node is deploy, ,1 into a sensor network, it will bootstrap itself at

a preset time to join the sensor network. The difference between an old node and

a new node is that they have different bootstrapping times. Hence, we may use the

bootstrapping time as the timestamp into our access control protocol.

Our access control protocol uses a preloaded certificate which includes both ID

information and bootstrapping time to authenticate the identity of a new node. The

certificate is generated by a certification authority (CA), e.g., the administrator of the

sensor network. In the certificate the node ID information and its bootstrapping time









are signed by CA's private key to protect their integrities, so that adversaries can not

falsify the ID and the bootstrapping time. When the new node is deploy, ,1 into the

sensor network, it can show its certificate to its neighbors. The neighbors can verify the

ID and the bootstrapping time with the CA's public key. A new node can be accepted

into the sensor network only if it has a correct identity and its bootstrapping time is

within a tolerance period of current time. Through the authentication of both ID and

bootstrapping time, our access control protocol can prevent malicious nodes from joining

the sensor network because they do not have correct IDs or bootstrapping times.

The Diffie-Hellman algorithm is used to establish shared keys between the new node

with its neighbors. Hence each node is preloaded with a (private key, public key) pair.

After a new node passes the authentication procedure, it exchanges its public key with

those of its neighbors. Then the new node can establish shared keys with its neighbors

according to the Diffie-Hellman algorithm. To prevent nodes from falsifying public

keys, the public key of each sensor node is also signed by the CA and included into its

certificate.

6.4.2 Assumptions

6.4.2.1 Network model

We assume that sensor nodes are stationary so that if a node finds a new node in its

neighborhood, the new node must be either a newly deploy, ,1 node or a node introduced

by adversaries. All sensor nodes have the same transmission range and communicate

with each other via bi-directional wireless links. Each node has a unique, integer-valued,

non-zero ID.

We assume that all sensor nodes are loosely synchronized. Each sensor node has a

preset bootstrapping time. After being deploy, ,1 into the sensor network, each sensor

node bootstraps itself at its bootstrapping time to join the sensor network. Two sensor

nodes may have the same bootstrapping time if they are deploi-y l simultaneously. A

possible collision at the MAC lI- r may occur if the two nodes bootstrap themselves









simultaneously. However, we assume that the MAC-1 ir protocol has collision resolution

mechanisms to solve the problem [65]. Hence, each node can finish bootstrapping within a

tolerance time interval after its bootstrapping time.

6.4.2.2 Adversary model

Due to the broadcast characteristic of radio communications, adversaries may

easily eavesdrop any message, either a ciphertext or a plaintext, transmitted over the

air. Adversaries can not decrypt any ciphertext if they do not have the corresponding

decryption key. Otherwise, a stronger cryptographic primitive should be used to increase

the security.

For the cost consideration, it is not economical to equip every sensor node with

tamper resistant devices. Adversaries may easily compromise a sensor node and extract

all the secrets stored in its memory. Even if tamper resistant devices are available, they

are still not able to guarantee perfect security of secrets [34]. Hence, node compromise is

usually unavoidable in wireless sensor networks. Compromising, however, is not a trivial

job. We assume that each sensor node can sustain a tolerance time interval before it is

compromised, which is also assumed by previous work [34, 64].

6.4.3 Cryptographic Primitive

Compared with symmetric key cryptography, public key cryptography is more

expensive in terms of computational complexity. Hence most of sensor network security

proposals are based on symmetric key cryptography [6, 13, 15, 17, 18, 36]. However, with

the fast development of hardware performance, public key cryptography becomes possible

on low-end devices [68, 70].

Elliptic curve cryptography (ECC) [71, 72] and RSA [3] are mature public-key

techniques that have been researched by the academic community for many years.

Compared to RSA, ECC is seen to be the standard for the next generation cryptographic

technology. The fundamental operation underlying RSA is the modular exponentiation in

integer rings. Its security stems from the difficulty of factorizing large integers. Currently









there only exist sub-exponential algorithms to solve the integer factorization problem1

ECC operates on groups of points over elliptic curves and derives its security from the

hardness of the elliptic curve discrete logarithm problem (ECDLP)2 [71, 72]. The best

algorithms known for solving ECDLP are exponential. Hence, ECDLP is harder than

RSA given the same length of keys. In other words, ECC can achieve the same level of

security with smaller key sizes. It has been shown that 160-bit ECC provides comparable

security to 1024-bit RSA and 224-bit ECC provides comparable security to 2048-bit

RSA [73]. Under the same security level, smaller key sizes of ECC offer merits of faster

computational efficiency, as well as memory, energy and bandwidth savings, thus ECC is

better suited for the resource constrained devices.

Due to the merits of ECC, our access control protocol uses 160-bit ECC as the

underlying cryptographic infrastructure. Particularly, the signature operation in our

protocol is based on the elliptic curve digital signature algorithm (ECDSA) [73], and the

shared key is established according to the Diffie-Hellman algorithm over ECDLP.

6.4.4 Predeployment Phase

6.4.4.1 Network parameters
Before a sensor network is deploy, -1 the CA chooses a set of system parameters
including:

1. a finite field Fq, where q is a large odd prime of at least 160 bits;

2. an elliptic curve E over Fq (denoted by E(Fq) hereafter);

3. a cyclic group G =< G > of points over the elliptic curve E(Fq), where G is the
generator of the group and has an order n of at least 160 bits, with n > 4 v;

4. the CA's private key K E Z* {1,2 2,..., n 1};



1 Given a positive integer n = pq where p and q are large pairwise distinct primes, find p
and q.
2 Given a generator G of a finite cyclic point group G over an elliptic curve E(Fq) and
another point Q in the group, find an element x E IF such that xG = Q.









5. the CA's public key Q = KG e G.

The CA never shares its private key with .invone else. Since ECDLP is a hard

problem [71, 72], no one can derive the CA's private key K from the pair < G, Q >. In

addition, the CA does not get involved in the network operation, so adversaries have no

opportunity to directly attack the CA to get K.

6.4.4.2 Sensor parameters
For each sensor node, -i Ni, the CA preloads it with a set of node parameters
including:

1. the elliptic curve E(Fq);

2. the cyclic group G over E(Fq);

3. the CA's public key Q;

4. the bootstrapping time Ti when node Ni bootstraps itself to join the sensor network;

5. the length of bootstrapping phase Li during which the node is allowed to join the
sensor network;

6. Ni's private key si E Z*;

7. Ni's public key Pi sG = (xpi, ypi) E G, where xpi, ypi E Fq;

8. the signature < Ci, ci > for node Ni, where Ci E G and c E Z ;

9. a hash function H : {0, 1}* -- Z, which translates a binary sequence into an integer
in Z.

The signature is calculated according to ECDSA. The CA first chooses a random

number ki E Z* and then calculates


Ci = kiG = (xyi,yci) (6-1)

ci ki-'(H(Ni || T | LI || Pi) + Kxi) (mod n) (6-2)

where I| is the concatenation operator.









6.4.5 Node Deployment

At the very beginning, a network of sensor nodes, v hundreds or thousands of

nodes, is deploi-y 1 in a designated area. At a preset time, these sensor nodes bootstrap

themselves and then start to establish communications. During the network operation

phase, if some sensor nodes are lost due to the natural power exhaustion or malicious

attacks, new sensor nodes need to be deploy, l1 These new sensor nodes all have a preset

bootstrapping time different from that of the previously deploy, ,1 nodes. Hence, without

loss of generality, we assume that sensor nodes are deploi-y 1 in groups, where sensor nodes

in one group have the same bootstrapping time and the length of bootstrapping phase but

these values for different groups may be different.

6.4.6 Node Authentication

After being deploy, ,1 into the sensor network, every new node should broadcast a

message to inform its neighbors of its existence. For example, a new node Ni bootstraps

itself at time Ti and broadcasts a message:


AN : (, T, L, P C, (6-3)


Then handshakes between the new node and its neighbors can be performed for

authentication. Because the neighbors of the new node may include both new nodes and

old nodes, the handshakes can be divided into two cases: the handshake between new

nodes (Fig. 6-2) and the handshake between a new node and an old node (Fig. 6-3).

6.4.6.1 Handshake between new nodes

If node Ni also hears a broadcasted message from another new node Nj, it verifies

whether Nj is a legitimate new node by doing the following.

Node Ni first compares Nj's bootstrapping time Tj with its own bootstrapping time

Ti. If Tj > Ti, then node Tj might be a new node. Actually Tj = Ti if Ni and Nj are both

new nodes. The reason of using ">" here is to maintain the software compatibility so that

this procedure can also be used by an old node to authenticate a new node (refer to Fig.









6-3). Node Ni proceeds to verify whether node Nj is a new node by comparing Tj with

its current time t. If Tj is out of date (ITj tl > Lj), node Ni simply drops the received

message. If Tj is within a tolerance time interval (|Tj t| < Lj), node Ni continues to

verify Nj's identity by ECDSA. Specifically, node Ni computes

ul = H(Nj | Tj II Lj Pj) (6-4)

U2 = cj- 1 (mod n) (6-5)

,. = j- lcj (mod n) (6-6)

V = 2G + (6-7)

If V = Cj, node Ni can make sure that node Nj is a legitimate new node. This is because

if the signature is valid, the verification equation holds:


V = u2G + u3Q

= C-luG + cy-lxciQ

Scj-(H(N ||II Tj II Lj II|| P) + Kxci)G

SkjG

SC (6-8)

After node Ni verifies the identity of node Nj, it calculates a shared key with its

private key and Nj's public key, i.e.,


Kij = siPj = SisjG. (6-9)

Following the same procedure, node Nj can verify the identity of node Ni after it

hears the broadcasted message from node Ni and calculate a shared key as


Ki = sPi = SisjG (6-10)









N, *, N,, T,, L, P,, C,, c, Nj
if Tj >= T, 4 if T, >= Tj
if ITj tl > Lj, reject Nj; *, Nj, Tj, Lj, Pj, Cj, cj if IT, tl > L,, reject N,;
else { calculate verifier V; else { calculate verifier V;
if V= Cj { if V= C, {
accept Nj; accept N,;
calculate Kj = s,Pj;} calculate K, = sP, ;}
else reject Nj; } Nj, N,, { n, }Ki else reject N,; }

N,, Nj, n,, { nj }KI

Nj, N,, n,


Figure 6-2. Handshake between two new nodes.


Node Ni and node Nj can make sure that each other does have the shared key by

following the challenge-response procedure. Node Ni just selects a nonce ni, encrypts it

and sends it to node Nj. If node Nj has the shared key, it can decrypt the nonce ni. Then

node Nj sends back a message including the nonce ni and an encrypted nonce nj chosen

by itself to node Ni. Node Ni can also decrypt the nonce nj and return it to node Nj. The

handshake between node Ni and node Nj is depicted in Fig. 6-2.

6.4.6.2 Handshake between a new node and an old node

When an old node Nj hears the broadcasted message from the new node Ni, it also

checks the validity of Ni's bootstrapping time and then verifies Ni's identity (Fig. 6-3).

After that, node Nj calculates a shared key with its private key and Ni's public key,

selects a nonce nj, encrypts the nonce with the shared key, and replies with the message:


Ny Ni : (Ni, Ny, Tj, L, PJ, CJ, c, {nj}K,) (6-11)


Node Ni does not need to check the validity of Nj's bootstrapping time because Nj is

not a new node. Adversaries may attack our access control protocol by utilizing this point.

We will ,in i1v. this in Section 6.5. Node Ni simply verifies Nj's identity by following

ECDSA. Then node Ni can decrypt the nonce nj and return it to Nj to show that it is a










N, *, N,, T,, L,, P,, C,, c, NJ
if T, >= Tj
if IT, t| > L,, reject N,;
else { calculate verifier V;
if V = C, {
accept N,;
calculate K, = sP,; }
N,, Nj, Tj, LJ, Pj, Cj, c { n, }Ki else reject N,; }


calculate verifier V;
if V = C, {
accept Nj;
calculate K,j = s,Pj;}
else reject Nj;


Nj, N,, nj, { n, }K,

N,, Nj, n,


Figure 6-3. Handshake between a new node and an old node.


legitimate new node. Node Ni also challenges node Nj by sending an encrypted nonce ni

and requiring Nj to return it. The whole handshake is depicted in Fig. 6-3.

6.4.7 Key Establishment

During the node authentication procedure, the new node Ni has already established

shared keys with its neighbors, e.g., Nj. They calculate the shared key by following the

Diffie-Hellman algorithm based on ECDLP, i.e.,


Kj = siP, = sisG = sjP, = -Kl (6-12)


Because no efficient algorithm can solve ECDLP within less than exponential time,

we can expect that adversaries can not calculate the private keys si and sj given pairs

(G, siG) and (G, sjG). Hence, the shared key is kept secret even if adversaries eavesdrop

transmitted public keys.

The shared key Kij between node Ni and node Nj can be used to derive different keys

for multiple security services, such as message encryption and message authentication [6].

For example, the shared key can be fed into a function f (a hash function or a pseudo









random function [74]) to generate an encryption key as f(Kyi, 1) and an authentication

key f(Kij, 2).

6.5 Security Analysis

6.5.1 New Node Deployment

By authentication, our access control protocol can prevent adversaries from directly

deploying malicious nodes into sensor networks. Because adversaries do not know the

private key of the CA, he/she can not falsify certificates for malicious nodes.

Our access control protocol can effectively defend against the Sybil attack, the node

replication attack, and the Wormhole attack. As is shown in Section 6.2, the underlying

trick of those attacks is that the adversary could manipulate existing nodes to introduce

malicious i ,.-" nodes into the sensor network. By including the bootstrapping time in

our access control protocol, a new node is only allowed to join the sensor network during

its bootstrapping phase. After that it becomes an old node. Hence, malicious ir. .-" nodes

are prevented from joining the sensor network at the very beginning, because they do

not have the proper bootstrapping time, and they are prevented from falsifying the latest

bootstrapping time which does not match their certificates.

6.5.2 Eavesdropping and False Reports Injection

When a new node passes the authentication procedure, it has already established

shared keys with its neighbors by following the Diffie-Hellman algorithm over ECDLP.

The shared keys can be used to secure communications among sensor nodes. Particularly,

different keys can be derived from the shared keys to provide security services such as

message encryption and message authentication. Hence, adversaries are prevented from

eavesdropping or injecting false reports into the sensor network.

6.5.3 Node Compromise

Usually node compromise can not be prevented in sensor networks, unless future

advances of hardware design and manufacturing could provide stronger tamper resistance

[34]. Our access control can not eliminate the node compromise problem, but it can









prevent adversaries from spreading the impact of node compromise across the entire

network. Two direct results of node compromise, the Sybil attack and the node replication

attack, can be prevented by our access control protocol after the node bootstrapping

phase. Moreover, based on the ECC public key infrastructure, each sensor node does

not know the private keys of other nodes, and each shared key is only known to two

neighboring nodes who established it. Even if an adversary compromises a node, he/she

can only know what the compromised node knows, but not the shared keys between other

non-neighboring nodes. Hence, the impact of node compromise is limited to the vicinity of

the compromised node.

If an adversary could compromise a sensor node during its bootstrapping phase,

he/she might use it to launch other attacks. However, node compromising is not a trivial

task. Usually a sensor node is designed to be able to sustain compromise for a certain

time interval [34]. The node bootstrapping phase, however, is usually very short, and in

practice it is reasonable to expect it to be shorter than the time needed to compromise

the node [64]. Hence we do not need to worry about node compromise during the node

bootstrapping phase.

6.5.4 Attacks to Access Control

Our access control protocol tries to solve the new node deployment problem in

hostile environments. During the handshake between a new node and an old node, the

bootstrapping time of the new node is verified by the old node, but the new node does not

check the bootstrapping time of the old node because the old node has been involved in

the sensor network. An adversary may take this opportunity to trick the new node into

establishing communications with malicious old nodes.

One scenario is that an adversary might introduce a malicious node through the Sybil

attack or the node replication attack into the area where the new node is to be deploy, .1

When the new node is deploy, .1 it might establish communications with the malicious

node. To make the attack successful, however, the adversary has to activate the malicious









node at the same time when the new node bootstraps itself and expects that no other

old nodes exist in that area. Otherwise, the introduced malicious node can be detected

by other old nodes because the malicious node is heard by those old nodes as a new node

but it does not have the correct bootstrapping time. Under this strict condition, the

probability of this attack is rather small.

A similar scenario is that an adversary might launch the Wormhole attack to establish

a tunnel between a new node and another distant old node so that these two nodes

might establish communications through handshakes. To make the attack successful, the

adversary still has to establish the tunnel at the same time when the new node bootstraps

itself and expects that no other old nodes exist around the new node. Otherwise, the old

nodes around the new node can detect the Wormhole because they can find a i, '--" node

in their neighborhoods, which is actually an image of the old node at the other end of the

Wormhole. We can expect that the probability of this attack is also very small under the

strict condition.

Another case is that the adversary just compromises an old node without doing any

tricks to spread its impact. The compromised node stays at its original location and

follows the normal network protocols. If the new node is deploy, -1 into the vicinity of the

compromised node, they could establish communications. This attack is just the node

compromise attack and currently no solutions can solve the problem. Our access control

protocol can not prevent this attack, either, but the impact of the attack is limited to the

vicinity of the compromised node.

6.6 Evaluation

6.6.1 ECC vs. RSA

The length of the bootstrapping phase is critical for the security performance of our

access control protocol. The shorter the bootstrapping phase is, the less opportunities

adversaries have to attack the sensor network. Hence a short bootstrapping phase is

desirable to keep the sensor network safe.









Usually, RSA and Diffie-Hellman over DLP3 can also be used in our access control

protocol. The reason that our protocol uses ECC rather than RSA and Diffie-Hellman

over DLP is because ECC is more efficient for the same security level. In our access

control protocol, the most expensive operation is the point multiplication of the form

kP for k E Z* and P E G. Every sensor node needs to perform only three point

multiplications over an elliptic curve: two for node authentication and one for key

establishment. TinyPK [68] uses RSA to authenticate external parties and Diffie-Hellman

over DLP to establish shared keys between external parties and sensor nodes. It requires

three modular exponentiation operations over integer rings for each sensor node: one

RSA public key operation and one RSA private key operation for node authentication

and one DLP operation for key establishment. It has been shown in [68, 70] that a point

mulitplication needs less computation time than a modular exponentiation unless the

exponent is chosen as some specific value. In TinyPK [68], a public exponent e = 3 is

chosen for computational simplicity, and a 1024-bit RSA modular exponentiation with

e = 3 on MICA1 Motes [31] needs 14.5s. The DLP of 2' is evaluated in [68, 70]. It

shows that a 1024-bit modular exponentiation 2', where x is at least 160 bits, needs

more than 50s on both MICA1 and MICA2 Motes [31]. However, a 163-bit point

multiplication of ECC on MICA2 Motes requires only 34s [70]. If assembly languages

are used in implementation, much more decrease of computing time can be achieved.

Gura et al. [75] evaluated the assembly language implementations of ECC and RSA

on the Atmel ATmegal28 processor [32], which is popular for sensor platform such as

Crossbow MICA Motes. In their implementation, a 160-bit point multiplication of ECC

requires only 0.81s, while 1024-bit RSA public key operation and private key operation

require 0.43s and 10.99s, respectively. Obviously, ECC is more computational efficient,



3 Given a generator g of a finite cyclic group Z* and another element p e Z*, find an
integer x, 0 < x < q 2, such that g = p (mod q).









especially for assembly language implementations, which makes ECC realistic on current

sensor hardware platforms. This means every sensor node can finish bootstrapping in a

very short time interval. With the fast advance of hardware technology, we believe the

bootstrapping phase can be further reduced in future.

In wireless sensor networks, the transmission energy consumption rate could be

over three orders of magnitude greater than the energy consumption rates for computing

[76]. Most of the performance overhead is attributable to the increase in packet size [77].

Compared with a 1024-bit RSA signature, our access control protocol only introduces a

480-bit signature when 160-bit ECC is used. Hence by using ECC instead of RSA our

protocol can achieve much more energy and bandwidth savings.

6.6.2 Comparison with Related Work

Because currently no solutions can prevent node compromise in sensor network,

the best we can do is to limit the impact of node compromise to the vicinity of the

compromised nodes, i.e., prevent adversaries from launching network-scale attacks

based on compromised nodes. Most of symmetric key techniques, including randomly

predistributed keys [13, 15], ID-based keys [17, 18], and location-based keys [36, 37, 45]

try to improve the resilience to node compromise by increasing the least number of

sensor nodes that an adversary needs to compromise to destroy the entire network

security architecture. These schemes can tolerate a certain number of compromised

nodes. TinyPK [68] is more resilient to node compromise because of the use of RSA. It

may prevent adversaries from spreading the impact of node compromise by launching

the Sybil attack, but it can not detect the node replication attack because the copies

of the compromised nodes also have legitimate certificates. By including the node

bootstrapping time into access control procedure, our protocol can effectively prevent

adversaries from manipulating compromised nodes to launch the Sybil attack and the node

replication attack, and the impact of node compromise is thus limited to the vicinity of

the compromised nodes.









To defend against the Sybil attack, several potential methods were proposed in [60].

One method is the radio resource testing, in which each node assigns a unique channel

to each of its neighbors including those fake neighbors and tests whether its neighbors

could communicate with it through the assigned channels. This method assumes that

each node has enough radio resources and requires several rounds of broadcasting over

multiple channels, thus leading to a large communication overhead. Another method is to

use the ID-based symmetric keys. Particularly, each sensor node is preloaded with a set of

keys which are selected from a global key pool by its node ID. The ID of a suspect node

is challenged by a set of validating nodes based on the keys shared between the suspect

node and the validating nodes. Besides the large amount of communication overhead, this

method may fail if many sensor nodes are compromised so that most of the keys in the

global key pool are exposed. In our access control protocol, those malicious i v.-" nodes

introduced by the Sybil attack are prevented from joining the sensor network at the very

beginning, because they do not have proper bootstrapping time and corresponding keys

which are challenged during the authentication procedure.

Conventional methods to defend against the node replication attack [66] usually

include centralized computing based on node locations or the number of simultaneous

connections, which is vulnerable to the single-point failure. Distributed detection of the

node replication attack was proposed in [66], where each node is assumed to know its

location and it is required to send its location to a set of witness nodes. If a witness

node finds a contradiction in the location claims of a suspect node, this suspect node

must be a replicated one. Obviously, this method may introduce a lot of communication

overhead. Like the fake nodes in the Sybil attack, the replications of compromised nodes

are also prevented from participating in the sensor network at the very beginning in our

access control protocol. Though those replications have legitimate identities, they do not

have correct bootstrapping times to show they are the new nodes. The authentication









procedure in our protocol is performed locally, thus avoiding much more communication

overhead. Moreover, our protocol does not require each node to know its own location.

To defend against the Wormhole attack, Hu et al. proposed to use packet leashes

[61] to limit the maximum range over which packets can be tunneled. They require

that each node either know its location or have a tightly synchronized clock so that this

information can be used to calculate the maximum distance that a r(, i, .1, packet could

travel. Directional antennas [62] were also used to defend against the Wormhole attack.

However, these defenses are targeted to ad hoc networks and require expensive hardware

devices, which may be infeasible for most resource constrained sensor networks. Our

protocol does not require location information and only needs loose synchronized clock.

Wang and Bhargava [63] proposed to use centralized computing to defend against the

Wormhole attack in sensor networks, in which a controller collects all nodes' location

information to reconstruct the network topology such that any topological distortion may

be visualized. This approach, however, causes much intensive communication overhead

and is only suitable for static Wormhole. If adversaries move around in the entire network,

the location of the Wormhole will change dynamically. Each location change will trigger

a new round of execution of the topology reconstruction algorithm. Our protocol can

prevent dynamic Wormhole by only involving localized authentication, thus can save a lot

of communication overhead.

6.7 Conclusion

Currently little work has been reported to address the access control problem in

sensor networks. Though many proposals [6, 13, 15, 17, 18, 36] try to secure sensor

networks, adversaries can still attack the networks [60-63, 66] by manipulating old nodes

to introduce malicious i, v.-" nodes. In this paper, we analyze most of the well-recognized

attacks targeted at sensor networks, including the Sybil attack, the node replication attack

and the Wormhole attack, and design an access control protocol to prevent malicious

nodes, which may be directly deploy, -l or just old nodes manipulated by adversaries, from









participating in sensor networks. Besides the node identity authentication, we introduce

the node bootstrapping time into the node authentication procedure to differentiate

malicious nodes from legitimate new nodes. Unlike the conventional approaches in

[60-63, 66] that try to detect malicious nodes after they join sensor networks, our access

control protocol can prevent malicious nodes from joining sensor networks at the very

beginning. In addition, key establishment is also realized in our access control protocol to

help the new node establish shared keys with its neighbors so that it can perform secure

communications with them. Compared with the conventional sensor network security

solutions, our access control protocol can defend against most of the notorious attacks in

sensor networks, and achieve better computation and communication performance due

to the usage of the more efficient algorithms based on Elliptic Curve Cryptography than

those based on RSA.









CHAPTER 7
BABRA: BATCH-BASED BROADCAST AUTHENTICATION IN WIRELESS SENSOR
NETWORKS

7.1 Introduction

A WSN consists of hundreds or even thousands cheap sensor nodes, which collaborate

with each other and communicate with external world through one or several powerful

nodes, called base stations.

Broadcast is a common communication pattern to fulfill collaboration among sensor

nodes. For example, the base station may spread messages such as commands or requests

to the entire network through the network broadcast. Each individual node may use the

local broadcast to fulfill some specific functions in its neighborhood, such as exchanging

routing information or cluster head election. Therefore, the correct broadcast is critical

to the collaboration objective of sensor networks. In hostile environments, however,

adversaries may take the advantage of broadcast to inject false information, which can

raise significant havoc in the network. To defeat such an attack, authentication is required.

Each broadcasted packet should carry some authentication information so that the

recipient node can verify its authenticity.

pTESLA [6] is a light-weight broadcast authentication protocol, which uses a

one-way hash key chain and the d. 1 i, '1, disclosure of keys to provide the authentication

service. It is efficient due to the use of symmetric key techniques. However, it requires

synchronization between the source and recipient, which can be a potential security hole

for adversaries [78]. Moreover, the key chain in pTESLA has limited length, and thus can

only support limited rounds of broadcast. If the source node needs to broadcast for a long

period, it has to generate a long key chain. But the management of a long key chain is

difficult for low-end sensor nodes. So pTESLA can only be used by the base stations for

the network broadcast.

In this chapter, we propose a novel protocol, called batch-based broadcast authentication

(BABRA) for wireless sensor networks [79]. BABRA broadcasts packets in batches and









the transmissions of different batches do not require time synchronization. Therefore,

BABRA eliminates the security hole that pTESLA suffers. Moreover, BABRA uses

independent keys instead of a key chain for different batches, and thus supports broadcast

for infinite rounds. In addition, BABRA is also built on symmetric key techniques and

thus is efficient.

The rest of the chapter is organized as follows. Section 7.2 simply describes the

pTESLA protocol. Details of BABRA are given in Section 7.3. Some comparisons between

pTESLA and BABRA are carried out in Section 7.4. The paper is finally ended in Section

7.5.

7.2 /pTESLA

Though public key signatures can provide authentication services, they are too

expensive for sensor networks. Therefore most researchers are seeking symmetric key

solutions. pTESLA is a broadcast authentication protocol, which is a simplified version

of TESLA [80]. It is based on a one-way hash chain (OHC), which is a sequence of keys,

K0, K1,... K, such that Kj_1 = H(Kj), Vj, j > 0, where the hash function H satisfies

two properties:

1. Given x, it is easy to computer y = H(x);

2. Given y, it is computationally infeasible to compute x such that y = H(x).

The first key K0 is unicasted to all the recipient nodes as a commitment in advance.

The entire broadcast stream is divided into continuous time slots. A broadcasted packet

in the t-th time slot carries a message authentication code (\!AC) generated by using the

t-th key Kt of the OHC. All the recipient nodes do not know Kt when they receive the

packet. After d time slots, the source node discloses Kt. Then every node can authenticate

Kt by applying the hash function to Kt several times and checking whether Hk(Kt)

Kt-k holds, where Kt-k is the t k-th key that has been received and authenticated. After

that, the recipient node can use the authenticated Kt to authenticate the packets of the

t-th slot. The d, I'- .1 key release can efficient prevent malicious nodes from impersonating









the source node, because the disclosed key Kt can not be used to spoof packets after the

t-th slot.

Though pTESLA is more efficient compared with other public key signatures

protocols, it has some strong requirements. The slot-based broadcast requires time

synchronization throughout the entire network. The time synchronization procedure may

undergo potential threats leading to the failure of the entire protocol [78]. The distribution

of the key chain commitment K0 to all the nodes is communication expensive because

the commitment has to be unicasted to each node while the network can consist of large

volume of nodes. The OHC length is limited, and thus it can not support broadcast for a

long time. The complex key chain management indicates that /TESLA can be used only

by the base station for the network broadcast.

Multilevel key chains are used to extend the lifetime of authenticated broadcast [81],

but it is still limited by the highest level OHC. The multilevel key chains also require the

source node manage many OHCs at the same time and thus are not suitable for sensor

nodes. Moreover, time synchronization is still a requirement.

7.3 BABRA Design

Unlike pTESLA, BABRA do not require time synchronization, and supports

broadcast for infinite rounds. It can be used in both the network broadcast and the

local broadcast. In this section, we give the details of BABRA.

7.3.1 Network Model

We consider the application scenarios including the network broadcast, where

the base station broadcasts messages into the entire network, and the local broadcast,

where each node broadcasts messages in its one-hop neighborhood. BABRA can provide

authentication services for these broadcast patterns. Though confidentiality is also critical

to group communications, the management of encryption keys is a very challenging task

[82] and is out of our considerations.



















Figure 7-1. One batch of broadcast and the batch packet format.


The main purpose of authenticating broadcast is to prevent adversaries from injecting

bogus packets. BABRA also uses d.1, -i .1 key disclosure to counteract the bogus packet

injection. In addition, adversaries can also inject radio interference at the physical 1li-, r

to disrupt communications, leading to the DoS attack [35]. The intermittent interference

can deteriorate channel condition and cause packet loss. The continuous jamming can even

stop communications. However, due to the large scale of network and cost considerations,

adversaries may not be able to jam the entire network. In this paper, we assume that the

impact of radio jamming only covers a portion of the network at one time.

There are other attacks and corresponding countermeasures discussed in the literature

[33, 35]. They are out of the scope of this paper because most of them are unrelated

to broadcast authentication. We have developed several schemes [9, 45, 46] to establish

pairwise keys to secure point-to-point communications. In this chapter, we simply assume

that every pair of neighboring nodes shares a pairwise key after network initialization.

7.3.2 Architecture

In BABRA, broadcasted packets are sent in batches and each batch is a burst

sequence of packets. There is a key associated with each batch. All the packets in one

batch carry an MAC calculated based on the associated key, and are sent in C time units,

which is the batch period (BP). At the end of the BP, the source node starts a timer of

D units, which is the delay period (DP). During the BP and the DP, the batch key is

kept secret by the source node. When the DP timer expires, the source node discloses









the corresponding batch key in a key disclose period (KP) of E time units. When a

recipient node gets the first packet of the batch, it starts a timer last for C time units.

Only the batch packets that arrive within the period of C time units are accepted by the

recipient. At the end of the period, the recipient starts a new timer for D time units as

the DP. After the DP, the recipient can receive the corresponding batch key and use the

key to recalculate the MAC to check the authenticity of the cached batch packets. Due

to the d. 1 i-, .1 key disclosure, the adversary can not use the disclosed key to inject bogus

batch packets because the source node never sends any packet of this batch after the key

disclosure period.

However, each batch key should be authenticated before being used to authenticate

the corresponding batch packets. BABRA achieves this goal by using an immediate

authentication method proposed in [83]. Particularly, all the packets in one batch also

carry a hash of the key associated with the next batch. Hence, each broadcasted packet

consists of four parts: the batch index, the p loada, the hash of the key of next batch,

and the MAC calculated over the previous three parts and the batch key (Fig. 7-1). The

d. 1 li-, 1 batch key can authenticate the corresponding batch. The hash of the key of next

batch is authenticated at the same time, and can be used to authenticate the key of next

batch.

The entire broadcast stream is depicted in Fig. 7-2. Before broadcast, the source

node bootstraps all the recipient nodes with the hash H(K1) of the first batch key K1.

Depending on the scenarios where BABRA is applied, different methods can be used

to bootstrap the hash value. We will discuss this issue later. After bootstrapping, the

source node can send out batches of broadcasted packets one by one and disclose the

corresponding batch keys lately (Fig. 7-2). Each batch is not necessary to be sent right

after the end of the previous batch. Therefore, BABRA can be adapted to different data

rates.









1 2 ... ... ... ... i-1 ... i .. .. ... ... t
H(Ki) D K1 K,1
S K2 D K,

Figure 7-2. The authenticated broadcasting stream.


In hostile environments, the adversary can inject jamming interference and cause

packet loss. The nodes in the jammed area will seek help from the surrounding neighbors

to recover the lost information such as keys or key hashes. To facilitate such local

collaboration, each recipient node keeps the latest k keys received from the source node.

We will discuss this issue in Section 7.3.5.

7.3.3 Bootstrapping

As is mentioned before, the hash H(K1) of the first batch key K1 needs to be

bootstrapped into all the recipient nodes. To avoid using expensive public key signatures

to authenticate H(K1), we need some methods based on symmetric key techniques.

For the local broadcast, the source node can unicast H(K1) to each of its neighbors.

Each unicast is authenticated with the pairwise key shared between the source and

the corresponding neighbor. Because the number of neighbors is small, such unicast

bootstrapping can be finished in a very short time period.

Though unicast can also be used to bootstrap the network broadcast, the overhead is

too much because there are too many nodes in a network. It takes too much time for the

base station to unicast to each node. A simple way to bootstrap the network broadcast is

to preload each node with H(K1) before deployment. It is easy to achieve this because the

entire sensor network is usually managed under a unique authority, and thus preloading

secure parameters is a common way to establish a secure architecture for the sensor

network [6, 9, 45, 46, 81].

7.3.4 Counteracting Bogus Packets

The parameter DP is critical to the security of the entire broadcasting protocol. If

the value of DP is small, there is a chance that the adversary catches the key before some









nodes get the corresponding batch packets and then sends bogus packets towards these

nodes. Therefore, the value of DP should be large enough for all nodes to get the batch

before the release of the key. For the local broadcast, the DP value Di is larger than

maximum one-hop transmission delay, and thus can be set as


D = ( A R +P (7-1)

where At > 1 is a constant, R is the radius of node coverage, c is the speed of light, and

P is the packet processing d.l1 li. For the network broadcast, the DP value D, should be

larger than the time that a packet is transmitted over the maximum diameter L of the

network, and thus can be set as


Dn = An ( + P (7-2)


where An > 1 is a constant.

7.3.5 Countermeasures to Radio Jamming

The adversary can introduce jamming interference to disrupt communications, leading

to the DoS attack. The intermittent interference can deteriorate channel condition and

cause packet loss. The continuous jamming can even stop communications. Here we

discuss their impacts and countermeasures.

7.3.5.1 Intermittent jamming

Each batch of broadcasting is authenticated by the corresponding batch key. If some

of the batch packets are lost due to j ,:miin1. the recipient just experiences lower quality

of service. But if the batch key is lost, the entire batch is useless. Therefore, to tolerate

the key loss is a very important task. Here we introduce the following two methods to

solve this problem.

To provide resilience to the key loss, the first method in BABRA is to transmit

each batch key several times during the corresponding key disclose period. Suppose the

average packet loss rate is pi, and each batch key is transmitted t times during its KP. The









probability that the key can be received is


P = 1 pt (7-3)


Fig. 7-3 gives the key survival probabilities P versus the key disclose times t when the

packet loss rate pi varies from 0.2 to 0.8. We can see by simply disclosing multiple times,

the batch key can be received with very high probability.

It is worth noting that to disclose key multiple times is the simplest forward error

correction (FEC) method to counteract packet loss in communications. More complex and

robust FEC methods can also be used here to increase the resilience to the key loss. One

example is to use Reed-Solomon codes. We do not discuss this issue here for the sake of

page limit.

The second method is carried out just in case that it is unlucky that all the t

receptions of batch key fail. In such a case, the recipient node will seek help from its

neighbors right after the expiration of the KP timer. For the key loss during the network

broadcast, the node will locally broadcast a message to request its neighbors for the lost

key:

a : (j,H(K,), MAC(j, H(K ), K ,))

where j is the index of the batch of which the key is lost, K' i is the key associated

with the next batch of node a's local broadcast stream, and K, is the key of the current

batch of a's local broadcast stream. Therefore this message is authenticated by the local

broadcast authentication. The adversary can not spoof the message.

If a neighbor node b knows the key Kj, it will reply a message through a local

broadcast message:


b : (Kj, H(K 1+), MAC(Kj, H(K+), K )),


where K i+ is the key associated with the next batch of node b's local broadcast stream,

and K, is the key of the current batch of b's local broadcast stream. This message is also














0.9 -


0.8


/ 0.7-
II
S/


0.6-
13_ /
7- /
S 0.5 /
0) /
(D /
0.4-


0.3-


-- pl=0.2
0.2.... pl=0.4
S-. pl=0.6
pl=0.8
0.1
0 2 4 6 8 10 12
Key Disclose Times t


Figure 7-3. The key survival probability.


authenticated so that it can not be spoofed. In addition, the key Kj is broadcasted, so

node b has no bonus of replying bogus messages because nearby nodes that also have

Kj can check whether node b lies to node a. This local monitoring has been used in

misbehavior detection. One example is discussed in [84].

When node a gets Kj from its neighbor b, it will broadcast Kj again through its local

authenticated broadcast so that its neighbors know that it really gets Kj.

If none of node a's neighbors knows Kj, they will continue the above procedure until

some node can reply with Kj. For example, if node b does not get Kj but its neighbor c

knows Kj, then b can learn Kj from c. Then b can broadcast Kj if it has a request from a.









If multiple nodes in the neighborhood of node a knows Kj, all of them might try to

reply at the same time. But the underlying contention resolving mechanisms at the Media

Access L-. r can guarantee that one of them replies successfully. Other nodes that hear

the replying of Kj stop trying to broadcast Kj.

For the key lost during the local broadcast, it is easy to resend the key from the

source node to the recipient node because it only involves one-hop communication, which

can be encrypted and authenticated by the pairwise key shared between the source and

the recipient.

7.3.5.2 Continuous jamming

Continuous jamming is more severe to broadcast. When the channel is jammed,

the recipient gets nothing. Because the key of each batch is authenticated by its hash

included in the previous batch, the key can not be authenticated if all the packets of the

previous batch are lost due to the continuous jamming. Here we need some measures to

help recipient nodes recover the interrupted broadcast stream when the jamming attack

stops.

When the recipient node a gets a packet in the next batch right after the jamming

attack, node a broadcasts a message including the index, j, of the batch and the

index i of the last batch it receives just before the jamming attack. This message is

authenticated by node a's local broadcast protocol, i.e.,


a -- : (j, i, H(K l), MAC(j, i, H(Kpl), Ka )),


where Ka, is the key associated with the next batch of node a's local broadcast stream,

and K7 is the key of the current batch of a's local broadcast stream. Node a broadcasts

the index j for the hash H(Kj) of the key Kj associated with the batch right after the

jamming attack. In addition, the packets of several batches just before the jamming attack

are cached in a's buffer and not authenticated due to the loss of the corresponding keys

during the jamming attack. So node a also broadcast the index i of the last batch just









before the jamming attack. Because every node will cache the latest k keys disclosed by

the source, if any neighbor finds in its buffer that there are keys associated with some

batches before the jamming attack, it can reply with those keys so that node a can

authenticate the packets of those batches.

When a nearby node b, which is uninfluenced from the jamming attack and has

cached k latest keys Km,..., Km-k+1, replies with an authenticated broadcast message as:


b : (H(K), [K,... ,Km-k+], H(K-1),

MAC(H(Kj), [Kb, ... Km-k+1], H(-K+1), K?)) ,


where K+b, is the key associated with the next batch of node b's local broadcast stream,

and K? is the key of the current batch of b's local broadcast stream. H(Kj) is used to

authenticate the key Kj of the next batch j right after the jamming attack, and then the

key Kj is used to authenticate the packets in the batch. Here the keys Ki, .., Km-k+l

are optional. Node b checks the latest k cached keys Km,... Km-k+1l If the index

i > m-k+1, node b knows that node a needs the keys from Km-k+1 to Ki to authenticate

the packets of the last several batches just before the jamming attack. Then node b replies

with these keys.

Due to the broadcast, the surrounding nodes that also have copies of H(Kj) can

check whether node b lies to node a. Hence node a can get correct H(Kj) and use it to

authenticate Kj later whereby to recover the entire broadcast stream. When node a gets

H(Kj) and/or K, ..., Km-k+l from its neighbor b, it will broadcast them again through its

local authenticated broadcast so that its neighbors know that it really gets them.

If all the neighbors of node a do not know the information that a desires, they will

continue the above procedure until there is at least one node can give those information.

For the local broadcast under the jamming attack, it is easy for the recipient node

to recover after the jamming. Through unicast, the recipient node a can get all the









required information from the source node b, where the communication is encrypted and

authenticated by the pairwise key shared between a and b.

7.4 Discussion

Each packet in BABRA and that in pTESLA both carry an MAC as the authentication

information. The difference is that BABRA replaces the timestamp in the pTESLA packet

with a batch index and a key hash. The batch index is just like the timestamp and thus

can be represented with the same number of bits. However, BABRA does not use limited

key chain and not require each batch to be sent right after the end of the previous batch,

so BABRA can support a longer lifetime of a broadcast stream. Suppose each batch

period be 100ms, which is corresponding to one time slot [81]. A 32-bit batch index

can support a broadcast stream up to 4971 d-,4i if the source keeps sending batches

continuously.

As for the key hash in each BABRA packet, its length should guarantee that no two

keys have the same hash value. Otherwise, the adversary can spoof broadcasted packets.

Considering the 32-bit batch index, the number of keys in BABRA is 232. According to

the birthdli paradox [85], a 64-bit key hash is enough to guarantee that all the 232 keys

generate different hash values with a probability close to 1. Though BABRA introduces

the additional packet overhead for the key hash, it is worth because of the elimination of

the time synchronization requirement.

Like pTESLA, BABRA also requires every node to buffer packets before the

corresponding key is disclosed. The difference is the management of keys. In pTESLA, the

source node has to manage a key chain, which has a length determined by the lifetime of

the broadcast stream. However, to manage such a key chain may not be feasible when the

source wants to broadcast for a long time. In BABRA, all the keys are independent. The

elimination of key chains makes BABRA suitable for both the network broadcast by base

station and the local broadcast by sensor nodes. Each node in BABRA caches the latest









k keys disclosed by the source node. The value k can be adapted according to the buffer

space of each node.

7.5 Conclusion

Though there are many broadcast authentication protocols proposed for conventional

wired networks, few work has been carried out for wireless sensor networks. Though

pTESLA can provide the broadcast authentication service for sensor networks, it still

suffers some drawbacks. BABRA is a batch-based broadcast authentication protocol for

wireless sensor networks. BABRA broadcasts packets in batches and the transmissions of

different batches do not require time synchronization. Therefore BABRA eliminates the

security hole that pTESLA suffers. BABRA uses independent keys in stead of a key chain

for different batches, and thus supports broadcast for infinite rounds. BABRA can support

both the network broadcast and the local broadcast. In addition, BABRA is also built on

symmetric key techniques and thus is efficient.









CHAPTER 8
MABS: MULTICAST AUTHENTICATION BASED ON BATCH SIGNATURE

8.1 Introduction

Multicast [86] is an efficient method to deliver multimedia content to a group of

receivers and is gaining popular applications such as live show, IPTV, realtime stock

quotes broadcast, video conference or interactive games. Authentication is critical in

securing multicast streams [87-89] because it proves the origin of a multicast stream. An

ideal approach is to attach a signature to each packet and let each receiver verify the

signature to authenticate the packet. However, existing digital signature algorithms are

computationally expensive. For a typical multicast application, the sender is a powerful

server, but receivers can have various computation and communication capabilities and

usually are less powerful than the sender. The ideal approach raises a serious challenge

to the receiver's computational capability and may not be affordable in most realtime

multicast applications.

In order to reduce the number of signature verification operation, conventional

schemes [90-95] divide a multicast stream into blocks, associate each block with a

signature, and spread the effect of the signature across all the packets in the block

through some efficient operations such as hash chains or redundancy codes. In this way,

the computation requirement is reduced to one signature verification plus some hash or

decoding operations per-block instead of per-packet.

The block-based approach suffers from some drawbacks in reality. Some schemes

[90-95] use hash chains to link packets to their block signatures and other schemes

[102-107] use erasure codes or error correction codes to protect block signatures. Hash and

coding establish relationship among all the packets in one block. However the relationship

makes existing schemes vulnerable to packet loss, which is very common in current

Internet and wireless networks. The loss of a certain number of packets can result in

the failure of authentication of other received packets. In an extreme case, the loss of









the signature of one block makes the whole block of packets unable to be authenticated.

Though existing schemes allow increasing the resilience to packet loss by attaching

more authentication information to each packet, this results in more computational and

communication overhead, which is undesirable in resource-constrained scenarios such

as mobile and wireless communications. Moreover, the block design requires the sender

and/or receivers buffer a certain number of packets before processing them. A larger

block size can achieve higher computational efficiency, but incurs longer buffering delay.

This authentication latency at the sender and/or receivers can compromise the realtime

requirements in many multimedia application scenarios such as live video show or stock

quotes delivery. Meanwhile, the block design is vulnerable to the Denial of Service (DoS)

attack. An attacker can inject a large number of forged packets to exhaust the receiving

buffer so that signatures cannot be received by the receiver and cost extra computational

overhead at the receiver.

Unlike the conventional block-based signature approach, we propose a new multicast

authentication scheme using packet-based signatures in this paper. In order to avoid

expensive per-packet-based signature verification, we use an efficient cryptographic

primitive called batch signature [3, 109-113] to verify the signatures of any number of

packets at the same time. Therefore our scheme is called multicast authentication based

on batch signature (\!ABS). The main contributions are made as follows:

1. MABS is perfectly resilient to packet loss in the sense that no matter how many
packets are lost, the rest can also be verified by receivers. In contrast, most
conventional schemes cannot totally solve the packet loss problem;

2. By using batch signatures, MABS can completely eliminate authentication latency at
the sender and receivers. This is a significant improvement to the quality of realtime
applications compared with conventional block-based schemes;

3. We propose three implementations of MABS including two new batch signature
schemes based on BLS [111] and DSA [112], which are more efficient than the existing
one based on RSA [3];









4. MABS can efficiently defeat the DoS attack by using packet filtering, while most
conventional schemes are vulnerable to DoS.

The rest of the chapter is organized as follows. We first briefly review related

work, then describe the details of MABS over lossy channels. Next, we introduce three

implementations including two new batch signature schemes based on BLS and DSA in

addition to the one based on RSA. We will show the performance superiority of our MABS

over conventional schemes. Last we introduce the countermeasure to DoS and conclude the

chapter.

8.2 Related Work

There have been many multicast authentication schemes [90-95] in the literature. In

the hash chain schemes [90-95], a multicast stream is divided into blocks, each of which

is associated with a signature. In each block, the hash of each packet is embedded into

several other packets in a deterministic or probabilistic way. The hashes form chains

linking each packet to the block signature. The receiver verifies the block signature and

authenticates all the packets through hash chains.

A special hash chain scheme is the tree chaining scheme [100, 101], which constructs

a hash tree for each block of messages. The root of the tree is signed by the sender. Each

packet carries the signed root and several hashes. When the receiver receives one packet

in the block, he uses the authentication information in the packet to authenticate it. The

buffered authentication information is further used to authenticate other packets in the

same block. However, without the buffered authentication information, each packet is

independently verifiable with a trade-off of per-packet signature verification.

In the signature amortization schemes [102-107], a signature is generated for the

concatenation of the hashes of all the packets in one block. An erasure coding or forward

error correction coding algorithm is used to chop the block signature into many pieces and

attach each packet with one piece. The coding approach makes the receiver be capable of

recovering the block signature when receiving at least a certain number of pieces.









Some other schemes [79, 119-122] use shared keys between the sender and the receiver

to authenticate multicast streams. Though they are more efficient than those using

signatures, they cannot provide non-repudiation as the signature approach. In this paper,

we focus on the signature approach.

8.3 Multicast Authentication Over Lossy Channels

We discuss the details of MABS hereafter.

8.3.1 Assumptions

Our target is to authenticate multicast streams from a sender to multiple receivers.

Generally, the sender is a powerful multicast server managed by a central authority and

can be trustful. The sender signs each packet or a batch of packets with a signature

and transmits them to multiple receivers through a multicast routing protocol. Each

receiver is a less powerful device with resource constraints and may be managed by an

non-trustworthy person. Each receiver needs to assure that the received packets are

really from the sender (authenticity) and the sender cannot deny the signing operation

(non-repudiation) by verifying the corresponding signatures. As is well known that packet

loss is very common in Internet and even more severe in wireless communications, we

assume a lossy channel where packets can be lost according to different loss models,

such as random loss or burst loss. Though confidentiality is another important issue

for securing multicast, it can be achieved through group key management [82]. In this

chapter, we focus on multicast authentication.

8.3.2 Batch Signature

An ideal approach to authenticate a multicast stream is to let each packet carry

a signature that can be verified by each receiver. However, expensive digital signature

algorithms raise a serious challenge to the receiver's computational capability and may not

be affordable in most realtime multicast applications, since in most application scenarios

the receiver is resource-constrained and has much less computation and communication

power than the sender, which is a powerful server.









Those conventional schemes [90-95] use block-based signatures to reduce the

computational overhead but also incur a trade-off of vulnerability to packet loss and

authentication latency at the sender and/or receivers. Unlike those schemes, we use

packet-based signature as in the ideal approach, because the independency among packets

can totally eliminate the vulnerability to packet loss. Therefore the problem is how to

reduce the computation overhead at receivers.

In order to avoid the expensive packet-based signature verification, we use an efficient

cryptographic primitive called batch signature [3, 109-113] to simultaneously verify the

signatures of any number of packets.

When the receiver collects n packets:


pi= {mi,i}, i= 1,...,n,

where mi is the data p iiload, -i is the corresponding signature and n can be any positive

integer, he can input them into an algorithm


BatchVerify(pi,p2, ... ,pn) {True, False ,


If the output is True, we know the n packets are authentic, and otherwise not.

To support authenticity and efficiency, the BatchVerify() algorithm should satisfy

the following properties:

1. Given a batch of packets that have been signed by the sender, BatchVerify()
outputs True;

2. Given a batch of packets including some unauthentic packets, the probability that
BatchVerify() outputs True is very low;

3. The computation complexity of BatchVerify() is comparable to that of verifying one
signature and is increased gradually when the batch size n is increased.

By BatchVerify(, each receiver can achieve the computational efficiency comparable

to conventional block-based schemes in the sense that a batch of packets can be

authenticated simultaneously through one batch signature verification operation. In









addition, our approach use per-packet signature instead of per-block signature and thus

eliminate the authentication latency at the sender and /or receivers in conventional

schemes. Each receiver can verify the authenticity of all the received packets in its buffer

whenever the high lI-., applications require. This is a significant improvement to the

quality of realtime applications. Moreover, our approach has perfect resilience to packet

loss. No matter how many packets are lost, the rest can also be verified by the receiver.

8.4 Batch Signature Construction

In this section, we propose three schemes to implement the batch signature approach.

Besides the one based on RSA [3], we propose another two schemes based on BLS [111]

and DSA [112], which are more efficient than batch RSA.

8.4.1 Batch RSA Signature

8.4.1.1 RSA

RSA [3] is a very popular cryptographic algorithm in most security protocols. In

order to use RSA, a sender chooses two large random primes P and Q to get N = PQ,

and then calculates two exponents e, d E Z such that ed = 1 mode O(N), where

((N) = (P 1)(Q 1). The sender publishes (e, N) as his public key and keeps d in secret

as his private key. A signature of a message m can be generated as a = (h(m))d mod N,

where h() is a collision-resistant hash function. The sender sends {m, a} to the receiver

that can verify the authenticity of the message m by checking a' = h(m) mod N.

8.4.1.2 Batch RSA

To accelerate the authentication of multiple signatures, the batch verification of RSA

[109, 110] can be used. Given n packets {m, ca}, i = 1,..., n, where mi is the data

p loadd and ai is the corresponding signature, the receiver can first calculate hi = h(mi)

and then perform the following verification:


(j hi mod N. (8-1)
i= 1 i= 1









If all n packets are truly from the sender, the equation holds because


ai] mod N r i mod N
i= 1 i= 1

=fh fmodN = hi modN (8-2)
i=l i=

Before the batch verification, the receiver must ensure all the messages are distinct.

Otherwise the batch RSA is vulnerable to the forgery attack [110]. This is easy to

implement because sequence numbers are widely used in many network protocols and can

ensure all the messages are distinct. It has been proved in [110] that when all the messages

are distinct, the batch RSA is resistant to signature forgery as long as the underlying RSA

algorithm is secure.

The attacker may not forge signatures but manipulate authentic packets to produce

invalid signatures. For example, given two packets {mi, ai} and {mj, aj} for i / j, an

attacker can modify them into {m, aiXA} and {mj, aj/A}. The modified packets can still

pass the batch verification, but the signature of each packet is not correct (that is why

the batch RSA verification is called screening in [110]). However, the attacker can do this

only when he gets {mi, ai} and {mj, ac}, which means the message mi and mj have been

correctly signed by the sender. Therefore, this attack is of no harm to the receiver [110].

8.4.1.3 Requirements to the sender

In most RSA implementations, the public key e is usually small while the private

key d is large. Therefore, the RSA signature verification is efficient while the signature

generation is expensive. This poses a challenge to the computation capability of the

sender because the sender needs to sign each packet. C'! ....-ini a small private key d can

improve the computation efficiency but compromise the security. If the sender does not

have enough resource, a pair of {e, d} with comparable sizes can achieve a certain level of

trade-off between computation efficiency and security at the sender part. If the sender is

a powerful server, then signing each packet can be affordable in this scenario. Next, we









propose two efficient batch signature schemes based on BLS [111] and DSA [112], which

can reduce the computation complexity at the sender.

8.4.2 Batch BLS Signature

Here we propose a batch signature scheme based on the BLS signature in [111].

8.4.2.1 BLS

The BLS signature scheme uses a cryptographic primitive called pairing, which can

be defined as a map over two cyclic groups Gi and G2, e : Gi x Gi -i G2, and satisfy the

following properties:

1. Bilinear: for all u, v E G1 and a, b E Z, we have e(ua, vb) = e(, v)ab;

2. Non-degenerate: for the generator gl of G1, i.e., g = 1 e G1, where p is the order of
G1, we have e(gl, gl) / 1 e G2.

The BLS signature scheme consists of three phases:

In the key generation phase, a sender chooses a random integer x E Zp and computes

y = glz e G1. The private key is x and the public key is y;

1. Given a message m E {0, 1}* in the signing phase, the sender first computes
h = H(m) E G1, where H() is a hash function, then computes a = hx e G1. The
signature of m is a;

2. In the verification phase, the receiver first computes h = H(m) E G1, and then check
whether e(h, y) = e(a, g).

If the verification succeeds, then the message m is authenticated because


e(h, y) = e(h, gl) = e(h, gi) = e(a, gi) (8-3)

One merit of BLS signature is that it can generate a very short signature. It has

been shown in [111] that an n-bit BLS signature can provide a security level equivalent

to solving a discrete log problem (DLP) [113] over a finite field of size approximately

26". Therefore, a 171-bit BLS signature provides the same level of security as a 1024-bit

DLP-based signature scheme such as DSA. This is a very nice choice in the scenario where

communication overhead is an important issue.










8.4.2.2 Batch BLS

Based on BLS, we propose our batch BLS scheme here. Given n packets {mi, i}, i =

1,..., n, the receiver can verify the batch of BLS signatures by first computing hi

H(mi), i = 1,..., n and then checking whether e(H h, y) = e(H i, gi). This is

because if all the messages are authentic, then

n n n n

i 1 i 1 i 1 i=

We can prove that our batch BLS is secure to signature forgery as long as BLS is secure to

signature forgery.

Theorem 1 Suppose an attacker A can break the batch BLS by forging signatures,

another attacker B can break BLS under the chosen message attack by colluding with A.

Proof. Suppose B is given n 1 messages and their valid signatures {mi, o1}, i =

1,..., n 1, B can forge a signature ao for any chosen message m,, such that {m,, a,}

satisfies the BLS signature scheme, by colluding with A in the following steps:

1. B sends n messages mi, i = ,..., n and n 1 signatures ai, i = ,..., n 1 to A;

2. Because A can break the batch BLS scheme, A generates n false signatures ai', i =
1,..., n that pass the batch BLS verification, then returns to B a value V= a1';

3. B computes T, = V/ ] Ti Ii a s the signature for mi, because

n n n
c( hiy) e{V,g ey) > e([a,, gi)
i-l i-i i=l
n-l n-l
= e(fJ h, y)e(hn, y) e( l ju, gi)e(c(,, gi)
i= 1 i 1
C e(h,, y) = e(an, gi) (8-5)




Since BLS is forgery-secure under the chosen message attack [111], our batch BLS

scheme is also secure to forgery under the chosen message attack.









Also like batch RSA, the attacker may not forge signatures but manipulate authentic

packets to produce invalid signatures. For example, two packets {mI ai} and {mj, aj} for

i / j can be replaced with {mi, ajA} and {mj, aj/A} and still pass the batch verification.
However, it does not affect the correctness and the authenticity of mi and mj because they

have been correctly signed by the sender.

8.4.2.3 Requirements to the sender

In our batch BLS, the sender needs to sign each packet. Because BLS signature

can provide a security level equivalent to conventional RSA and DSA with much shorter

signature [111], the signing operation is more efficient than RSA signature generation.

Moreover, BLS can be implemented over elliptic curves [71, 72], which have been shown in

the literature to be more efficient than finite integer fields on which RSA is implemented.

Therefore, we can expect that our batch BLS is more affordable by the sender than batch

RSA and also achieve computation efficiency at the receiver.

8.4.3 Batch DSA Signature

DSA [112] is another popular digital signal algorithm. Unlike RSA, which is based

on hardness of factoring two large primes, DSA is deemed secure based on the difficulty

of solving DLP [113]. A batch DSA signature scheme was proposed in [114] but later was

found insecure [115]. Harn improved the security of [114] in [116, 117]. Unfortunately,

Boyd and Pavlovski pointed out in [118] that Ham's work is still vulnerable to malicious

attacks. Here we propose a batch DSA scheme based on Ham's work and counteract the

attack described in [118].

8.4.3.1 Harn DSA

In Harn DSA [117], some system parameters are defined as:

1. p, a prime longer than 512-bit;

2. q, a 160-bit prime divisor of p 1;

3. g, a generator of Z* with order q, i.e., gq = 1 mod p;









4. x, the private key of the signer, 0 < x < q;


5. y, the public key of the signer, y = gx mod p;

6. H(, a hash function generating an output in Z*.

Given a message m, the signer generates a signature as:

1. randomly selects an integer k with 0 < k < q;

2. computes h = H(m);

3. computes r (gk mod p) mod q;

4. computes s = rk hx mod q.

The signature for m is (r, s).

The receiver can verify the signature by first computing h = H(m) and then checking

whether ((gSr yhr 1) mod p) mod q = r. This is because if the packet is authentic, then


((gsr-1yr-1) mod p) mod q

= ((g(s+h)r- 1) mod p) mod q
(gk mod p) mod q

= r. (8-6)

8.4.3.2 Harn batch DSA

Given n packets {mi, (ri, si)}, i = ,..., n, the receiver can verify the batch of

signatures by first computing hi = H(mi) and then checking whether

(g E -1 S I En 1
((gZ i"'i 1- hir' ) mod p) mod q = ri (8-7)
i= 1









This is because if the batch of packets is authentic, then


((g ii 'E hii ) mod p) mod q

= ((g CLi +h X)r ) mod p) mod q

S(gEl ki mod p) mod q

= Ir (8-8)
i= 1

8.4.3.3 The Boyd-Pavlovski attack

Boyd and Pavlovski [118] pointed out an attack against the Ham batch DSA scheme

[117] where an attacker can forge signatures for any chosen message set that has not been

signed by the sender. The process is:

1. choose B and C, calculate A = (gByC mod p) mod q;

2. for any message set mi, i = 1,..., n, randomly choose ri, i = 1,..., n 2;

3. compute r-,_ and r, to ensure that


Hr r A mod q (8-9)
i=1



Shiri-1 C mod q (8-10)
i=1


4. randomly choose si, i =,..., n 1 and compute s, to ensure that


Sii-1 = B mod q. (8-11)
i= 1

The probability that {mi, ri, s}, i 1,..., n are forged messages satisfying the batch

verification is 1 [118].

8.4.3.4 Our batch DSA

In order to counteract the Boyd-Pavlovski attack, our batch DSA makes an

improvement to the Ham DSA algorithm. We replace the hash operation H(m) in the









signature generation and verification process with H(r, m). All the other steps are the

same as those in Harn's scheme.

Though it is simple, our method can significantly increase the security of batch DSA.

In the Boyd-Pavlovski attack, the attacker can compute ri values according to Eq. (8-9)

and Eq. (8-10) because parameters A, C, hi values are known. By introducing ri into the

hash operation, the hash values hi in Eq. (8-10) are unknown to the attacker. Therefore

the attacker cannot compute ri values and the forgery attack discussed in [118] is defeated.

Like the cases in batch RSA and our batch BLS, the attacker may manipulate

authentic packets {mi, (ri, s) } to produce invalid signatures {mi, (ri', si')}, which can still

pass the batch verification. The attacker can keep ri unchanged, randomly choose si',

i = 1,..., n 1 and solve s,' satisfying


SSi'rir1 mod q = Sfir1 mod q (8-12)
i= 1 i 1

However, this attack does not affect the correctness and authenticity of messages because

they have been really signed by the sender [118]. Therefore, the receiver can still accept

them because the batch verification succeeds.

8.4.3.5 Requirements to the sender

In batch RSA and our batch BLS, the sender needs to compute one modular

exponentiation to sign each packet. In the batch DSA, the sender needs to compute

one modular exponentiation to get r and two modular multiplications to get s. However,

r is independent on the message m. Therefore, the sender can generate many r values

off-line. When the sender starts a multicast session, he can use reserved r values to

compute s values. In this way, only two modular multiplications are necessary to sign a

packet. Therefore, our batch DSA is much more efficient than batch RSA and our batch

BLS at the sender, while also achieve computation efficiency at the receiver.









8.5 Performance Evaluation

In this section, we compare the performance of MABS with some well-known schemes

EMSS [92], augmented chain (Aug('l! .,1,) [96], PiggyBack [94], tree chain (Tree) [101]

and SAIDA [103]. These schemes are representatives of hash chain, tree chain and coding

schemes and are widely used in performance evaluation in the literature.

8.5.1 Resilience to Packet Loss

We use simulation to evaluate the resilience to packet loss. The metric here is the

verification rate, i.e., the ratio of the number of authenticated packets to the number of

received packets.

For EMSS [92], we choose the chain configuration of 5-11-17-24-36-39, which has

the best performance among all the configurations of length 6 as is shown in [92]. For

Aug('l0 iii [96], we choose C3,7 chain configuration. For PiggyBack [94], we choose two

class priorities. For Tree chain [101], we choose binary tree. For SAIDA [103], we choose

the erasure code (256, 128). For all these schemes, we choose the block size of 256 packets

and simulate over 100 blocks. We consider the random loss and the burst loss with a

maximum loss length of 10 packets. The verification rates under different loss rates are

given in Fig. 8-1 and Fig. 8-2.

We can see that the verification rates of EMSS [92], augmented chain (Aug('l! 11ii) [96]

and PiggyBack [94] are decreased quickly when the loss rate is increasing. The reason is

that hash chains result in the correlation among packets and this correlation is vulnerable

to packet loss. SAIDA [103] illustrates a resilience to packet loss up to a certain threshold,

because of the threshold performance of erasure codes. Our MABS and Tree schemes

[101] have perfect resilience to packet loss in the sense that all the received packets can be

authenticated. This is because all the packets in MABS and Tree schemes are independent

from each other. As we will show later, however, Tree achieves this independency by

incurring large overhead and authentication latency at the sender and the receiver, while

our MABS does not have these drawbacks.










p p p pnrn


-e- MABS
-I- Tree


0.9 -0- EMSS
AugChain
-B- PiggyBack
0.8- SAID


0.7


a 0.6-

0
S0.5-


>0.4- -


0.3-


0.2 \


0.1 -


0 I I I I I 1.______
0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9
Loss rate

Figure 8-1. Verification rate under the random loss model.


8.5.2 Authentication Latency

The block-based hash chains and codes used in conventional scheme incur authentication

latency at the sender and/or receivers. The sender can compute a signature for a

block only after he builds up hash chains or codes for the block, and each receiver can

authenticate the packets in the block only after he verifies the block signature. A larger

block size can achieve higher computation efficiency, but also incur longer latency. This

latency can compromise the realtime requirement in many time-critical applications such

as video live show or stock quotes broadcast.


1













0.9 EMSS
AugChair
-a- PiggyBac
0.8 '\- SAIDA


0.7


a 0.6-


0.5


0.4-


0.3-


0.2 \


0.1 -


01
0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9
Loss rate

Figure 8-2. Verification rate under the burst loss model with the maximum burst length
10.


We show the latency in different schemes in Table 8-1. In particular, we consider how

many packets need to be buffered for one packet to be signed or verified at the sender or

each receiver. We can see that existing schemes all require that the sender and/or each

receiver buffer up to one block of packets. Our MABS does not have latency at the sender

and the receiver. The sender can send out one packet right after signing it, and each

receiver can verify all the packets he has received whenever the higher w-r application

requires, because there is no relationship among packets and no limit on the number









Table 8-1. Authentication latency of different schemes.


Schemes Sender Receiver
EMSS [92] 1 n
Aug('l iii [96] p n
PiggyBack [94] n 1
Tree [101] n 1
SAIDA [103] n m
MABS 1 1


of packets in each batch verification. This can greatly increase the QoS performance of

multicast streams.

8.5.3 Computational Overhead

Here we compare the computational overhead of our MABS with those of other

schemes. he result is depicted in Table 8-2. All the conventional schemes require one

signature (either signing or verification) operation and at least n hashing operations on a

block of n packets. SAIDA [103] even requires additional coding operation. Our MABS

can achieve the same level computational efficiency at the receiver as conventional schemes

while increasing the computational overhead at the sender. This is affordable because

usually the sender is much more powerful than receivers. Moreover, we propose our batch

BLS and batch DSA that are more efficient than the batch RSA and thus the sender has

more options to choose according to its capability.

We compare the computational overhead of three batch signature schemes in Table

8-3. RSA and BLS require one modular exponentiation at the sender and DSA requires

two modular multiplications when r value is computed off-line. Usually one c-bit modular

exponentiation is equivalent to 1.5c modular multiplications over the same field [110, 118].

Moreover, a c-bit modular exponentiation in DLP is equivalent to a j-bit modular

exponentiation in BLS for the same security level. Therefore, we can estimate that the

computational overhead of one 1024-bit RSA signing operation is roughly equivalent to

that of 768 DSA signing operations (1536 modular multiplications) and that of 6 BLS

signing operations (each one is corresponding to 255 modular multiplications).









Table 8-2. Computation overhead of different schemes for one block.


Schemes Sender Receiver
EMSS [92] 1S + nH+1V nH
Aug('Ch ,i [96] 1S + nH 1V + nH
PiggyBack [94] 1S + nH 1V + nH
Tree [101] S + (2n 1)H V + nlognH
SAIDA [103] 1S + nH + 1EC 1V + nH + lED
MABS nS 1V

Table 8-3. Computational overhead of different batch schemes.

Schemes Sender(per packet) Receiver (per n packets)
Batch RSA 1 E 1 E + (2n 2) M
Batch BLS 1 E 2 P + (2n 2) M
Batch DSA 2 M2 E + 3n M


According to a report [123] on the computational overhead of signature schemes

on PIII 1 GHz CPU, the signing and verification time for 1024-bit RSA with a 1007-bit

private key are 7.9ms and 0.4ms, for 157-bit BLS are 2.75ms and 81ms, and for 1024-bit

DSA with a 160-bit private key (without precomputing r value) are 4.09ms and 4.87ms.

We can observe that for BLS and DSA the signing is efficient but the verification is

expensive, and vice versa for RSA. Therefore, we can save more computational resource at

the receiver by using our batch BLS and batch DSA than batch RSA. It is also meaningful

to use our batch BLS and batch DSA at the receiver to save computation resources.

8.5.4 Communication Overhead

Here we compare the communication overhead of MABS with those of conventional

schemes. Here the communication overhead is computed over one block of n packets. The

result is depicted in Table 8-4. Conventional schemes attach a large number of hashes

plus one signature to each block. MABS requires one signature for each packet, but this

overhead is comparable with conventional schemes considering those hashes.

We also compare the length of two popular hash algorithm MD5 [124] and SHA-1

[125] and the signature length of three signature algorithms in Table 8-5. Given the same









Table 8-4. Communication overhead of different schemes for one block.


Schemes Overhead per Packet
EMSS [92] S + dnH (d > 6)
AugC'l!i ,1i [96] 1S + 2nH
PiggyBack [94] 1S + (2n EY kH)H
Tree [101] nS + nlognH
SAIDA [103] 1S + H
MABS ns

Table 8-5. Communication overhead of signature schemes.

Schemes Length (bits)
MD5 128
SHA-1 160
RSA 1024
BLS 171
DSA 320


security level as 1024-bit RSA, BLS generates a 171-bit signature and DSA a 320-bit

signature. It is clear that by using BLS or DSA, MABS can achieve more bandwidth

efficiency than using RSA, and could be even more efficient than conventional schemes

using a large number of hashes.

8.6 Counteracting DoS

Though batch signature can authenticate many packets at the same time, it fails if

in the batch there are some false packets forged by an attacker. The attacker may take

this opportunity to launch the DoS attack. Particularly, the attacker keeps injecting

forged packets to disrupt the batch signature verification. An naive approach to defeat

this attack is to use smaller batch size in the batch verification, but this incurs more

computation overhead. In the worst case, the attacker can inject forged packets at very

high frequency and expect that the receiver stop the batch operation and recover the

conventional per-packet signature verification.

In order to deal with the DoS attack, we need a method to filter out forged packets.

An option is the one-way accumulators (OWA) [107, 126-130]. An OWA can be used for









membership checking. It consists of four algorithms:


a = Accumulate(S),

w = Witness(s, S),

a = Recover(s,w),

v = Verify(s,w, a),


where S is a set of elements and s E S, a is the accumulator of S and represents S, w is a

mark of the element s and can be combined with s to recover the accumulator a. Given w,

we can verify whether s is in the set S represented by a and the result v is a boolean value

in {Truse, False}.

To support efficient multicast authentication, the OWA should have the following

properties:

1. All the algorithms of OWA are computationally efficient;

2. Given an accumulator a and the set S represented by a, the probability that an
attacker forges an element s' not in S and its witness w' such that Verify(s', w', a) =
True is very low.

When the sender has a set of packets for multicast, he generates an OWA for the set

and attaches a witness to each packet. The attacker may inject large volume of forged

packets that are not in any set from the sender. Therefore, the multicast stream may

consist of many sets, some from the sender and others from the attacker. The receiver

divides received packets into several sets by performing the OWA Recover algorithm.

Particularly, if Recover(pi, i, ) = Recover(pj, wj) for packets (pi,pj) and their witnesses

(,,' wj), then packets pi and pj belong to the same set. The properties of OWA can ensure

that authentic packets and forged packets fall into different sets. Therefore, the receiver

can perform the batch verification over each set. If the verification over one set succeeds,

the set of packets is authentic, and not otherwise. In this way, the receiver can drop a set

of packets when the batch verification over the set fails and do not need to separate the









set into smaller subsets and batch-verify each subset. Therefore, the DoS attack due to

forged packets can be efficiently defeated.

Here we do not use the accumulator a to verify whether a packet comes from the

receiver. The reasons are: (1) If we want to use a to authenticate a packet, then the

sender has to generate a signature for a and transmit the signature. Like conventional

schemes [90-92, 94, 96, 102], this one is vulnerable to packet loss because if the signature

for a is lost, the set of packets cannot be authenticated. (2) We use the batch verification

to authenticate packets and this method is perfectly resilient to packet loss. Therefore,

here we do not need a. We only use the Recover algorithm to check whether two packets

belong to the same set.

An efficient method to construct OWAs is the Merkle hash tree [47]. Here we take a

binary tree for example (Fig. 8-3). The sender constructs a binary tree for 8 packets. Each

leaf is a hash of one packet. Each internal node is the hash value on both its left and right

children and the root is the accumulator of these packets. The witness of one packet is the

set of the siblings of the nodes along the path from the packet to the root. For example,

the witness of the packet P3 is {H4, H1,2, H5,s} and the accumulator can be recovered as

H,8s H((HI,2, (H(P3), H4)), H5,8).

Constructing a Merkle tree is very efficient because only hash operation is performed.

Meanwhile, the one-way property of hash operation ensures that given the root of a

Merkle tree it is infeasible to find out a packet, which is not in the set associated with the

Merkle tree and from which there is a path to the root.

When the sender has a set of packets for broadcast, it generates a Merkle tree for

the set and attaches a witness to each packet. The root can be recovered based on each

packet and its mark. Each receiver can find whether two packets belong to the same set

by checking whether they lead to the same root value. Therefore, the recovered roots

help classify received packets into di- inil sets. Once a set is authentic, the corresponding
























P1 P2 P3 P4 P5 P6 P7 P8

Figure 8-3. An example of Merkle tree.


root can be used to authenticate the rest of packets under the same Merkle tree without

batch-verifying them, which saves computation overhead at each receiver.

Fig. 8-4 illustrates the details of MABS including the DoS countermeasure. At

the sender part, the sender generates a multicast stream. For each message mi, the

sender computes a signature ai according to some signature algorithm. Then the sender

constructs OWAs on {mi, ai} and computes a witness i, based on OWA algorithms.

Therefore each packet is pi = {mi, ai, i, }. These packets are sent over a lossy and hostile

channel to many receivers through multicast routing. At the receiver part, the receiver

gets a stream of packets including both authentic and potentially forged ones. At first,

the receiver uses the OWA Recover algorithm to classify received packets into disjoint

sets. Each set consists of packets pi = {mi, il} where ", is no longer needed. Because the

properties of OWA can ensure that authentic packets and forged packets fall into different

sets, the receiver can perform the BatchVerify algorithm over each set. If the verification

over one set succeeds, the set of packets is authentic. Otherwise, the set of packets is

forged and can be dropped without further verification on each packet.

The traditional block-based approach is vulnerable to DoS. Because there is no

filtering, each receiver has to recover the relationship among authentic packets mixed with










Receiver


MI MI

C TC
Signing Verification

0 ,T 0 T ...T


Pi




Classification




Figure 8-4. MABS architecture including the DoS counter measure.


forged packets, which is very time and computationally intensive. In the extreme case, a

deadlock can form at the receiver when the receiving buffer is exhausted by a mixing of

forged packets and authentic packets without block signatures. Those authentic packets

are waiting for signatures, but signatures cannot be received because the receiving buffer is

exhausted by forged packets.

In our design, authentic packets and forged packets are separated into dl-i. ;il sets.

The batch verification is carried out over each set. Therefore, each batch verification can

authenticate a set of packets and no more is needed. The deadlock experienced by the

block-based protocols can also be eliminated.

If an attacker wants to inject some forged packets into the batch consisting of

authentic packets, he must break the one-way property of Merkle tree. However, this

attempt fails because given the root of a Merkle tree it is infeasible to find out a packet

from which there is a path to the root due to the one-way property of hash functions.

Therefore, by using Merkle tree, our design can efficiently defeat DoS attacks.


Sender









Table 8-6. Comparisons between the block-based approach and the batch-based approach.

Schemes DoS Resilience Computational Overhead Communication Overhead
Hash chains Poor 0(1S + nH) 0(1S + anH), (a > 1)
(m, n)-Coding Poor O(1S + nH + 1C) O(1S + -H)
Batch signature Strong O(1S + nlognH) O(nS + nlognH)


However, the increased DoS resilience comes with more overhead, which is shown in

Table 8-6. For the computational overhead, both the block-based protocols and our design

require one signature verification operation on a block or a batch n packets. In addition,

the protocols using hash chains also require n hashes, and the ones using coding requires

n hashes and one coding operation. Our design requires nlogn hashes, which is more

expensive than the ones using hash chains and less expensive than the ones using coding.

However, the overall computation overhead of all these protocols at each receiver is at the

same level since hash operation is much more efficient (on the order of ps) than signature

operation (on the order of ms).

For the communication overhead over n packets, conventional protocols require an

overhead of one signature and O(n) hashes, while our design requires an overhead of

n signature and O(nlogn) hashes. The increased overhead is a trade-off for increased

security. However, when BLS is used [111], the signature length is 171 bits. A most

well-known hash algorithm SHA-1 generates a hash value of 160 bits. Therefore, our

protocol can also achieve the same level of communication efficiency as conventional

protocols.

8.7 Conclusion

In this paper, we proposed a new multicast authentication scheme called MABS

based on batch signature, which supports one signature verification over multiple packets

at the receiver. Three batch signature implementations were proposed. In particular,

we proposed our batch BLS and batch DSA, which are more efficient than the batch

RSA. Unlike the conventional block-based multicast authentication schemes, MABS can









perfectly tolerate packet loss and completely eliminate the authentication latency at

the sender and receivers. Combining with packet filtering, MABS can also defeat DoS

effectively.









CHAPTER 9
SECURITY OF IEEE 802.16 IN MESH MODE

9.1 Introduction

IEEE 802.16 standard [132], which is the base of WiMAX (worldwide interoperability

for microwave access) [133], is seen as a promising technology for next generation

broadband wireless access. Compared with IEEE 802.11 standard [134], it operates at

larger frequency band up to 66GHZ, covers longer distance up to 50km, and supports QoS

services. Therefore, 802.16 becomes an ideal choice for broadband wireless access systems

such as WLANs (wireless local area networks) or WMANs (wireless metropolitan area

networks).

IEEE 802.16 defines two modes. In the PMP (point-to-multipoint) mode, SSs

(subscriber stations, such as laptops) can reach the BS (base station) in one hop.

Otherwise, SSs shall operate in the Mesh mode such that those SSs form a multihop

network, which is called mesh network [135], to the BS.

Compared with the PMP topology, the mesh topology extends BS coverage, and its

flexibility on installation and configuration make it a promising architecture for future

WLANs and WMANs. In Fig. 9-1, for example, multiple laptops can form a WLAN of a

mesh topology, multiple wireless routers can form a WMAN of a mesh topology, and the

mesh WMAN bridges the gap between WLANs and the Internet.

Among all the topics in wireless networks, security is drawing intense attention

recently. When IEEE 802.11 is getting more and more popular in the deployment of

WLANs, many vulnerabilities have been found in the literature [136-140]. This becomes

a i i"r obstacle to many security-critical wireless applications such as online shopping or

secure communications.

The lessons from IEEE 802.11 make people more cautious and lead to the incorporation

of security design into IEEE 802.16. Based on DOCSIS (data over cable service interface

specifications) [141], which was designed to solve the last mile problem for cable systems,








Base
SStation


S\ MAN
WLANs \ 4^/


\/


Figure 9-1. Mesh networks.

IEEE 802.16 defines a PKM (privacy and key management) protocol. It provides
subscribers with privacy, authentication, or confidentiality across the fixed broadband
wireless network. It does this by applying cryptographic transforms to MPDUs carried
across connections between SS and BS.
However, IEEE 802.16 security still needs to be examined before its deployment.
Since mesh networks are gaining more and more interests and IEEE 802.16 is seen as
one of promising techniques to build up mesh networks, we believe that it is necessary to
analyze the security of IEEE 802.16 in mesh networks. However, there are only a few work
overviewing the potential vulnerabilities of IEEE 802.16 in PMP mode [142-144].
In this chapter, we analyze the security of IEEE 802.16 in mesh mode [145], point out
several potential threats and propose some possible solutions. We find out that though
IEEE 802.16 provides some security measures in conventional one-hop networks, it is very
vulnerable to malicious attacks in multihop environments. We also propose some security
improvements.









9.2 Security Architecture of IEEE 802.16 in Mesh Mode


IEEE 802.16 MAC (\I. '!iii i Access Control) defines a PKM protocol as a sublayer,

providing authentication, key management and data traffic privacy services.

IEEE 802.16 MAC is connection-oriented. Each SS establishes a connection to

associate with a service flow. In PKM, an SA (security association) is shared between

SS and BS for each connection to main its security state such as the cryptographic suite,

TEKs (traffic encryption keys) and IVs initializationn vectors) and managed by a TSM

(TEK state machine). An ASM (authorization state machine) is maintained by each SS

for authorization when entering the network and the initialization of TSMs.
A new SS can join a mesh network by the following process:

1. The SS searches for MSH-NCFG:Network Descriptor messages to synchronize with
the network and build up a list of available BSs and a list of neighboring SSs.

2. The new SS selects from its neighbors a potential Sponsor node. Meanwhile the new
SS becomes a Candidate node.

3. The Candidate node (the new SS) shall be authorized by an Authorization node (a
BS or a backed server) through the PKM protocol. The Sponsor node will tunnel
the PKM-REQ messages from the Candidate node to the Authorization node through
UDP protocol. Upon receiving tunneled PKM-RSP messages from the Authorization
node the Sponsor node forwards them to the Candidate node.

4. The Candidate node shall register itself at a Registration node (a BS or a backed
server) to get a Node ID. The Sponsor node again tunnels the REG-REQ message
from the Candidate node to the Registration node. Upon receiving the tunneled
REG-RSP from the Registration node the Sponsor node forwards it back to the
Candidate node.

5. After authorization the Candidate node becomes a regular node in the mesh network.
Then it will build connectivity at higher Iv-r-.

6. After entering the network, the new SS can establish links with nodes other
than its Sponsor Node by following a Challenge-Response process based on
MSH-NCFG:Neighbor Link Establishment messages.









Upon entering the network, the new SS starts for each neighbor a separate TSM for

each SA authorized by BS. Then the TSM takes charge of the SA maintenance, and the

ASM maintains the reauthorization of the SS.

9.3 Security Threats to IEEE 802.16 in Mesh Mode

In this section, we present the following potential threats to IEEE 802.16 standard in

mesh mode.

9.3.1 Topological Attacks

In the mesh network, every SS broadcasts MSH-NCFG:Network Descriptor messages

regularly. Each MSH-NCFG:Network Descriptor carries some physical lv--r information

for the new SS to acquire coarse synchronization. In addition, each MSH-NCFG:Network

Descriptor provides a list of available BSs and a list of neighboring SSs of the sender.

Those lists include information such as Node ID of BS or neighbors and the corresponding

hop-count. To join the network on initialization or after signal loss, a new SS shall search

for MSH-NCFG:Network Descriptor messages and build a physical neighbor list. Based on

the BS information, the new SS chooses a Sponsor node, which helps the new SS join the

network.

The problem here is that MSH-NCFG messages are not encrypted and authenticated.

This can lead to the attacks against network topology, which has been studied in ad hoc

and sensor networks [46].

By claiming a shorter path to BS, for example, a malicious node has much more

chance to become a Sponsor node. In this way, the Sponsor node can lure the network

entry traffic in the local area like a Sinkhole [33]. Then the Sponsor node can monitor,

modify or spoof the authorization information exchanged between new nodes and BS.

An example is illustrated in Fig. 9-2, where node A can create a sinkhole and becomes

the Sponsor for nodes B and C. In addition, false topological information contained in

MSH-NCFG messages can cheat the new SS into forming an incorrect view of network

topology, which can introduce problems to routing protocols.












S. A
LL \ /-1











Figure 9-2. Sinkhole attacks.

Attackers can even replay MSH-NCFG messages instead of modifying or spoofing.
One example is the Wormhole attack [61]. As is illustrated in Fig. 9-3. Attackers establish
a secret channel, tunnel MSH-NCFG messages from nodes A and B through the channel
and r p, them. In this way, nodes A and B believe they are neighbors of each other.
Attackers can also record MSH-NCFG messages at one place, move and reply them at
another place. Obviously, the distorted network topology can become a serious attack to


9.3.2 Authorization Threats
A Candidate node needs authorization to access the mesh network. This can be
achieved through a handshake between the Candidate node and an Authorization center.
The handshake is carried out by PKM-REQ and PKM-RSP messages (Fig. 9-4).
The Candidate node first sends a PKM-REQ:Auth Info message to the Authorization
center. The message only carries the X.509 certificate o e he manufacturer of the

Candidate node.



















k-BS~


Figure 9-3. Wormhole attacks.

Then the Candidate sends a PKM-REQ:Auth Request message to the Authorization
center. The message contains the Candidate's X.509 certificate issued by its manufacturer,
the Candidate's cryptographic capabilities, the Candidate's Basic CID.
The Authorization center verifies the Candidate's X.509 certificate with its manufacturer's
public key extracted from the PKM-REQ:Auth Info message. If the verification fails, the
Authorization center simply replies to the Candidate a PKM-RSP:Auth Reject message
containing an error-code and a di-!.1 i,--li i-.
If the Candidate is authentic, the Authorization center replies a PKM-RSP:Auth
Reply message. This message contains an AK (authorization key) encrypted with the
Candidate's public key, the AK lifetime, the AK sequence number, SA-descriptors, PKM
configuration, an OSS (operator shared secret), the OSS lifetime, the OSS sequence
number.
In the PMP mode, the AK is used for the Candidate to access the network. In the
Mesh mode, however, the Candidate shall use the OSS to access the network. Here the
OSS is shared by all the nodes in the mesh network.


atoo










Candidate Sponsor
--t UDP


PKM-REQ: Auth Info

PKM-REQ: Auth Request


Authorization
Center


t!


PKM-RSP: Auth Reply, or
PKM-RSP: Auth Reject


Figure 9-4. Node authorization.

Because the Candidate usually cannot communicate with the Authorization center
directly in the Mesh mode, the Sponsor node help to tunnel the PKM-REQ messages
from the Candidate to the Authorization center through UDP protocol and forward the
PKM-RSP messages tunneled back from the Authorization center to the Candidate.
The above process is supposed to guarantee the authenticity of the Candidate before
it joins the network. However, all the messages are not encrypted and authenticated.
Though the AK in PKM-RSP:Auth Reply messages is encrypted, it is useless in the Mesh
mode. Hence, there are several security holes failing the goal of the authorization process.
First, all the messages can be intercepted and modified by attackers between
the Candidate and the Sponsor. Though we can assume the UDP tunnel can prevent
eavesdropping and tampering from attackers between the Sponsor and the Authorization
center because all the links between the Sponsor and the Authorization are secured by
MAC lv,-r TEKs, we cannot guarantee the loyalty of the Sponsor. Therefore, a malicious
Sponsor as an internal attacker can also intercept all the messages and modify them.
In the PKM-REQ:Auth Request message, the Candidate includes its cryptographic
capabilities. The Authorization center chooses from them a set of cryptographic
algorithms that the Candidate node uses to communicate with the network. The


P.









stronger the algorithms are, the secure the traffic is. However, attackers can modify

the PKM-REQ:Auth Request message to prevent a weaker cryptographic setting to the

Authorization center so that a set of weak cryptographic algorithms is used to secure the

communication between the Candidate and the network. This is called the security level

rollback attack, which has been discussed in IEEE 802.11 [140].

In the PKM-RSP:Auth Reply message, the information of all SAs that the Candidate

can access is contained. An authorized SS should get the services to which it has

subscribed. But attackers can modify the SA information and remove any SA so that

the SS gets less or even no service, leading to the DoS (Denial of Service) attack.

In addition, an OSS is included in the PKM-RSP:Auth Reply. The OSS is used as

a global key shared by all the nodes in the network. The Candidate shall use the OSS

to establish links with neighbors and access the network. Unfortunately, the OSS can

be intercepted by attackers such that they can use it to join the network. Attackers can

even modify it so that the new node gets wrong OSS and thus fails to join the network.

Moreover, attackers can reduce the OSS lifetime so that the Candidate has to update its

OSS more frequently, leading to faster energy consumption.

Because the PKM-RSP:Auth Reject message is not authenticated, attackers can spoof

the message such that the Candidate fails in the authorization process, leading to the DoS

attack.

The entire authorization process is carried out in one connection, but there is no clear

definition of Authorization SA that is associated with the connection [142]. Therefore

the Authorization center is incapable of distinguishing the authorization messages from

different authorization processes. All the messages in an authorization process can be

rc 1 l I- 1.

In Fig. 9-5, for example, an attacker can intercept a PKM-REQ:Auth Request

message and later replay it to the BS B. The BS can not distinguish it from new

PKM-REQ:Auth Request messages and then reply with a PKM-RSP:Auth Reply message.









BS A


WA--


Figure 9-5. Replay attacks.


In this way, the attacker can learn the OSS. In another case, the attacker can replay the

intercepted PKM-REQ:Auth Request to another mesh domain registered at BS A. As well

BS A will accept the message and reply with a PKM-RSP:Auth Reply message, which

discloses the OSS used by BS A.

The authorization process is .,-vmmetric in that the Authorization center authenticates

the Candidate but not vice versa. This renders attackers an opportunity to impersonate

the Authorization center 9-6. An attacker can achieve this goal by intercepting PKM-RSP

messages from the Authorization center and replaying them or totally forging those

messages. The Candidate node cannot verify the authenticity of those messages. This will

leave the entire network under the control of the attacker and become a 1i iP r threat to

the authorization process. This is also the case in the PMP mode [142].

9.3.3 Threats to Link Establishment

After entering the network, the new SS can establish links with its neighbors other

than its Sponsor Node. The link establishment follows a Challenge-Response process

based on the OSS of the network (Fig. 9-7). All the messages exchanged between two


S B











BS
"B S"










Figure 9-6. False base station.


neighboring nodes are encapsulated in the MSH-NCFG:Neighbor Link Establishment

messages.

When node A needs to establish a link with node B, A sends a challenge,

HMAC{OSS, frame number, ID of node A, ID of node B},

where the OSS is the global key obtained in the authorization process and the frame

number is the last known frame number in which node B sent an MSH-NCFG message.

Upon receiving the challenge, node B computes the same value because it knows the

OSS and the fame number. If the two values do not match, node B returns a rejection. If

a match is achieved, node B accepts the link and replies a challenge response containing

HMAC{OSS, frame number, ID of node B, ID of node A},

where the frame number is the one of the MSH-NCFG message that node A just sent.

Node B also randomly selects and includes an unused Link ID indicating the link from B

to A.

Upon receiving the challenge response, node A verifies it like node B does. If a match

is achieved, node A replies an Accept. It also randomly selects and includes an unused

Link ID indicating the link from A to B. Otherwise, a rejection is returned.

The security of the 3-way handshake depends on the secrecy of OSS, which makes the

authentication between neighbors too weak. As is mentioned in Section 9.3.2, the OSS is











Node A Node B
Challenge

Challenge Response

Accept


Figure 9-7. Link establishment.


shared by all nodes and there are many opportunities for attackers to get it. For example,

a malicious node can disclose it to an external attacker, or the attacker directly eavesdrops

it when a new node gets a PKM-RSP:Auth Reply message from its Sponsor node. Using

the OSS, the attacker can join the network without being authorized and establish links

with its neighbor. Then the attacker can get services from its neighbors.

9.3.4 Threats to Teks

Each SA includes two TEKs at the same time. The TSM (TEK state machine)

associated with the SA is in charge of the TEK update for the SA (Fig. 9-8).

An SS can start to update its TEKs by sending a PKM-REQ:Key Request message

containing SS-Certificate, SAID, HMAC-Digest.

Its neighbor verifies the SS-Certificate. If the verification successes, the neighbor

replies with a PKM-RSP:Key Reply containing SAID, old TEK parameters, new TEK

parameters, HMAC-Digest. Otherwise, the neighbor replies with a PKM-RSP:Key Reject.

To protect the confidentiality of TEKs, The SS's public key extracted from the

PKM-REQ:Key Request message is used to encrypt TEK parameters. To protect the

integrity of TEKs, the HMAC-Digests are attached to these messages. However, those

HMAC-Digests are calculated with the OSS. This leads to possible message tampering

when the OSS is disclosed to attackers. In such a case, attackers cannot find TEKs, but

they can spoof a PKM-RSP:Key Reply including false TEKs encrypted with SS's public

key and authenticate the message with the OSS.











Node A Node B
PKM-REQ: Key Request

PKM-RSP: Key Reply / Key Reject

Figure 9-8. TEK update.


9.3.5 Traffic Threats

In IEEE 802.16, only data traffic is encrypted. Particularly, only the MAC PDU

p loadd is encrypted. The generic MAC header and all MAC management messages are

not encrypted. Therefore, attackers can eavesdrop or forge those clear information to raise

problems.

To protect data traffic, two cryptographic methods are defined: DES in CBC mode

[146] and AES in CC'\I mode [147]. DES-CBC provides confidentiality by encrypting the

MAC PDU Ilp load with corresponding TEKs. AES-CC\ I provides confidentiality and

authenticity for the MAC PDU Ip load. Particularly, AES-CC\ I algorithm appends an

8-byt ICV (Integrity C('!. 1: Value) to the end of the p loadd and then encrypting both

the p loadd and the ICV. Therefore, DES-CBC is weaker than AES-CC'\ because the

messages encrypted by DES-CBC can be tampered or spoofed. DES-CBC is required by

all the implementations of IEEE 802.16 devices but AES-CC\ I is optional. Attackers can

launch the Security Level Rollback attack as is mentioned in Section 9.3.2 to cheat the SS

and BS into using DES-CBC, which can give attackers more opportunities to attack the

data traffic.

9.4 802.16e Security in Mesh Mode

An amendment to IEEE 802.16-2004 [132] is passed in 2005 as IEEE 802.16e [148].

This amendment increases the support to mobile devices and the security. The original

PKM protocol in IEEE 802.16 becomes the PKMv1 protocol in IEEE 802.16e, and a new









protocol PKMv2 is incorporated. In this section, we talk about the security improvement

of 802.16e over 802.16 and discuss its threats.

9.4.1 Security Improvements
802.16e supports two authentication methods: RSA-based and EAP-based [149]. The
RSA-based authentication is similar to that in 802.16. The handshake is like:

1. RSA-Request (SS -+ BS): MS_Random, MS_Certificate, SAID, SigSS.

2. RSA-Reply (SS -- BS): MS_Random, BSRandom, Encrypted pre-PAK, Key
Lifetime, Key Sequence Number, BSCertificate, SigBS.

3. RSA-Acknowledgement (SS -+ BS): BS_Random, Auth Result Code, Error-Code,
Di' pl v-String, SigSS.

Here the differences are: random numbers are included in authentication messages

to prevent replay attacks; the BS includes its own certificate in the authentication reply

message to prove its identity. The optional EAP-based authentication can be used

independently or combined with the RSA-based one. The real EAP methods are not

specified in 802.16e. Both the methods support mutual authentication between SS and BS,

which is a significant improvement to 802.16.

A master AK (Authorization Key) is established between SS and BS during

authentication. Then the SS uses the AK to negotiate security capabilities and acquire

available SA information. Three messages are defined for the handshake: SA-TEK-C('i !! iI;;,

SA-TEK-Request and SA-TEK-Response. These messages are authenticated with message

authentication digests. Therefore attackers cannot forge these messages.

In addition to the DES-CBC and AES-CC\l methods in 802.16, 802.16e also defines

an AES-CTR mode [150] and an AES-CBC mode [151] to protect the MAC PDU p .lload.

These two methods provide confidentiality by encrypting the MAC PDU p loada.

9.4.2 Potential Threats

The MSH-NCFG:Network Descriptor message is still a security hole in 802.16e. It

can be modified or forged by attackers to launch topological attacks. Though 802.16e

introduces mutual authentication in the authorization process, it does not mention how









to distribute the OSS for the Mesh mode. Therefore, the threats to the OSS in 802.16 are

still problems. Attackers can find the OSS and use it to establish links with normal nodes.

All the management messages are not encrypted either and thus can be eavesdropped.

9.5 New Security Improvements

In this section, we propose some improvements to strengthen IEEE 802.16 security in

the Mesh mode.

9.5.1 Neighbor Authentication

In IEEE 802.16 Mesh mode, two neighbors rely on an OSS to establish a link. It is

vulnerable to attacks as is stated in previous sections. Here we propose to use certificates

to achieve authentication between neighbors.
Before a node establishes links with its neighbors, it must be authenticated by an
Authorization center through an authorization process. The node can acquire a certificate
issued by the Authorization center during the authorization process. We can call it a mesh
certificate. After that, the node can use the mesh certificate to join the network. The
entire process is performed as the following:

1. A B: A's mesh certificate.

2. B A: B's mesh certificate.

3. C'!i !!. '5ge (A B): encrypted nonce-A, frame number, ID-A, ID-B, A' signature.

4. ('!I !!. 'Ige-Response (B A): encrypted nonce-B, frame number, ID-B, ID-A, B'
signature.

5. Accept (A B): accept, A' signature.

Nodes A and B first exchange their mesh certificates. They verify each other's mesh

certificate with the Authorization center's public key and extracts each other's public key.

Then A sends an challenge to B, which includes a nonce-A encrypted with B's public key.

B uses A's public to verify A's signature to check the authenticity of the ('!C 11 i!1,, As

long as this verification success, node B accepts node A and decrypt nonce-A with its own

public key. Likewise, node A can authenticate node B based on the ('! .1, I, ,!:-Response









message and get nonce-B. At last, node A replies with an Accept message to finish the

handshake.

Now nodes A and B both know nonce-A and nonce-B. They can compute a link key

as

K-AB H(ID-A, ID-B, nonce-A, nonce-B) ,

where H() is a hash function such as HMAC or C \!AC in 802.16.
Later node A can use the link key K-AB to update TEKs from node B. The process is
the following:

1. Key Request (A -+ B): SAID, random number, MAC-Digest.

2. Key Reply (B -+ A): SAID, random number, encrypted old TEK parameters,
encrypted new TEK parameters, MAC-Digest.

Here the random numbers are used to prevent the replay attack. The shared link key

K-AB is used to compute MAC-Digests and encrypt TEK parameters.

The above neighbor authentication process is much secure than the original one in

IEEE 802.16, because it is based on mesh certificates instead of the global shared OSS.

In addition, the TEK update is secured by the shared link key instead of the original

public key. Because the TEK update is performed periodically, we can expect our neighbor

authentication process it is more efficient than the original one in IEEE 802.16.

9.5.2 Cryptographic Issues

Generally, RSA-based public key cryptography is more expensive in computation than

symmetric key cryptography. Therefore, the use of public key algorithms should be as less

as possible in a security protocol. Meanwhile the performance can be increased if more

efficient public key techniques are developed.

One substitute to the RSA-based public key cryptography is the elliptic curve

cryptography (ECC) [71, 72]. ECC can achieve the same level of security as RSA with

smaller key sizes. It has been shown that 160-bit ECC provides comparable security to

1024-bit RSA and 224-bit ECC provides comparable security to 2048-bit RSA [73]. Under

the same security level, smaller key sizes of ECC offer merits of faster computational









efficiency, as well as memory, energy and bandwidth savings. Therefore ECC can be

incorporated into IEEE 802.16 in future to replace RSA-based cryptography.

9.6 Conclusion

We discussed the security of IEEE 802.16 in mesh mode and found out it is very

vulnerable to malicious attacks in multihop environments. Some improvements were

proposed to secure IEEE 802.16 in Mesh mode.









REFERENCES


[1] C. E. Shannon, "Communication theory of secrecy systems," Bell System Technical
Journal, vol. 28, pp. 656-715, Oct. 1949.

[2] W. Diffie and M. E. Hellman, \. v- directions in cryptography," IEEE Transactions
on Information The..,;' vol. IT-22, no. 6, pp. 644-654, Nov. 1976.

[3] R. L. Rivest, A. Shamir, and L. Adleman, "A method for obtaining digital
signatures and public-key cryptosystems," Communications of the AC'll vol. 21,
no. 2, pp 120-126, Feb. 1978.

[4] S. Basagni, K. Herrin, D. Bruschi, and E. Rosti, "Secure pebblenets," Proceedings of
the 2nd AC' International Symposium on Mobile Ad Hoc Networking & Corq',,l,:,',
(Mobihoc'01), Long Beach, CA, Oct. 2001, pp. 156-163.

[5] A. Menezes, P. van Oorschot, and S. Vanstone, Handbook of Applied Cr;,.-''i ',','l,;i
CRC Press, ISBN: 0-8493-8523-7, Oct. 1996.

[6] A. Perrig, R. Szewczyk, J. D. Tygar, V. Wen, and D. E. Culler, "SPINS: Security
protocols for sensor networks," Wireless Networks, Kluwer Academic Publishers,
vol. 8, pp. 521-534, 2002.

[7] R. Blom, "An optimal class of symmetric key generation systems," Proceedings of
Advances in Cryptology: EUROCRYPT'8, Paris, France, Apr. 1984, pp. 335 338.

[8] C. Blundo, A. De Santis, A. Herzberg, S. Kutten, U. Vaccaro, and M. Yung,
"Perfectly-secure key distribution for dynamic conferences," Proceedings of the
12th Annual International Cr;i, .'/. '. '/;/ Conference on Advances in C'r;,ll'/ '1. ',/
(CRYPTO'92), Aug. 1992, pp. 471-486.

[9] Y. Zhou and Y. Fang, "A scalable key agreement scheme for large scale networks,"
Proceedings of the :'titi' IEEE International Conference on Networking, Sensing and
Control (ICNSC'06), Ft. Lauderdale, Florida, Apr. 2006, pp. 631-636.

[10] Y. Zhou and Y. Fang, "Scalable and deterministic key agreement for large scale
networks," to appear in IEEE Transactions on Wireless Communications.

[11] W. Lou, W. Liu and Y. Fang, "SPREAD: Enhancing data confidentiality in mobile
ad hoc networks," Proceedings of the :' :'., Annual Joint Conference of the IEEE
Computer and Communications Societies (INFOCOM'04), Hong Kong, China, Mar.
2004, vol. 4, pp. 2404-2413.

[12] A. Shamir, "How to share a secret," Communications of the AC'I] vol. 22, no. 11,
pp. 612-613, Nov. 1979.

[13] L. Eschenauer and V. Gligor, "A key management scheme for distributed sensor
networks," Proceedings of the 9th AC'If Conference on Computer and Communica-
tions S .. .; (CCS'02), Washington D.C., Nov. 2002, pp. 41-47.









[14] J. Spencer, The str ,,.g- logic of random ir' l,.- Algorithms and Combinatorics 22,
Springer-Verlag 2000, ISBN 3-540-41654-4.

[15] H. C'!i in A. Perrig and D. Song, "Random key predistribution schemes for sensor
networks," Proceedings of the 2003 IEEE Symposium on S,. i '; and P, ,'.. .;
(SP'03), Berkeley, CA, May 2003, pp. 197-213.

[16] R. D. Pietro, L. V. Mancini and A. Mei, "Random key-assignment for secure wireless
sensor networks," Proceedings of the 1st AC'[ Workshop on S. i.1 i, of Ad hoc and
Sensor Networks (SASN'03), Fairfax, VA, 2003, pp. 62-71.

[17] W. Du, J. Deng, Y. S. Han, and P. K.Varshney, "A pairwise key pre-distribution
scheme for wireless sensor networks," Proceedings of the 10th AC'I[ Conference on
Computer and Communications S.. iil (CCS'03), Washington, DC, Oct. 2003, pp.
42-51.

[18] D. Liu and P. Ning, "Establishing pairwise keys in distributed sensor networks,"
Proceedings of the 10th AC'_I Conference on Computer and Communications
S'..- ;, i (CCS'03), Washington, DC, Oct. 2003, pp. 52-61.

[19] D. Liu, P. Ning, and R. Li, "Establishing pairwise keys in distributed sensor
networks," AC'_\ Transactions on Information and System S.. 'i1i, vol. 8, no. 1, pp.
41-77, Feb. 2005.

[20] J. Hwang and Y. Kim, "Revisiting random key pre-distibution schemes for wireless
sensor networks," Proceedings of the .',./ AC'_[ Workshop on S,. i.1, of Ad hoc and
Sensor Networks (SASN'04), Washington, DC, Oct. 2004, pp. 43-52.

[21] J. Lee and D. R. Stinson, "Deterministic key pre-distribution schemes for distributed
sensor networks," Proceedings of the 11th International Workshop on Selected Areas
in Crlj*l''l,'r'i,;l (SAC'04), Waterloo, Canada, Aug. 2004, pp. 294-307.

[22] J. Lee and D. R. Stinson, "A combinatorial approach to key pre-distribution
mechanisms for wireless sensor networks," Proceedings of the 2005 IEEE Wireless
Communications and Networking Conference (WCNC'05), New Orleans, LA, Mar.
2005, pp. 1200-1205.

[23] S. A. Camtepe and B. Yener, "Combinatorial design of key distribution mechanisms
for wireless sensor networks," IEEE/ACI Transactions on Networking, vol. 15,
no. 2, pp. 346-358, Apr. 2007.

[24] D.S. Sanchez and H. Baldus, "A deterministic pairwise key pre-distribution scheme
for mobile sensor networks," Proceedings of the 1st IEEE/CreateNet International
Conference on S.. .i;ii, and P,.:. .., for Emerging Areas in Communications
Networks (SECURECOMM'05), Athens, Greece, Sep. 2005, pp. 277-288.

[25] H. C('i i, and A. Perrig, "Pike: peer intermediaries for key establishment in sensor
networks," Proceedings of the 24th Annual Joint Conference of the IEEE Computer









and Communications Societies (INFOCOM'05), Miami, FL, Mar. 2005, vol. 1, pp.
524-535.

[26] F. Delgosha and F. Fekri, "Key pre-distribution in wireless sensor networks using
multivariate polynomials," Proceedings of the :',../ Annual IEEE Communica-
tions S .. .: Ii; Conference on Sensor and Ad Hoc Communications and Networks
(SECON'05), Santa Clara, CA, Sep. 2005, pp. 118-129.

[27] F. Delgosha and F. Fekri, "Threshold key-establishment in distributed sensor
networks using a multivariate scheme," Proceedings of the 25th IEEE International
Conference on Computer Communications (INFOCOM'06), Barcelona, Spain, Apr.
2006, pp. 1-12.

[28] I. F. Akyildiz, W. Su, Y. Sankarasubramaniam, and E. C ivirci, "A survey on sensor
networks," IEEE Communication .I,',.r..',. vol. 40, no. 8, pp. 102-114, Aug. 2002.

[29] J. M. Kahn, R. H. Katz and K. S. J. Pister, \. :; century challenges: Mobile
networking for Smart Dust," Proceedings of the 5th Annual AC 'I/IEEE Interna-
tional Conference on Mobile Cor'npl,,l,: and Networking (\IOBICOM'99), Seattle,
WA, Aug. 1999, pp. 217-278.

[30] G. J. Pottie, W. J. Kaiser, "Wireless integrated network sensors," Communications
of the AC'_, vol. 43, no. 5, pp. 51-58, May 2000.

[31] Crossbow Technology, http://www.xbow.com/ 2006.

[32] Atmel Corporation, http://www.atmel. com/ 2006.

[33] C. Karlof and D. Wagner, "Secure routing in wireless sensor networks: attacks and
countermeasures," Proceedings of the 1st IEEE International Workshop on Sensor
Network Protocols and Applications (SNPA'03), Anchorage, AK, May 2003, pp.
113-127.

[34] R. Anderson and M. Kuhn, "Tamper resistance a cautionary note," PProceed-
ings of the :'../, USENIX Workshop on Electronic Commerce, Oakland, CA, Nov.
1996, pp. 1-11.

[35] A. Wood and J. Stankovic, "Denial of service in sensor networks," IEEE Computer
Ir,..:. vol. 35, no. 10, pp. 54-62, Oct. 2002.

[36] D. Liu and P. Ning, "Location-based pairwise key establishments for relatively static
sensor networks," Proceedings of the 1st ACM_ Workshop on S. .i;.1, of Ad hoc and
Sensor Networks (SASN'03), Fairfax, VA, Oct. 2003, pp. 72-82.

[37] W. Du, J. Deng, Y. S. Han, S. C'!i i: and P. K.Varshney, "A key management
scheme for wireless sensor networks using deployment knowledge," Proceedings of the
',.I Annual Joint Conference of the IEEE Computer and Communications Societies
(INFOCOM'04), Hong Kong, C('!,, ., Mar. 2004, pp. 586-597.









[38] D. Huang, M. Mehta, D. Medhi, and L. Harn, "Location-aware key management
scheme for wireless sensor networks," Proceedings of the .',.. AC_[ Workshop on
S .. ':, of Ad hoc and Sensor Networks (SASN'04), Washington, DC, Oct. 2004, pp.
29-42.

[39] Z. Yu and Y. Guan, "A robust group-based key management scheme for wireless
sensor networks," Proceedings of the 2005 IEEE Wireless Communications and
Networking Conference (WCNC'05), New Orleans, LA, Mar. 2005, vol. 4, pp.
1915-1920.

[40] D. Liu, P. Ning and W. Du, "Group-based key pre-distribution in wireless sensor
networks," Proceedings of the 4th AC_[ Workshop on Wireless S,. iii (WISE'05),
Cologne, Germany, Sep. 2005, pp. 11-20.

[41] L. Zhou, J. Ni and C.V. Ravishankar, "Efficient key establishment for group-based
wireless sensor deployments," Proceedings of the 4th AC I[ Workshop on Wireless
S'.;, .i;, (WISE'05), Cologne, Germany, Sep. 2005, pp. 1-10.

[42] L. Zhou, J. Ni and C. V. Ravishankar, "Supporting secure communication and data
collection in mobile sensor networks," Proceedings of the 25th IEEE International
Conference on Computer Communications (INFOCOM'06), Barcelona, Spain, Apr.
2006, pp. 1-12.

[43] F. Anjum, "Location dependent key management using random key-predistribution
in sensor networks," Proceedings of the 5th AC'I Workshop on Wireless S.. .ii1
(WISE'06), Los Angeles, CA, Sep. 2006, pp. 21-30.

[44] T. Ito, H. Ohta, N. Matsuda, and T. Yoneda, "A key pre-distribution scheme for
secure sensor networks using probability density function of node deployment,"
Proceedings of the 3rd ACI[ Workshop on S.. .;', of Ad hoc and Sensor Networks
(SASN'05), Alexandria, VA, Nov. 2005, pp. 69-75.

[45] Y. Zhou, Y. Zhang and Y. Fang, "LLK: A link-li--r key establishment scheme in
wireless sensor networks," Proceedings of the 2005 IEEE Wireless Communications
and Networking Conference (WCNC'05), New Orleans, LA, Mar. 2005, vol. 4, pp.
1921-1926.

[46] Y. Zhou, Y. Zhang and Y. Fang, "Key establishment in sensor networks based
on triangle grid deployment model," Proceedings of the 2005 IEEE Military
Communications Conference ('\II COM'05), Atlantic City, NJ, Oct. 2005, vol. 3, pp.
1450-1455.

[47] R. Merkle, "Secure communication over insecure channels," Communications of the
ACd!, vol. 21, no. 4, pp. 294-299, Apr. 1978.

[48] Y. Zhou and Y. Fang, "A two-li, r key establishment scheme for wireless sensor
networks," to appear in IEEE Transactions on Mobile Cori'n,1. I',:









[49] Y. Zhou and Y. Fang, "Scalable linh-l-, r key agreement in sensor networks,"
Proceedings of the t'itit; IEEE Military Communications Conference ('\II COM'06),
Washington, DC, Oct. 2006, pp. 1-6.

[50] W. Du, L. Fang and P. Ning, "LAD: localization anomaly detection for wireless
sensor networks," Journal of Parallel and Distributed Cor,,i,'l.:,,, Academic Press,
Inc., vol. 66, no. 7, pp. 874-886, Jul. 2006.

[51] Y. Zhou and Y. Fang, "Defend against topological attacks in sensor networks,"
Proceedings of the 2005 IEEE Military Communications Conference (1\!!':om'05),
Atlantic City, NJ, Oct. 2005, vol. 2, pp. 768-773.

[52] Y. Zhou and Y. Fang, "A location-based naming mechanism for securing sensor
networks," Wireless Communications and Mobile Corn-,l.I'I, Special Issue on
Wireless Networks S.. i iiWiley, vol. 6, no. 3, pp. 347-355, May 2006.

[53] N. Sastry, U. Shankar and D. Wagner, "Secure verification of location claims,"
Proceedings of the 2003 ACM Workshop on Wireless S.. .;, (WISE'03), San Diego,
CA, Sep. 2003, pp. 1-10.

[54] P. Corke, R. Peterson and D. Rus, \N I .-orked robots: flying robot navigation using
a sensor net," Proceedings of the 11th Internatonal Symposium of Robotics Research
(ISRR'03), Siena, Italy, Oct. 2003, pp. 234-243.

[55] C. Savarese, J. Rabaey and J. Beutel, "Locationing in distributed ad-hoc wireless
sensor networks," Proceedings of the 26th IEEE International Conference on
Acoustics, Speech, and S.:jl1 Processing (ICASSP'01), Salt Lake City, UT, May
2001, pp. 2037-2040.

[56] C. Karlof, N. Sastry and D. Wagner, "TinySec: A link li--r security architecture for
wireless sensor networks," Proceedings of the 2nd AC 'I International Conference on
Embedded Networked Sensor S,-. ,,- (SENSYS'04), Baltimore, MD, Nov. 2004, pp.
162-175.

[57] H. T. Kung and D. Vlah, "Efficient location tracking using sensor networks,"
Proceedings of the 2003 IEEE Wireless Communications and Networking Conference
(WCNC'03), March, 2003, vol. 3, pp. 1954-1961.

[58] R. Brooks, P. Ramanathan and A. ,i.,, "Distributed target classification and
tracking in sensor networks," Proceedings of the IEEE, vol. 91, no. 8, pp.1163-1171,
2003.

[59] M. Bellare, R. Canetti and H. Krawczyk, "Keying hash functions for message
authentication," Proceedings of the 16th Annual International Cr;,1ll'1. '.i/; Conference
on Advances in Cr, 'I, 1 l../,; (CRYPTO'96), Santa Barbara, CA, Aug. 1996, pp. 1-15.

[60] J. Newsome, E. Shi, D. Song, and A. Perrig, "The sybil attack in sensor networks:
analysis & defenses," Proceedings of the 3rd IEEE International Symposium on









Information Processing in Sensor Networks (IPSN'04), Berkeley, CA, Apr. 2004, pp.
259-268.

[61] Y. Hu, A. Perrig and D. B. Johnson, "Packet leashes: a defense against wormhole
attacks in wireless networks," Proceedings of the ';.l Annual Joint Conference of
the IEEE Computer and Communications Societies (INFOCOM'03), San Francisco,
CA, Mar. 2003, vol. 3, pp. 1976-1986.

[62] L. Hu and D. Evans, "Using directional antennas to prevent wormhole attacks,"
Proceedings of the 11th Annual Network and Distributed System S.. ,, iiSymposium
(NDSS'04), San Diego, CA, Feb. 2004.

[63] W. Wang and B. Bhargava, "Visualization of wormholes in sensor networks," Pro-
ceedings of the 2004 AC('I Workshop on Wireless S. ,I', (WISE'04), Philadelphia,
PA, Oct. 2004, pp. 51-60.

[64] S. Zhu, S. Setia and S. Jajodia, "LEAP: efficient security mechanism for large-scale
distributed sensor networks," Proceedings of the 10th AC '[ Conference on Computer
and Communications S. .:; (CCS'03), Washington, DC, Oct. 2003, pp. 62-72.

[65] Y. Zhang, W. Liu, W. Lou, and Y. Fang, "Securing sensor networks with
location-based keys," Proceedings of the 2005 IEEE Wireless Communications
and Networking Conference (WCNC'05), New Orleans, LA, Mar. 2005, vol. 4, pp.
1909-1914.

[66] B. Parno, A. Perrig and V. Gligor, "Distributed detection of node replication attacks
in sensor networks," Proceedings of the 2005 IEEE Symposium on S. I;, and
P,.:; r. ,; (SP'05), Berkeley/Oakland, CA, May 2005, pp. 49-63.

[67] Y. Zhou, Y. Zhang and Y. Fang, "Access control in wireless sensor networks," to
appear in Elsevier Ad Hoc Networks, Special Issue on S.. 'i;,ii in Ad Hoc and Sensor
Networks.

[68] R. Watro, D. Kong, S. Cuti, C. Gardiner, C. Lynn, and P. Kruus, "TinyPK:
securing sensor networks with public key technology," Proceedings of the .',;. AC'[
Workshop on S. .:1I'; of Ad hoc and Sensor Networks (SASN'04), Washington, DC,
Oct. 2004, pp. 59 64.

[69] J. R. Douceur, "The Sybil attack," Proceedings of the 1st International Workshop
on Peer-to-Peer S, -/i. m (IPTPS'02), Cambridge, MA, Mar. 2002, pp. 251-260.

[70] D. J. Malan, M. Welsh and M. D. Smith, "A public-key infrastructure for key
distribution in TinyOS based on elliptic curve cryptography," Proceedings of the
1st IEEE International Conference on Sensor and Ad Hoc Communications and
Networks (SECON'04), Santa Clara, CA, Oct. 2004, pp. 71-80.

[71] N. Koblitz, "Elliptic Curve Cryptosystems," Mathematics of Computation, vol. 48,
pp. 203-209, 1987.









[72] V. Miller, "Uses of Elliptic Curves in Cryptography," Advances in Cr;,.i 1/.I ;, -
CRYPTO'85, Santa Barbara, CA, 1985, pp. 417-426.

[73] S. Vanstone, "Responses to NIST's proposal," Communications of the AC'_, vol. 35,
pp. 50-52, Jul. 1992.

[74] 0. Goldreich, S. Goldwasser and S. Micali, "How to construct random functions,"
Journal of the AC'- vol. 33, no. 4, pp. 792-807, 1986.

[75] N. Gura, A. Patel, A. Wander, H. Eberle, and S. C. Shantz, "Comparing elliptic
curve cryptography and RSA on 8-bit CPUs," Proceedings of the 6th Interna-
tional Workshop on Cr,/''li.'l,'i,.:. Hardware and Embedded S,-l 11,- (CHES'04),
Cambridge, MA, Aug. 2004, pp. 119-132.

[76] D. W. Carman, P. S. Kruus and B. J. Matt, "Constraints and approaches for
distributed sensor network security," NAI Labs Technical Report #00-010, Sep. 2000.

[77] A. Perrig, J. Stankovic and D. Wagner, "Security in wireless sensor networks,"
Communications of the AC('_, vol. 47, no. 6, pp. 53-57, Jun. 2004.

[78] M. Manzo, T. Roosta and S. Sastry, "Time synchronization attacks in sensor
networks," Proceedings of the 3rd AC'I Workshop on S.. .ii, of Ad hoc and Sensor
Networks (SASN'05), Alexandria, VA, Nov. 2005, pp. 107-116.

[79] Y. Zhou and Y. Fang, "BABRA: batch-based broadcast authentication in wireless
sensor networks," Proceedings of the 49th Annual IEEE Global Telecommunications
Conference (GLOBECOM'06), San Francisco, CA, Nov. 2006, pp. 1-5.

[80] A. Perrig, R. Canetti, B. Brisco, D. Song, and D. Tygar, "TESLA: multicast
source authentication transform introduction," IETF working draft,
draft-ietf-msec-tesla-intro-01.txt.

[81] D. Liu and P. Ning, "Efficient distribution of key chain commitments for broadcast
authentication in distributed sensor networks," Proceedings of the 10th Annual
Network and Distributed System S.. iiSymposium (NDSS'03), San Diego, CA,
Feb. 2003.

[82] S. Rafaeli and D. Hutchison, "A survey of key management for secure group
communication," AC([ Cor,,n',:,., Surveys, vol. 35, no. 3, pp. 309-329, Sep. 2003.

[83] A. Perrig, R. Canetti, D. Song, and J.D. Tygar, "Efficient and secure source
authentication for multicast," Proceedings of the 8th Annual Network and Distributed
System S.. .,; Symposium (NDSS'01), San Diego, CA, Feb. 2001.

[84] I. Khalil, S. Bagchi and C. Nita-Rotaru, "DICAS: detection, diagnosis and isolation
of control attacks in sensor networks," Proceedings of the 1st IEEE/CreateNet Inter-
national Conference on S.. ,ii, and Pr':; ;, for Emerging Areas in Communications
Networks (SECURECOMM'05), Athens, Greece, Sep. 2005, pp. 89-100.









[85] C. Kaufman, R. Perlman and M. Speciner. Network Security: private communication
in a public world, 2nd Edition, Prentice-Hall, 2002.

[86] S. E. Deering, 1\! !1 !cast routing in internetworks and extended LANs," Proceed-
ings of the 1988 AC'_I Symposium on Communications Architectures and Protocols
(SIGCOMM'88), Stanford, CA, Aug. 1988, pp. 55-64.

[87] T. Ballardie and J. Crowcroft, l\!l!i icast-specific security threats and
counter-measures," Proceedings of the 2th Annual Network and Distributed Sys-
tem S,. ii; Symposium (NDSS 1995), San Diego, CA, Feb. 1995, pp. 2-16.

[88] P. Judge and M. Ammar, "Security issues and solutions in mulicast content
distribution: a survey," IEEE Network -.',,...:,. vol. 17, no. 1, pp. 30-36, Jan./Feb.
2003.

[89] Y. C('!i!! !, H. Bettahar and A. Bouabdallah, "A taxonomy of multicast data origin
authentication: issues and solutions," IEEE Communication Surveys & Tutorials,
vo. 6, no. 3, pp. 34-57, 2004.

[90] R. Gennaro and P. Rohatgi, "How to sign digital streams," Information and
Computation, Academic Press, vol. 165, no. 1, pp. 100-116, Feb. 2001.

[91] R. Gennaro and P. Rohatgi, "How to sign digital streams," Proceedings of the 17th
Annual Cr;,i '/. .'.,/; Conference on Advances in Cr;,i 1,/.'.l,/; (CRYPTO'97), Santa
Barbara, CA, Aug. 1997.

[92] A. Perrig, R. Canetti, J. D. Tygar, and D. Song, "Efficient authentication and
signing of multicast streams over lossy channels," Proceedings of the 2000 IEEE
Symposium on S. '1; and Pr,; ,' ., (SP'00), Berkeley, CA, May 2000, pp. 56-75.

[93] Y. C!i' !! I H. Bettahar and A. Bouabdallah, "A2Cast: an adaptive source
authentication protocol for multicast streams," Proceedings of the 9th Interna-
tional Symposium on Computers and Communications (ISCC'04), Alexandria,
Egypt, Jun. 2004, vol. 1, pp. 363-368.

[94] S. Miner and J. Staddon, "Graph-based authentication of digital streams," Proceed-
ings of the 2001 IEEE Symposium on S. .i; and P, .i;. ;I (SP'01), Oakland, CA,
M li- 2001, pp. 232-246.

[95] Z. Zli ,i.- Q. Sun, W-C Wong, J. Apostolopoulos and S. Wee, "A content-aware
stream authentication scheme optimized for distortion and overhead," Proceedings of
the .' iit; IEEE International Conference on Multimedia and Expo (IC\11;'06),
Toronto, Canada, Jul. 2006, pp. 541-544.

[96] P. Golle and N. Modadugu, "Authenticating streamed data in the presence of
random packet loss," Proceedings of the 8th Annual Network and Distributed System
S .- i Symposium (NDSS'01), San Diego, CA, Feb. 2001.









[97] Z. Z!i i:.- Q. Sun and W-C Wong, "A proposal of butterfly-graphy based stream
authentication over lossy networks," Proceedings of the 2005 IEEE International
Conference on Multimedia and Expo (IC'\!1'05), Amsterdam, Netherlands, Jul. 2005.

[98] S. Ueda, N. Kawaguchi, H. Shigeno and K. Okada, "Stream authentication scheme
for the use over the IP telephony," Proceedings of the 18th International Conference
on Advanced Information Networking and Application (AINA'04), Fukuoka, Japan,
Mar. 2004, vol. 2, pp. 164-169.

[99] A. C'i io and E. Rogers Sr., "A graph-theoretical analysis of multicast
authentication," Proceedings of the ',. International Conference on Distributed
Computing S,'1/. m- (ICDCS'03), Providence, RI, AT ,i 2003, pp. 155-162.

[100] C. K. Wong and S. S. Lam, "Digital signatures for flows and multicasts," Proceed-
ings of the 6th International Conference on Network Protocols (ICNP'98), Austin,
TX, Oct. 1998, pp. 198-209.

[101] C. K. Wong and S. S. Lam, "Digital signatures for flows and multicasts,"
IEEE/AC(' Transactions on Networking, vol. 7, no. 4, pp. 502-513, Aug. 1999.

[102] J. M. Park, E. K. P. C'!i.,i-. and H. J. Siegel, "Efficient multicast packet
authentication using signature amortization," Proceedings of the 2002 IEEE
Symposium on S.. a,'./ and Pr,; ,' ., (SP'02), Berkeley, CA, May 2002, pp. 227-240.

[103] J. M. Park, E. K. P. C'!i.,i-. and H. J. Siegel, "Efficient multicast stream
authentication using erasure codes," AC(\ Transactions on Information and
System S.. ,./; vol. 6, no. 2, pp. 258-285, ,li- 2003.

[104] A. Pannetrat and R. Molva, "Authenticating real time packet streams and
multicasts," Proceedings of the 7th IEEE International Symposium on Comput-
ers and Communications (ISCC'02), Taormina/Giardini N i::;- Italy, Jul. 2002, pp.
490-495.

[105] A. Pannetrat and R. Molva, "Efficient multicast packet authentication," Pro-
ceedings of the 10th Annual Network and Distributed System S.. 'i;,i, Symposium
(NDSS'03), San Diego, CA, Feb. 2003.

[106] Y. Wu and T. Li, "Video stream authentication in lossy networks," Proceedings of
the .'tii,' IEEE Wireless Communications and Networking Conference (WCNC'06),
Las Vegas, NV, Apr. 2006, vol. 4, pp. 2150-2155.

[107] C. Karlof, N. Sastry, Y. Li, A. Perrig, and J. D. Tygar, "Distillation codes and
applications to DoS resistant multicast authentication," Proceedings of the 11th
Annual Network and Distributed System S.. .; iiSymposium (NDSS'04), San Diego,
CA, Feb. 2004.









[108] C.A. Gunter, S. Khanna, K. Tan, and S. Venkatesh, "DoS protection for reliably
authenticated broadcast," Proceedings of the llth Annual Network and Distributed
System S,. ;'iI, Symposium (NDSS'04), San Diego, CA, Feb. 2004.

[109] L. Harn, "Batch verifying multiple RSA digital signatures," IEE Electronic Letters,
vol. 34, no. 12, pp. 1219-1220, Jun. 1998.

[110] M. Bellare, J. A. Garay and T. Rabin, 1 I-1 batch verification for modular
exponentiation and digital signatures," Proceedings of Advances in Cryptology:
EUROCRYPT'98, Espoo, Finland, May 1998, pp. 236-250.

[111] D. Boneh, B. Lynn and H. Shacham, "Short signatures from the weil pairing,"
Proceedings of the 7th International Conference on the Theory and Application of
Cri'. I' .,1;, and Information S ..' ihI Advances in Cryptology: ASIACRYPT'O1, Gold
Coast, Australia, Dec. 2001, pp. 514-532.

[112] FIPS PUB 186, Digital -..:i,,Ire standard (DSS), Ai- 1994.

[113] T. ElGamal, "A public key cryptosystem and a signature scheme based on discrete
logarithms," IEEE Transactions on Information Ti, ..,,, vol. IT-31, no. 4, pp.
469-472, Jul. 1985.

[114] D. N i. 1!, D. M'Raihi, S. Vaudenay, and D. Raphaeli, "Can D.S.A. be improved?
complexity trade-offs with the digital signature standard," Proceedings of Workshop
on the Theory and Application of Cr;',i .'lI.i'l, ,,.. Techniques Advances in C'r;,.i I 1. 'i;'
EUROCRYPT'94, Perugia, Italy, ti 1995, pp. 77-85.

[115] C. H. Lim and P. J. Lee, "Security of interactive DSA batch verification," IEE
Electronic Letters, vol. 30, no. 19, pp. 1592-1593, Sep. 1994.

[116] L. Harn, "DSA-type secure interactive batch verification protocols," IEE Electronic
Letters, vol. 31, no. 4, pp. 257-258, Feb. 1995.

[117] L. Harn, "Batch verifying multiple DSA-type digital signatures," IEE Electronic
Letters, vol. 34, no. 9, pp. 870-871, Apr. 1998.

[118] C. Boyd and C. Pavlovski, "Attacking and repairing batch verification schemes,"
Proceedings of the 6th International Conference on the Theory and Application of
Cri i'/., ',i;, and Information S ,. .ii; Advances in Cryptology: ASIANCRYPT'OO,
Kyoto, Japan, Dec. 2000, pp. 58-71.

[119] Y. Desmedt, Y. Frankel, and M. Yung, i !11! i-receiver/multi-sender network
security: efficient authenticated multicast/feedback," Proceedings of the 11th
Annual Joint Conference of the IEEE Computer and Communications Societies
(INFOCOM'92), Florence, Italy, l li, 1992, vol. 3, pp. 2045-2054.

[120] R. Canetti, J. Garay, G. Itkis, D. Micciancio, M. Naor, and B. Pinkas, \!ill t
security: a' .:: n..ni,- and some efficient constructions," Proceedings of the 18th









Annual Joint Conference of the IEEE Computer and Communications Societies
(INFOCOM'99), New York, NY, Mar. 1999, vol. 2, pp. 708-716.

[121] F. Bergadano, D. Cavagnino and B. Crispo, "Individual single-source authentication
on the mbone," Proceedings of the 2000 IEEE International Conference on Multime-
dia and Expo (IC'\II'00), New York, NY, Jul. 2000, vol. 1, pp. 541-544.

[122] A. Perrig, "The BiBa one-time signature and broadcast authentication protocol,"
Proceedings of the 8th AC'If Conference on Computer and Communications S .
(CCS'01), Philadelphia, PA, Nov. 2001, pp. 28-37.

[123] P. Barreto, H. Kim, B. Lynn, and M. Scott, "Efficient algorithms for pairing-based
cryp' --, i:-", Proceedings of the .'';.,1 Annual International Cr; / 1/./. i; Conference
on Advances in Cryptology: CRYPTO'02, Santa Barbara, CA, Aug. 2002, pp.
354-368.

[124] R. Rivest, "The MD5 message-digest algorithm," RFC 1319, April 1992.

[125] D. Eastlake and P. Jones, US secure hash algorithm 1 (SHA1), RFC 3174, Sep.
2001.

[126] N. Baric and B. Pfitzmann, "Collision-free accumulators and fail-stop signature
schemes without trees," Proceedings of International Conference on the Theory and
Application of Crii'li''',i'l/', Techniques Advances in Cryptology: EUROCRYPT'97,
Konstanz, Germany, May 1997, pp. 480-494.

[127] J. Benaloh and M. de Mare, "One way accumulators: a decentralized alternative
to digital signatures," Proceedings of International Conference on the Theory and
Application of Crii'lI ''',,'l/', Techniques Advances in Cryptology: EUROCRYPT" ',
Lofthus, Norway, M li, 1993, pp. 274-285.

[128] J. Camenisch and A. Li--i-i-1: i i "Dynamic accumulators and application to
efficient revocation of anonymous credentials," Proceedings of the ';., Annual
International Cr;,l/.I/. .i'/; Conference on Advances in Cr;,/'/. /.'i /; CRYPTO'02, Santa
Barbara, CA, Aug. 2002, pp. 61-76.

[129] M. Goodrich, R. Tamassia and J. Hasic, "An efficient dynamic and distributed
cryptographic accumulator," Proceedings of the 5th International Conference on
Information S. ,.:/ (ICIS'02), 2002, pp. 372-388.

[130] K. Nyberg, 1 I-I accumulated i I-1i6:- Proceedings of the 3rd International
Workshop on Fast Software En, ;';,'/.. (FSE'96), Cambridge, UK, Feb. 1996, pp.
83-87.

[131] T. Sander, "Efficient accumulators without trapdoor extended abstracts," Pro-
ceedings of the 2nd International Conference on Information and Communication
S .-,,./ (ICICS'99), Sydney, Australia, Nov. 1999, pp. 252-262.









[132] IEEE Std 802.16-2004, IEEE standard for local and metropolitan area networks, part
16: air `'*i,, ifr.: for fixed broadband wireless access si l-. im- June 2004.

[133] WiMAX Forum, http://www.;, .:,,i, f.Irum.org/home/, A li- 2006.

[134] IEEE Std 802.11-1999, Information '. -i,, ,.4.,i/;, telecommunications and infor-
mation 1i.,ri. between s;,;-1. -i local and metropolitan area networks -p'.. :I.
requirements part 11: wireless lan medium access control (1. IC) and j1,;''-."rl !hi;. ,
(PHY) .i ... w:l n.:.s, 1999.

[135] I.F. Akyildiz, X. Wang and W. Wang, "Wireless mesh networks: a survey,"
Computer Networks, Elsevier, vol. 47, pp. 445-487, Mar. 2005.

[136] N. Borisov, I. Goldberg and D. Wagner, "Intercepting mobile communications:
the insecurity of 802.11," Proceedings of the 7th Annual International Conference
on Mobile Computing and Networking (Mobicom'01), Rome, Italy, Jul. 2001, pp.
180-189.

[137] W.A. Arbaugh, N. Shankar, Y.C. Wan, and K. Zi !: ,- "Your 802.11 wireless
network has no clothes," IEEE Wireless Communications M ir: .:,.. vol. 9, no. 6, pp.
44-51, Dec. 2002.

[138] J. Bellardo and S. Savage, "802.11 denial-of-service attacks: real vulnerabilities and
practical solutions," Proceedings of the 12th USENIX S..;, .:;, Symposium (SEC'03),
Washington, DC, Aug. 2003, pp. 15-28.

[139] A. Mishra, N.L. Petroni, W.A. Arbaugh, and T. Fraser, "Security issues in IEEE
802.11 wireless local area networks: a survey," Wireless Communications and Mobile
Computing, Wiley, vol. 4, no. 8, pp. 821-833, Dec. 2004.

[140] C. He, J. C. Mitchell, "Security analysis and improvements for IEEE 802.11i,"
Proceedings of the 12th Annual Network and Distributed System S.. ;,iii, Symposium
(NDSS'05), San Diego, CA, Feb. 2005, pp 90-110.

[141] DOCSIS Home, http://www.cablemodem.com/, M 2006.

[142] D. Johnston and J. Walker, "Overview of IEEE 802.16 security," IEEE S ., .; &
Pi. i. .1 Mi... ,, vol. 2, no. 3, pp. 40-48, May/Jun. 2004.

[143] M. Barbeau, "Wimax/802.16 threat analysis," Proceedings of the 1st ACI[
International Workshop on QI.:I.i of Service &c S. .iii; in Wireless and Mobile
Networks (Q2SWINET'05), Montreal, Canada, Oct. 2005, pp. 8-15.

[144] F. Yang, H. Zhou, L, Z1i i-: and J. F. 1i:- "An improved security scheme in WMAN
based on IEEE standard 802.16," Proceedings of the 2005 International Conference
on Wireless Communications, Networking and Mobile Corn,,',/.:,. (WCNMC'05),
Wuhan, C('ii, Sep. 2005, vol. 2, pp. 1191-1194.









[145] Y. Zhou and Y. Fang, "Security of ieee 802.16 in mesh mode," Proceedings of the
*',i"i; IEEE Military Communications Conference (1\ !i!om 2006), Washington, DC,
Oct. 2006, pp. 1-6.

[146] IETF RFC 2405, The ESP DES-CBC Cipher Algorithm With Explicit IV, November
1998.

[147] IETF RFC 3610, Counter with CBC-MAC (CC('), September 2003.

[148] IEEE Std 802.16e-2005, IEEE standard for local and metropolitan area networks,
part 16: air :,,o. i f,,: for fixed and mobile broadband wireless access s;;/.l i-
amendment 2: 1l ;;'.. ,rl and medium access control 7.1 ,. for combined fixed and
mobile operation in licensed bands and i.,.: il. ,./lii,, 1, December 2005.

[149] IETF RFC 3748, Extensible Authentication Protocol (EAP), June 2004.

[150] IETF RFC :;;., Using Advanced En, ,; ,. i, Standard (AES) Counter Mode With
IPsec Ern.7-l.l l S,. l ;,. .;, Pr;1..';/ .. (ESP), January 2004.

[151] IETF RFC 3602, The AES-CBC Cipher A/l.,.:i, in, and Its Use with IPsec,
September 2003.









BIOGRAPHICAL SKETCH

Yun Zhou received a B.E. degree in electronic information engineering (2000) and

an M.E. degree in communication and information system (2003) from the Department

of Electronic Engineering and Information Science at the University of Science and

Technology of ('!i i, Hefei, C'iii i He is currently pursuing the Ph.D. degree in the

Department of Electrical and Computer Engineering at the University of Florida,

Gainesville, USA. His research interests are in the areas of security, cryptography, wireless

communications and networking, signal processing, and operating systems. He is a student

member of the IEEE.





PAGE 1

SECURITYINWIRELESSSENSORNETWORKS By YUNZHOU A DISSERTATIONPRESENTEDTOTHEGRADUATESCHOOL OFTHEUNIVERSITYOFFLORIDAINPARTIALFULFILLMENT OFTHEREQUIREMENTSFORTHEDEGREEOF DOCTOROFPHILOSOPHY UNIVERSITYOFFLORIDA 2007 1

PAGE 2

2

PAGE 3

3

PAGE 4

Myforemostgratitudegoestomyadvisor,Prof.Yuguang\Michael"Fang,forhisinvaluableguidance,encouragementandsupportwithmyyearsintheWirelessNetworksLaboratory(WINET).Prof.Fanghasnotonlyguidedmyresearchinthepastfewyearswithhisinsightsandknowledge,butalsowiththoughtfulnessandpatienceonmypersonalgrowth.Igratefullyacknowledgemyothercommitteemembers,Prof.SartajSahni,Prof.ShigangChen,andProf.DapengWuforservingonmysupervisorycommitteeandfortheirinvaluablesupportinvariousstagesofmywork.Iwouldnotbeawholesomegraduatestudentwithoutagroupofgreatfriends.IwouldliketoextendmythankstomyfantasticcolleaguesinWINET,whosepresencesandfun-lovingspiritsbuiltupawarm,family-likeenvironment.Ialsoappreciatetheircollaborationandinsightfuladvicethroughouttheseyears.Finally,Iamdeeplyindebtedtomyfriendswhohavealwaysbeenstandingbymyside.Withouttheircherishandunwaveringsupport,IwouldneverimaginewhatIhaveachieved. 4

PAGE 5

page ACKNOWLEDGMENTS ................................. 4 LISTOFTABLES ..................................... 11 LISTOFFIGURES .................................... 12 LISTOFABBREVIATIONS ............................... 14 ABSTRACT ........................................ 16 CHAPTER 1INTRODUCTION .................................. 18 2KEYAGREEMENTFORLARGESCALENETWORKS ............ 22 2.1Introduction ................................... 22 2.2KeyAgreementModels ............................. 24 2.2.1GlobalKey ................................ 24 2.2.2KeyServer ................................ 25 2.2.3PairwiseKey ............................... 25 2.2.4Matrix .................................. 26 2.2.5Polynomial ................................ 27 2.3OurModel .................................... 27 2.3.1MathematicalTool ........................... 28 2.3.2Assumptions ............................... 30 2.3.3ShareDistribution ............................ 30 2.3.4DirectKeyCalculation ......................... 32 2.3.5IndirectKeyNegotiation ........................ 32 2.4Analysis ..................................... 33 2.4.1NumberofSecurePaths ........................ 34 2.4.2NumberofDisjointSecurePaths .................... 34 2.4.3NumberofAgentNodes ........................ 34 2.4.4AnExample ............................... 35 2.4.5SecurityofDirectKeys ......................... 36 2.4.5.1Nodecompromiseinonesubspace .............. 36 2.4.5.2Nodecompromiseinallsubspaces .............. 37 2.4.5.3Choosedegreet 38 2.4.6SecurityofIndirectKeys ........................ 40 2.4.7MemoryCost .............................. 40 2.4.8ComputationOverhead ......................... 42 2.4.9CommunicationOverhead ....................... 42 2.5SecurityEnhancementofIndirectKeys .................... 43 5

PAGE 6

............... 45 2.6.1RandomKeyMaterialDistribution .................. 45 2.6.2DeterministicKeyMaterialDistribution ............... 47 2.6.3ComparisonsWithRelatedWork ................... 49 2.7Conclusion .................................... 50 3KEYESTABLISHMENTUSINGDEPLOYMENTKNOWLEDGEINWIRELESSSENSORNETWORKS ............................... 51 3.1Introduction ................................... 51 3.1.1SensorNetworkModel ......................... 51 3.1.2SecurityChallenges ........................... 52 3.1.3Attacks .................................. 54 3.1.3.1Attacktechniques ....................... 54 3.1.3.2Passivevs.active ....................... 55 3.1.3.3Externalvs.internal ..................... 55 3.1.4SecurityRequirements ......................... 56 3.2UniformKeyMaterialDistribution ...................... 57 3.3ASquareCellDeploymentModel ....................... 58 3.4NewDeploymentandSecretPre-DistributionModels ............ 59 3.4.1SecurityofLBKP ............................ 59 3.4.2AHexagonCellModel ......................... 60 3.4.3Edge-BasedSecretPre-Distribution .................. 61 3.4.4ATriangleCellModel ......................... 63 3.5Cell-basedPairwiseKeyEstablishment .................... 64 3.5.1NodeDeployment ............................ 64 3.5.2Polynomialdistribution ......................... 64 3.5.3PairwiseKeyEstablishment ...................... 65 3.5.4NodeAddition .............................. 66 3.5.5NodeRevocation ............................ 66 3.6AnalysisandEvaluation ............................ 67 3.6.1Security ................................. 67 3.6.2MemoryCost .............................. 70 3.6.3Connectivity ............................... 71 3.7Conclusion .................................... 74 4SCALABLEKEYESTABLISHMENTINWIRELESSSENSORNETWORKS 77 4.1Introduction ................................... 77 4.2TwoDimensionGridDesignforTLKandLLKEstablishment ....... 79 4.2.1NetworkModel ............................. 79 4.2.2SharePre-distribution .......................... 80 4.2.3DirectKeyCalculation ......................... 81 4.2.4IndirectKeyNegotiation ........................ 82 4.2.5LLKEstablishment ........................... 83 4.2.6TLKEstablishment ........................... 84 6

PAGE 7

......................... 85 4.2.7.1Memorycost ......................... 85 4.2.7.2Resiliencetonodecompromise ............... 87 4.2.7.3Localsecureconnectivity ................... 91 4.2.7.4Computationoverhead .................... 93 4.3ScalableLink-LayerKeyAgreementinSensorNetworks ........... 94 4.3.1NetworkModel ............................. 94 4.3.2ShareDistribution ............................ 95 4.3.3NodeDeployment ............................ 96 4.3.4Link-layerKeyAgreement ....................... 97 4.3.5PerformanceEvaluation ......................... 100 4.3.5.1Memorycost ......................... 100 4.3.5.2Security ............................ 101 4.3.5.3Localsecureconnectivity ................... 102 4.4Conclusion .................................... 104 5ALOCATION-BASEDNAMINGMECHANISMFORSECURINGSENSORNETWORKS ..................................... 105 5.1Introduction ................................... 105 5.2Location-basedNamingMechanism ...................... 107 5.2.1LocationDetermination ......................... 107 5.2.2Location-basedName .......................... 108 5.3LinkLayerSecurity ............................... 110 5.3.1EstablishingSharedKeys ........................ 111 5.3.2B-PhaseAuthentication ......................... 112 5.3.3C-PhaseAuthentication ......................... 114 5.4SecureSensorNetworks ............................ 115 5.4.1TheSybilAttack ............................ 116 5.4.2IdentityReplicationAttacks ...................... 116 5.4.3WormholeAttacks ............................ 117 5.4.4SinkholeAttacks ............................. 118 5.4.5HELLOFloodAttacks ......................... 118 5.4.6TheAcknowledgementSpoongAttack ................ 118 5.4.7TheNode-compromiseAttack ..................... 119 5.4.8TheMemoryExhaustionAttack .................... 119 5.5Discussion .................................... 120 5.6Conclusion .................................... 121 6ACCESSCONTROLINWIRELESSSENSORNETWORKS .......... 122 6.1Introduction ................................... 122 6.2ReviewofAttacks ................................ 124 6.2.1MaliciousNodesDeployment ...................... 124 6.2.2TheSybilAttack ............................ 124 6.2.3TheNodeReplicationAttack ..................... 125 7

PAGE 8

......................... 126 6.3AccessControl ................................. 126 6.3.1Necessity ................................. 126 6.3.2TheStateoftheArt .......................... 127 6.4OurProtocol .................................. 129 6.4.1Outline .................................. 129 6.4.2Assumptions ............................... 130 6.4.2.1Networkmodel ........................ 130 6.4.2.2Adversarymodel ....................... 131 6.4.3CryptographicPrimitive ........................ 131 6.4.4PredeploymentPhase .......................... 132 6.4.4.1Networkparameters ..................... 132 6.4.4.2Sensorparameters ...................... 133 6.4.5NodeDeployment ............................ 134 6.4.6NodeAuthentication .......................... 134 6.4.6.1Handshakebetweennewnodes ............... 134 6.4.6.2Handshakebetweenanewnodeandanoldnode ..... 136 6.4.7KeyEstablishment ........................... 137 6.5SecurityAnalysis ................................ 138 6.5.1NewNodeDeployment ......................... 138 6.5.2EavesdroppingandFalseReportsInjection .............. 138 6.5.3NodeCompromise ............................ 138 6.5.4AttackstoAccessControl ....................... 139 6.6Evaluation .................................... 140 6.6.1ECCvs.RSA .............................. 140 6.6.2ComparisonwithRelatedWork .................... 142 6.7Conclusion .................................... 144 7BABRA:BATCH-BASEDBROADCASTAUTHENTICATIONINWIRELESSSENSORNETWORKS ............................... 146 7.1Introduction ................................... 146 7.2TESLA ..................................... 147 7.3BABRADesign ................................. 148 7.3.1NetworkModel ............................. 148 7.3.2Architecture ............................... 149 7.3.3Bootstrapping .............................. 151 7.3.4CounteractingBogusPackets ...................... 151 7.3.5CountermeasurestoRadioJamming .................. 152 7.3.5.1Intermittentjamming .................... 152 7.3.5.2Continuousjamming ..................... 155 7.4Discussion .................................... 157 7.5Conclusion .................................... 158 8

PAGE 9

159 8.1Introduction ................................... 159 8.2RelatedWork .................................. 161 8.3MulticastAuthenticationOverLossyChannels ................ 162 8.3.1Assumptions ............................... 162 8.3.2BatchSignature ............................. 162 8.4BatchSignatureConstruction ......................... 164 8.4.1BatchRSASignature .......................... 164 8.4.1.1RSA .............................. 164 8.4.1.2BatchRSA .......................... 164 8.4.1.3Requirementstothesender ................. 165 8.4.2BatchBLSSignature .......................... 166 8.4.2.1BLS .............................. 166 8.4.2.2BatchBLS .......................... 167 8.4.2.3Requirementstothesender ................. 168 8.4.3BatchDSASignature .......................... 168 8.4.3.1HarnDSA ........................... 168 8.4.3.2HarnbatchDSA ....................... 169 8.4.3.3TheBoyd-Pavlovskiattack .................. 170 8.4.3.4OurbatchDSA ........................ 170 8.4.3.5Requirementstothesender ................. 171 8.5PerformanceEvaluation ............................ 172 8.5.1ResiliencetoPacketLoss ........................ 172 8.5.2AuthenticationLatency ......................... 173 8.5.3ComputationalOverhead ........................ 175 8.5.4CommunicationOverhead ....................... 176 8.6CounteractingDoS ............................... 177 8.7Conclusion .................................... 182 9SECURITYOFIEEE802.16INMESHMODE .................. 184 9.1Introduction ................................... 184 9.2SecurityArchitectureofIEEE802.16inMeshMode ............. 186 9.3SecurityThreatstoIEEE802.16inMeshMode ............... 187 9.3.1TopologicalAttacks ........................... 187 9.3.2AuthorizationThreats ......................... 188 9.3.3ThreatstoLinkEstablishment ..................... 192 9.3.4ThreatstoTeks ............................. 194 9.3.5TracThreats .............................. 195 9.4802.16eSecurityinMeshMode ........................ 195 9.4.1SecurityImprovements ......................... 196 9.4.2PotentialThreats ............................ 196 9.5NewSecurityImprovements .......................... 197 9.5.1NeighborAuthentication ........................ 197 9.5.2CryptographicIssues .......................... 198 9

PAGE 10

.................................... 199 REFERENCES ....................................... 200 BIOGRAPHICALSKETCH ................................ 213 10

PAGE 11

Table page 2-1BoundandpreciseratiosbetweentandN1 40 3-1Thealgorithmforpolynomialdistributing. ..................... 65 3-2Memorycost. ..................................... 71 4-1Memorycostofdierentschemes. .......................... 87 4-2Localsecureconnectivityofdierentschemes ................... 93 4-3Computationoverheadofdierentschemes. .................... 94 4-4Memorycostofdierentschemes .......................... 101 8-1Authenticationlatencyofdierentschemes. .................... 175 8-2Computationoverheadofdierentschemesforoneblock. ............. 176 8-3Computationaloverheadofdierentbatchschemes. ................ 176 8-4Communicationoverheadofdierentschemesforoneblock. ........... 177 8-5Communicationoverheadofsignatureschemes. .................. 177 8-6Comparisonsbetweentheblock-basedapproachandthebatch-basedapproach. 182 11

PAGE 12

Figure page 2-1Constructionofcredentialsaccordingtotheequation( 2{9 ). ........... 31 2-2Anexampleofkeygraphinthe3-dimensionIDspace. .............. 35 2-3Minimumrequiredpolynomialdegree. ....................... 41 2-4Thecommunicationoverhead. ............................ 44 3-1Awirelesssensornetwork. .............................. 52 3-2Asquarecelldeploymentmodel. .......................... 59 3-3Ahexagoncellmodel. ................................ 61 3-4Atrianglegridmodel. ................................ 64 3-5M=120. ....................................... 69 3-6M=240. ....................................... 70 3-7Theprobabilitythateachnoderesidesinitsowncellis0:9. ........... 75 3-8Theprobabilitythateachnoderesidesinitsowncellis0:99. ........... 76 4-1Atwo-dimensionsensornetwork. .......................... 80 4-2LLKestablishment. .................................. 84 4-3M=240. ....................................... 89 4-4M=180. ....................................... 90 4-5Topology.A)Beforedeployment.B)Afterdeployment. .............. 98 4-6Deploymentstrategy.A)Beforedeployment.B)Afterdeployment. ....... 99 4-7Nodecoverageinonecell. .............................. 104 5-1Asquarecelldeploymentmodel. .......................... 108 5-2Location-basedname. ................................ 110 6-1Attacks. ........................................ 127 6-2Handshakebetweentwonewnodes. ......................... 136 6-3Handshakebetweenanewnodeandanoldnode. ................. 137 7-1Onebatchofbroadcastandthebatchpacketformat. ............... 149 12

PAGE 13

...................... 151 7-3Thekeysurvivalprobability. ............................. 154 8-1Vericationrateundertherandomlossmodel. ................... 173 8-2Vericationrateundertheburstlossmodelwiththemaximumburstlength10. 174 8-3AnexampleofMerkletree. ............................. 180 8-4MABSarchitectureincludingtheDoScountermeasure. .............. 181 9-1Meshnetworks. .................................... 185 9-2Sinkholeattacks. ................................... 188 9-3Wormholeattacks. .................................. 189 9-4Nodeauthorization. .................................. 190 9-5Replayattacks. .................................... 192 9-6Falsebasestation. .................................. 193 9-7Linkestablishment. .................................. 194 9-8TEKupdate. ..................................... 195 13

PAGE 14

14

PAGE 15

15

PAGE 16

Abstractof DissertationPresentedtotheGraduateSchool oftheUniversityofFloridainPartialFulllmentofthe RequirementsfortheDegreeofDoctorofPhilosophy SECURITYINWIRELESSSENSORNETWORKS By YunZhou August2007 Chair:YuguangFang Major:ElectricalandComputerEngineering Rapidadvancesinwired/wirelessnetworkingtechnologyaregraduallyexpandingthe realmofubiquitoushigh-speednetworkaccess.Suchaprocessalsoencountersmoreand morethreatsandattacksfromthosewhoexploitvulnerabilitiesinnetworks.Thishas beenmotivatingresearchonsecurityinwirelessnetworks. Keyestablishmentistherststeptodevelopalltheothersecuritymechanisms, becausemostsecurityprotocolsdependonkeystooperatecorrectlyandprovidedesirable securityperformance.Inmyresearch,ascalableanddeterministickeyagreementmodel basedonamultivariatepolynomialandamultidimensionalgrid-basednetworktopology wasdevelopedtoenablekeyestablishmentinlargescalenetworkswithverylowmemory cost.Iwillshowthatmymodelcanachievethememorycostofseveralorderslowerthan thenumberofnodesinthenetwork,whiletraditionalmodelshavethememorycostat thesameorderasthenetworksize.Mymodelhasfoundapplicationsinwirelesssensor networkstoestablishhop-to-hopkeysandend-to-endkeys.Inaddition,Ialsoproposed anaccesscontrolprotocolbasedonellipticcurvecryptography(ECC)forwirelesssensor networks,whichaccomplishesnodeauthenticationandkeyestablishmentfornewnodes. Dierentfromconventionalauthenticationmethods,myprotocolcandefendagainstmost well-recognizedattacksinwirelesssensornetworks,andachievebettercomputationand communicationperformanceduetothemoreecientalgorithmsbasedonECC. 16

PAGE 17

17

PAGE 18

2 ,ascalableanddeterministickeyagreementmodelbasedonamultivariatepolynomialandamultidimensionalgrid-basednetworktopologyisintroducedtoenablekeyestablishmentinlargescalenetworkswithverylowmemorycost.Wewillshowthatourmodelcanachievethememorycostofseveralorderslowerthanthenumberofnodesinthenetwork,whiletraditionalmodelshavethememorycostatthesameorderasthenetworksize.Existingkeyagreementmodelscanbeusedtoestablishkeysinwirelesssensornetworks(WSN).Aproblem,however,comesasthecommunicationoverheadissignicantwhentwoneighboringnodesdonothavecorrelatedkeymaterialandthushavetorelyonamultihoppathtonegotiateasharedkey.Thisproblemcanbealleviatedbyleveragingnodedeploymentknowledgeinthesensethattwonodesthatwillbedeployedclosetoeachothercanbepreloadedwithcorrelatedkeymaterialsothattheyhaveahigherprobabilityofestablishingasharedkey.InChapter 3 ,weshowthatbyleveragingdeploymentknowledgewecanachievemuchbetterperformance. 18

PAGE 19

4 ,wecombineourkeyagreementmodelanddeploymentknowledgeandproposeanovelkeyestablishmentschemeforWSNs.Wewillshowthatourschemecannotonlyachieveecientkeyestablishmentbetweenneighboringnodesbutalsoestablishend-to-endkeysbetweentwonodesfarawayfromeachother.ConventionalWSNdesignsnameeverynodewithanidentierfromaone-dimensionnamespacethathasnomeaningbuthasidenticationfunction.However,itismuchmoreusefultoleteverynodeidentiercarrymorecharacteristicsofthenodeitself.Chapter 5 introducesthenamingproblemandproposesalocation-basednaming(LBN)mechanismforWSNs,inwhichdeploymentknowledgeisembeddedintonodeidentierandactsasaninherentnodecharacteristictoprovideauthenticationserviceinlocalaccesscontrol.WhenLBNisenforced,theimpactsofmanyattackstoWSNtopologycanbelimitedinasmallarea.Alinklayerauthentication(LLA)schemeisalsoproposedtofurtherdecreasetheimpactsofthoseattacks.OurLBNandLLAcanbecombinedandactasanecientsolutionagainstawiderangeofattacksinWSNs.ToextendthelifetimeofaWSN,newnodedeploymentisnecessary.Inmilitaryscenarios,adversariesmaydirectlydeploymaliciousnodesormanipulateexistingnodestointroducemalicious\new"nodesthroughmanykindsofattacks.Topreventmaliciousnodesfromjoiningthenetwork,accesscontrolisrequiredinthedesignofWSNprotocols.InChapter 6 ,weproposeanaccesscontrolprotocolbasedonellipticcurvecryptography(ECC)forWSNs.Ouraccesscontrolprotocolaccomplishesnodeauthenticationandkeyestablishmentfornewnodes.Dierentfromconventionalauthenticationmethodsbasedonthenodeidentity,ouraccesscontrolprotocolincludesboththenodeidentityandthenodebootstrappingtimeintotheauthenticationprocedure.Henceouraccesscontrolprotocolcannotonlyidentifytheidentityofeachnodebutalsodierentiatebetweenoldnodesandnewnodes.Inaddition,eachnewnodecanestablishsharedkeyswithitsneighborsduringthenodeauthenticationprocedure.Comparedwithconventionalsecuritysolutions,ouraccesscontrolprotocolcandefendagainstmostwell-recognizedattacksinWSNs,and 19

PAGE 20

7 ,weproposeanovelprotocol,calledbatch-basedbroadcastauthentication(BABRA)forWSNs.BABRAdoesnotrequiretimesynchronization,eliminatestherequirementofkeychain,andsupportsbroadcastforinniterounds.LikeTESLA,BABRAisalsoecientduetotheuseofsymmetrickeytechniques.Authenticationiscriticaltoensuretheoriginofamulticaststreaminhostileenvironments.Toavoidcomputationallyexpensivesignatureoperationsoneachpacket,conventionalschemesdivideamulticaststreamintoblocks,associateeachblockwithasignature,andspreadtheeectofthesignatureacrossallthepacketsintheblockthroughsomeecientoperationssuchashashorcoding.However,mostofconventionalschemessuerfromdrawbackssuchasvulnerabilitytopacketlossandDoSattacks.Moreover,mostofthemrequiretheentireblockwithitssignaturebecollectedbeforeauthenticatingeachpacketintheblock.Thisauthenticationlatencycanleadtothejittereecttorealtimeapplicationsatthereceiver.Unliketheblock-basedapproach,wedevelopanovelmulticastauthenticationschemebasedonbatchsignature(MABS)inChapter 8 .Particularly,eachpacketinastreamisattachedwithasignature.Thereceiverauthenticatesmultiplepacketsbycheckingtheirsignaturesthroughonlyonevericationoperation.WeproposetwobatchsignatureschemesbasedonBLSandDSAthataremoreecientthanbatchRSAsignaturescheme.MABScanachievecomputationaleciencywhileavoidingthedrawbacksofconventionalblock-basedschemes. 20

PAGE 21

9 ,weanalyzedtheIEEE802.16standardandfoundoutthatthoughIEEE802.16providessomesecuritymeasuresinconventionalone-hopnetworks,itisveryvulnerabletomaliciousattacksinmultihopenvironmentssuchaswirelessmeshnetworks.InordertostrengththedefenseofIEEE802.16inmeshnetworks,weproposedamesh-certicate-basedaccesscontrolandauthenticationschemeforWiMAX-basedmeshnetworks. 21

PAGE 22

1 ],ClaudeShannon,whohadestablishedinformationtheory,developedthetheoreticalframeworkforthesymmetrickeybasedcryptography.Inhiscryptographicalsystemmodel,therearetwoinformationsources,i.e.,amessagesourceandakeysource,atthetransmissionend.ThekeysourceproducesaparticularkeyKfromamongthosewhichareusableinthesystem.ThiskeyKistransmittedbysomemeans,supposedlynotinterceptable,forexamplebyamessenger,tothereceivingend.ThemessagesourceproducesamessageM(inthe\clear")whichisencipheredbytheenciphererTK.TheresultingciphertextEissenttothereceivingendbyapossiblyinterceptablemeans,forexampleradio.AtthereceivingendtheciphertextEandthekeyKarecombinedinthedeciphererT1KtorecoverthemessageM.ThetransformationTKanditsinverseT1Karepossiblyknowntothepublic.TheDie-Hellman[ 2 ]andtheRSA[ 3 ]algorithmsmarktheestablishmentoftheasymmetrickeybasedcryptography.Unlikeasinglekeyusedbyboththetransmissionendandthereceivingendinsymmetrickeysystems,therearetwokeysforeachendinasymmetrickeysystems.ThetransmissionendencryptsamessageMintoaciphertextEbyanencryptionkeyKthatbelongstothereceivingend.ThereceivingenddecryptstheciphertextEtogetthemessageMbyadecryptionkeyK1thatalsobelongstohimself 22

PAGE 23

23

PAGE 24

4 ].Theglobalkeymodelassumesallthenodesinthenetworkaretrustful,andthusthismodelcaneectivelypreventexternalattackersfromaccessingcriticalinformationthatissecuredbytheglobalkey.However,thisassumptioncanfailinsomescenarioswhenan 24

PAGE 25

5 ].Eachofothernodeshasasharedkey,whichcouldbepre-congured,withtheKDC/KTC,whichisacentraltrustedserver.KDC/KTChelpstoestablishasharedkeybetweenanytwonodes.AnexampleofapplyingKDCinWSNsisSPINS(securityprotocolsforsensornetworks)[ 6 ].TheKDC/KTCmodelhasameritoflowmemorycostforstoringkeymaterial.EachnodekeepsonlyonekeysharedwiththeKDC/KTC.Whenanewnodejoinsthenetwork,itcannegotiateasharedkeywithanyothernodeaslongasthenewnodeisconguredwithakeysharedwiththeKDC/KTC.Ontheotherhand,thecentralizedmodelalsomakestheKDC/KTCapotentialfailurepointinthesensethattheentirenetworkisbrokendowniftheKDC/KTCiscorruptedbyanattacker. 25

PAGE 26

2.Asthesizeofthenetworkincreases,thisnumberbecomesunacceptablylarge.Therefore,thepairwisekeymodelisusuallysuitableforsmallnetworks. 7 ]proposedamatrix-basedmodelbasedon.ForanetworkofNnodes,anoinecentralauthorityrstconstructsa(t+1)NpublicmatrixPoveraniteeldFq,wheretisasecuritythreshold.Thenthecentralauthorityselectsarandom(t+1)(t+1)symmetricmatrixSoverFq,whereSissecretandonlyknowntothecentralauthority.AnN(t+1)matrixA=(SP)Tiscomputed,where()Tdenotesthetransposeoperator.Thecentralauthoritypre-conguresthei-throwofAandthei-thcolumnofPtonodei,fori=1;2;:::;N.Afterthenetworkissetup,nodesiandjcanagreeonasharedkeybyexchangingtheircolumnsofPandcomputingthekey.Inparticular,nodeicomputesakeyKijastheproductofitsownrowofAandthej-thcolumnofPandnodejcomputesKjiastheproductofitsownrowofAandthei-thcolumnofP.BecauseSissymmetric,itiseasytosee: Therefore,nodespair(i;j)willuseKij=Kji,asasharedkey.Thematrixmodelhasat-securepropertyinthesensethatinanetworkofNnodesthecollusionoflessthant+1nodescannotrevealanykeysharedbyotherpairsofnodes.Thisisbecauseasleastt+1rowsofAandt+1columnsofParerequiredtosolvethesecretsymmetricmatrixS.Therefore,thematrixmodelcantolerateuptotcompromisednodes. 26

PAGE 27

8 ],Blundoetal.suggesttouseat-degreebivariatesymmetricpolynomialtoachievekeyagreement.ItisaspecialcaseofthematrixmodelinthesensethatthepublicmatrixPiscomposedwithnodeidentiersas: 9 10 ].Ithasthreecomponents,i.e.sharedistribution,directkeycalculation,indirectkeynegotiation.Inthesharedistributionpart,partialinformationofaglobalt-degree(k+1)-variatepolynomialisdistributedamongnodes.Allthepartialinformationcannotrevealtheglobalpolynomialbutcanhelpkeyagreementbetweennodes.Somenodesmaycalculate 27

PAGE 28

AllcoecientsofthepolynomialarechosenfromaniteeldFq,whereqisaprimethatislargeenoughtoaccommodateacryptographickey.Withoutspecicstatement,allcalculationsinthischapterareperformedovertheniteeldFq.A(k+1)-tuplepermutationisdenedasabijectivemapping 28

PAGE 29

Infact,nodeuandnodevachievethekeyagreementbyamarginalt-degreebivariatepolynomial,i.e., 29

PAGE 30

2.3.1 .Thispolynomialisusedtoderivesharesfornodes.Toachievekeyagreement,everynodenshouldhavekcredentials(c1;c2;:::;ck),whicharepositiveandpairwisedierentasrequiredinSection 2.3.1 .Thesecredentialscanbecreatedandpreloadedintonodesbeforedeployment.However,itrequiresadditional 30

PAGE 31

Constructionofcredentialsaccordingtotheequation( 2{9 ). memoryspacepernode.Fortunately,thekcredentialscanbederivedfromthekindicesinnodeID(n1;n2;:::;nk)byabijection,i.e., 2-1 ).Foranode(n1;n2;:::;nk),apolynomialshare iscalculated,where and(c1;c2;:::;ck)ismappedfrom(n1;n2;:::;nk)accordingtotheequations( 2{9 ).Obviously,theshareisat-degreeunivariatemarginalpolynomialoftheglobalpolynomialandhast+1coecients.Thenthepolynomialshareisassignedtothenode.Here,thenodeonlyknowsthet+1coecientsoftheunivariatepolynomialshare,butnotthecoecientsoftheoriginal(k+1)-variatepolynomial.Therefore,evenifthemarginal 31

PAGE 32

2.3.1 ,twonodescancalculateasharedkeyiftheircredentialshavek1elementsincommon.Duetotheone-to-onemappingintheequations( 2{9 ),twonodesuwithID(u1;u2;:::;uk)andvwithID(v1;v2;:::;vk)candirectlycalculateasharedkeywithoutanyinteractioniftheirIDs(identier)havek1indicesincommon.Supposethatthei-thindicesoftheirIDsaredierent.Thennodeucantakevi+1+N1++Ni1astheinputtoitsownsharef(c1;c2;:::;ck;xk+1),andnodevcanaswelltakeui+1+N1++Ni1astheinputtoitssharef(c1;c2;:::;ck;xk+1).Duetothepolynomialsymmetry,thedesiredsharedkeybetweennodesuandvhasbeenestablishedas Becauseallnodecredentialsofuandvaredrawnfromdierentsubspaceswhereanytwosubspaceshavenointersectionandui6=vi,thek+1credentialsusedtocalculatethesharedkeyarepairwisedierent.Thereforethesharedkeycalculatedbythenodesuandvisunique,i.e.,othernodesdonotknowthesharedkey.Anytwonodescandirectlycalculateauniquesharedkeywithoutanynegotiationifthereisonlyonemismatchbetweentheirk-tupleIDs. 32

PAGE 33

(vi1;ui2;ui3;:::;uij1;uij);(vi1;vi2;ui3;:::;uij1;uij);(vi1;vi2;vi3;:::;uij1;uij);...(vi1;vi2;vi3;:::;vij1;uij);becauseallneighboringnodesalongthepathhavedirectkeys.Itisworthnotingthattherearemanysecurepathsbetweennodeuandnodev.Anotherexampleis (ui1;ui2;ui3;:::;uij1;vij);(ui1;ui2;ui3;:::;vij1;vij);...(ui1;ui2;vi3;:::;vij1;vij);(ui1;vi2;vi3;:::;vij1;vij):Theexistenceofmultiplepathsindicatesthestrongresilienceofourschemeinthefaceofnodecompromise. 33

PAGE 34

34

PAGE 35

Anexampleofkeygraphinthe3-dimensionIDspace. 2-2 .Supposenode(u1;u2;u3)needstoestablishasharedkeywithnode(v1;v2;v3),whereall3indicesintheirIDsaremismatching.Theycandetermine6agentnodes.Allthese8nodesformacubeinthe3-dimensionIDspace.Thereare6pathsfromnodeutonodev,inwhich3aredisjoint.Forexample,3disjointpathsare(u1;u2;u3)!(v1;u2;u3)!(v1;v2;u3)!(v1;v2;v3);(u1;u2;u3)!(u1;u2;v3)!(v1;u2;v3)!(v1;v2;v3);and(u1;u2;u3)!(u1;v2;u3)!(u1;v2;v3)!(v1;v2;v3):Obviously,theabovesetofdisjointpathsisnotunique. 35

PAGE 36

2.3.1 ).Ithasbeenshownin[ 8 ]thatat-degreebivariatepolynomialist-secureinthatthecoalitionbetweenlessthan(t+1)nodesholdingsharesofthet-degreebivariatepolynomialcannotreconstructit.ToguaranteeanypairofnodesinSihaveadirectkeythatisunsolvablebyotherNi2nodes,an(Ni2)-securebivariatepolynomialshouldbeused.Hence,thedegreeofpolynomialshouldsatisfy 0Ni2t;i=1;2;:::;k:(2{16) 36

PAGE 37

2equations,i.e., N1N1(N1+1) 2+N N2N2(N2+1) 2++N NkNk(Nk+1) 2=1 2(kYi=1Ni)(kXi=1Ni+k); wherethetotalnumberofnodesinthenetworkisN=N1N2Nk.Thenumberofcoecientsofat-degree(k+1)-variatesymmetricpolynomialis[ 8 ] 37

PAGE 38

2(kYi=1Ni)(kXi=1Ni+k)t+k+1k+1:(2{20) 2{16 )and( 2{20 )canbechosen.Eachnodeneedstokeepat-degreeunivariatepolynomial,whichhast+1coecients.Thus,tominimizememorycostpernode,weshouldusethepolynomialwhichhasminimumdegreesatisfyingtheaforementionedconditions.HereweconsideracommoncasewhereNi=N1fori=1;2;:::;k,i.e.,allsubspaceshavethesamenumberofindices.Thus,theinequalityin( 2{20 )canbechangedto k+1+1t k+1t k1+1t Wecanprovethatwhen (2{22) theinequality( 2{21 )canbesatised. 38

PAGE 39

k+1+1t k+1t 2(k+1)!tkN1k+1p 2(k+1)!=k k+1(k+1)(k+2) 2k+1p 2k+1p 2N1k>k wherek2.Becauset+k+1k+1isamonotonicincreasingfunctionoft,thesolutionof( 2{21 )shouldbe[t;1),wheretistheminimumdegreesatisfying( 2{21 ).Becausethesolutionof( 2{22 )isthesubsetofthesolutionof( 2{21 ),theminimumglobalpolynomialdegreetcanbeboundedas whereratio 2: ThesecondcolumninTable 2-1 givessomeboundratioswhenkissmall.Figure 2-3 illustratesthepreciseratioofttoN1respecttoN1.WecanseewhenN1becomeslarge,thevalueoftbecomesstableandtherealratioisboundedbyr.SomeaverageratiosaregiveninthethirdcolumninTable 2-1 whenkissmall.Obviouslywhentheconditionin 39

PAGE 40

BoundandpreciseratiosbetweentandN1 theinequality( 2{20 )issatised,theconditionintheinequality( 2{16 )isautomaticallysatised. Becausethemaximumnumberofmismatchesink-dimensionIDspaceisk,themaximumprobabilitythattheexchangedkeyisexposedis Obviously,bytuningk,ourschemecanachieveatrade-obetweensecurityandmemorycostinlargescalenetworks. 40

PAGE 41

Minimumrequiredpolynomialdegree. usedis Whenallsubspacesareequalsized,thememorycostfornodeIDis Inaddition,eachnodeinthenetworkkeepsat-degreeunivariatepolynomialshare,whichhast+1coecientsdrawnfromtheniteeldFq.Withtheboundcalculatedintheprevioussection,weknowthememorycostpernodeforpolynomialsharecanbe 41

PAGE 42

2+1!logq: Duetothelargevalueofq,usuallywehaveMIDMp.Thus,thetotalmemorycostis 2+1!logqkp Obviously,comparedwithconventionalprobabilisticdistributedmodels,whichhavememorycostatthelevelofO(N),ourschemehasverysmallmemorycostpernode,whichisontheorderO(kp 2kp 42

PAGE 43

whereN=Nk1.SeveralcaseswhenkissmallaredepictedinFig. 2-4 11 ]. 43

PAGE 44

Thecommunicationoverhead. Supposenodeuneedstonegotiateanindirectkeywithv.NodeumayrandomlyselectakeyKuvandconstructanewpolynomialas Then,Shamir's(s+1;T)thresholdsecretsharingscheme[ 12 ]canbeapplied.Specically,Tsharescanbecalculatedas whereTs+1. 44

PAGE 45

11 ].SupposeuandvhavejmismatchesintheirIDs,whichmeanstherearejdisjointsecurepathsbetweenthem.ThennodeumaytransmitT=jsharesalongeachsecurepathtonodev.Oncenodevgetss+1outofTshares,itcanrecoverthepolynomialg(x)andgetthekeyKuvbyLagrangeinterpolation.ThevalueTshouldbechosenproperlysuchthatthepolynomialg(x)cannotberecoveredevenifj1outofjsecurepathsarecorrupted.ThusTshouldsatisfy =)s+1T
PAGE 46

13 ],inwhicheachnodeispre-loadedwithasubsetofkeys,calledkeyring,randomlyselectedfromaglobalpoolofkeyssuchthatanypairofneighboringnodescanshareatleastonekeywithacertainprobability.Afterdeployment,twoneighboringnodescanhaveasharedkeydirectlyornegotiateanindirectkeythroughasecurepath,alongwhicheverypairofneighboringnodeshasadirectsharedkey.ThetheoreticbaseofRKPisrandomgraph[ 14 ].ArandomgraphG(n;p)isagraphofnnodesforwhichtheprobabilitythatalinkexistsbetweentwonodesisp.Thegraphdoesnothaveanyedgeifp=0orisfullyconnectedifp=1.Thereisatransitionfromnon-connecttofully-connectwhenpincreases.RKPexploitsthispropertybysettingplargerthanacertainvaluesuchthatthenetworkisalmostconnected.Herethesizeofglobalkeypoolandthesizeofkeyringforindividualnodecanbetunedtoachievesuchaproperty.AmajorconcernofRKPisnodecompromise.Therandomselectionofkeyringforeachnodemeansthereuseofeachkeybymultiplenodes.Anattackermaycompromiseanodeandexposeitskeyring,outofwhichsomekeysmaybeusedbyothernon-compromisednodes.Thisleadstothefailuresofthelinksbetweenthosenon-compromisednodes.Tomitigatetheimpactofnodecompromise,severalfollowingschemesareproposed.q-compositeRKP[ 15 ]followsRKPexceptthatanypairofneighboringnodesarerequiredtoshareatlestqkeyswithacertainprobability.q-compositeRKPcanimprovetheresiliencetonodecompromisewhenthenumberofcompromisednodesissmall.Unfortunately,itisnoteectivewhenthenumberislarge.AnotherproblemofRKPisthelackofauthenticationbecauseofthereuseofthesamekeybymultiplenodes.Tosolvetheproblem,nodeidentityinformationisusedto 46

PAGE 47

16 ].Asimilarapproachistakenintherandom-pairwisekey(RPK)[ 15 ]scheme,whereeachnodekeepsasetofkeys,eachofwhichisuniquelysharedwithanothernode.Duetal.developedthemultiple-spacekeypre-distribution(MSKP)schemein[ 17 ],wheretheglobalkeypoolin[ 13 ]isreplacedbyapoolofBlom'smatrices[ 7 ].LiuandNing[ 18 19 ]presentedthepolynomialpool-basedkeypre-distribution(PPKP)scheme,whichisbasicallythesameasMSKP,buteachBlom'smatrixisreplacedbyapolynomial[ 8 ].Inthoseschemes,eachkeyistiedtotheidentitiesofthenodessharingit.Inthisway,theidentityofanodecanbeveriedthroughthenormalchallenge-responseapproachbyothernodesthatsharetheuniquekeywithit.Particularly,averiernodecansendanencryptedrandomnumber,calledachallenge,tothesuspectnode,andthesuspectnodecanproveitsidentitybyreturningthedecryptedresulttotheveriernode.RKPrequiresthestorageofakeyringbyeachnodetomakethenetworkalmostconnected.Insomecaseswheresensornodesdonothaveenoughmemoryresource,thisbecomesaproblem.HwangandKim[ 20 ]revisitedRKPanditsfollow-upschemesandproposedtoreducetheamountofkeymaterialthateachnodekeepswhilestillmaintainingacertainprobabilityofsharingakeybetweentwonodes.Theprobabilitycanassurethatthereisalargestcomponentofthenetworkconnectingmostnodes.Thetrade-oisthatsomesmallsetsofnodesmaybeisolatedbecausetheydonotsharekeyswiththelargestcomponent. 47

PAGE 48

21 { 23 ].Ina(n;r;;)stronglyregulargraph,therearennodes,eachofwhichhasadegreeofrandanypairofwhichhascommonneighborswhentheyareadjacentandcommonneighborswhentheyarenonadjacent.Inthestronglyregulargraph,everypairofnodesisconnectedthroughapath.Eachlink(edge)canbeassignedwithauniquekeywhichispreloadedintothetwoendvertices(nodes).Besidestheregulargraph,theblockdesigninsettheorycanbeusedinkeypredistribution,inwhichallthenodesformacompletegraphatthenetworklayer.Thetoolisthebalancedincompleteblockdesign(BIBD).A(v;r;)-BIBDisanarrangementofvobjectsintomanyblockssuchthateachblockcontainsrdistinctobjectsandeverypairofobjectsoccursinexactlyblocks.Forexample,whenan(n2+n+1;n+1;1)-BIBDisappliedinaWSN,eachsensornodeispreloadedwithn+1keys,whichformablockoutofapoolofn2+n+1keys,andeverypairofnodeshaveonecommonkey.In[ 24 ],theBIBDdesigniscombinedwiththepolynomialmodel[ 8 ]inthesensethateachsensornodeispreloadedwithpolynomials.TheirschemeenablesauthenticationinadditiontothosepropertiesprovidedbytheoriginalBIBDdesign.Theotherapproachistouseamulti-dimensiongridtoreplacetherandomgraph,whichisfollowedbyourmodel[ 9 10 ].Particularly,eachsensornodeisassignedanID(n1;n2;:::;nk)suchthatallthenodesformak-dimensiongrid.Eachnodeispreloadedwithsomekeymaterialsuchthatitcanestablishdirectsharedkeyswithothernodesalongthesamedimensionandnegotiateindirectkeyswithothernodesindierentdimensions.Therearealsoseveralsimilarworkfollowingthegridapproach.PIKE[ 25 ]simplyassignsauniquekeyforeachpairofnodesalongeachdimension.Hypercube[ 18 19 ]isthesameasPIKEexceptthatitusesbivariatepolynomialsinsteadofkeystoachievekeyagreementbetweennodesalongeachdimension.DelgoshaandFekri[ 26 27 ]followHypercube[ 18 19 ]butusemultiplemultivariatepolynomialstoestablishmultiplecommonkeysbetweeneachpairofnodesalongeachdimension. 48

PAGE 49

6 ],needatrustedservertofacilitatekeyagreementbetweenanytwonodes.Thetrustedservercanbeapotentialfailurepoint.Distributedmethodsaremoresecureduetotheeliminationofthefailurepoint.Distributedmodelssuchaspairwisekey,matrix[ 7 ]andpolynomial[ 8 ]lackscalabilitybecauseoftheirlargememorycostofN1inanetworkofNnodesandthusonlysuitableinsmallnetworks.Probabilisticschemes[ 13 15 { 19 ]canprovideacertainlevelofscalabilitywiththetradeothattheycannotguaranteethateverypairofnodesestablishasharedkey.Thoughthememorycostofthoseschemesislessthanstandarddistributedmodelsincludingpairwisekey,matrix[ 7 ]andpolynomial[ 8 ],thememorycoststillincreaseslinearlywithrespecttothetotalnumberofnodesiftheyneedtoachieveacertainlevelofsecurityorcommunicationeciency[ 25 ]andthusisattheorderofO(N).Keyreuseisoffatalunderthenodecompromiseattack.Moreover,thoseschemesaretargetedatthekeyestablishmentbetweenneighboringnodes,whileourmodelcanachievetheend-to-endkeyagreement.Graph-baseddesign[ 21 { 23 ]canensurekeysharingdirectlyorindirectlybetweenanypairofnodes.Intheirschemes,however,eachkeyisalsoreusedbymanysensornodesasintheprobabilisticschemes.Thisleadstopoorresiliencetonodecompromiseinthatonecompromisednodecanexposekeysbelongstoothernon-compromisednodes.Inaddition,thememorycostoftheirschemesisroughlyO(p 49

PAGE 50

19 25 { 27 ],thememorycostisatthelevelofk(kp 2+1andcanachievemorememoryeciencywhenkincreases.Anothermeritofourmodelisthatthecommunicationoverheadtendstobeaconstant(/L,whereListheaveragepathlengthbetweenapairofnodesthathaveonlyonemismatchintheirIDs)whenthenetworksizeislargerthanacertainthreshold(refertoFig. 2-4 ).Thismeansourschemecanprovideagoodscalability.Ontheotherhand,thecommunicationoverheadcanbereducedifwecouldreducethevalueofL.WewillshowinChapters 3 and 4 thatinstaticnetworks(suchassensornetworks)deploymentinformationcanbeusedtoreducethevalueofLandthusreducethecommunicationoverhead. 9 10 ].Ourmodelisscalableforlargenetworkswithsmallmemorycostpernode.WeshowthatourmodelhasonlyO(kp 50

PAGE 51

28 { 30 ],apromisingnetworkinfrastructureformanyapplications,suchasenvironmentalmonitoring,medicalcaring,homeappliancemanagements.Thisisparticularlytrueforbattleeldsurveillanceandhomelandsecurityscenarios,becauseWSNsareeasytodeployandself-conguredforthoseapplications.Inmanyhostiletacticalscenariosandimportantcommercialapplications,however,securitymechanismsarenecessarytoprotectWSNsfrommaliciousattacks,andthusthesecurityinWSNsbecomesanimportantandachallengingdesigntask. 28 { 30 ].Usually,sensornodesaredeployedinadesignatedareabyanauthoritysuchasgovernmentormilitaryunit,andthenautomaticallyformanetworkthroughwirelesscommunications.Sensornodesarestaticmosttime,whilemobilenodescanalsobedeployedaccordingtoapplicationrequirements.Oneorseveralbasestations(BS)aredeployedtogetherwiththenetwork.ABScanbeeitherstaticormobile.Sensornodeskeepmonitoringthenetworkareaafterbeingdeployed.Onceaneventofinterestoccurs,oneofthesurroundingsensornodesmaydetectit,generateareportandtransmitthereporttoaBSthroughmultihopwirelesslinks.Collaborationcanbecarriedoutifmultiplesurroundingnodesdetectthesameevent.Inthiscase,oneofthemgeneratesanalreportaftercollaboratingwiththeothernodes.TheBSmayprocessthereportandthenforwarditthrougheitherhighqualitywirelessorwiredlinkstotheexternalworld 51

PAGE 52

Awirelesssensornetwork. forfurtherprocessing.TheWSNauthoritymaysendcommandsorqueriestoaBS,whichspreadsthosecommandsorqueriesintothenetwork.HenceBSsactasgatewaysbetweentheWSNandtheexternalworld.AnexampleisillustratedinFig. 3-1 .SinceaWSNconsistsofalargenumberofsensornodes,eachsensornodeisusuallylimitedinitsresourceduetothecostconsiderationinmanufacturing.Forexample,MICA2MPR400CB[ 31 ],whichisthemostpopularsensornodeplatform,hasonly128KBprogrammemoryandan8-bitATmega128LCPU[ 32 ].Itsdatarateis38:4KBaudin500ft,anditispoweredbyonly2AAbatteries.Theconstrainedresourcecannotsupportcomplicatedapplications.Ontheotherhand,BSsareusuallywell-designedandhavemoreresourcesincetheyaredirectlyattachedtotheexternalworld. 52

PAGE 53

53

PAGE 54

33 ].Sincemostcommunicationprotocolsarepubliclyknown,attackerscaneavesdropthepacketstransmittedovertheairforfurthercryptanalysisortracanalysis.Theeavesdroppedpacketscanbereplayedatalatertimeoratanotherplacetoincurinconsistency.Falsepacketscanbeinjectedintothenetworktoconfusesensornodes.Maliciousnodescanalsomodifyreceivedpacketsbeforeforwardingthem.NodecompromiseisoneofthemostdetrimentalattackstoWSNs[ 33 ].SinceWSNsareusuallydeployedinahostileenvironmentwithoutcontinuousmonitoring,anattackercancaptureasensornodeanduseproperdevicestodigintosensorhardwaresandndkeymaterial.Duetocostconstraints,itisalsounrealisticanduneconomicaltoemploytamper-resistanthardwarestosecurethecryptographicmaterialineachindividualnode.Eveniftamperresistantdevicesareavailable,theyarestillnotabletoguaranteeperfectsecurityofsecretmaterial[ 34 ].ItmeansthatthenodecompromiseattackisunavoidableinWSNs.Theexposedkeymaterialrenderstheattackermorecapabilitiestolaunchothersevereattacks,suchasderivingthekeysusedbyothernon-compromisednodes.Whatwecandowithnodecompromiseistoreducetheimpactonothernormalnodesasmuchaspossible.Whenacertainnumberofnodesarecompromised,forinstance,theprobabilitythatakeyusedbyothernormalnodesisexposedshouldbeassmallaspossible.Sometimesattackersarenotinterestedindatacontentinthenetwork.Theymaysimplyintroduceradiojamminginterferenceintothesameradiobandstodisruptcommunicationsbetweennodes[ 35 ],leadingtothedenialofservice(DoS)attack. 54

PAGE 55

55

PAGE 56

56

PAGE 57

35 ]arethemostdetrimentalthreattothenetworkavailability,whereadversariescausethenetworklossofabilitytoprovideservicesbysendingradiointerference,disruptingnetworkprotocolsordepletingnodes'powerthroughsometrickymethods. 1 andChapter 2 ,keyestablishmentistherststeptosetupasecureinfrastructureforWSNs.Wealsoshewthatthedistributedkeyagreementmodelssuchaspairwisekey,matrix[ 7 ]andpolynomial[ 8 ]describedinChapter 2 canguaranteethateverypairofnodesinanetworkofNnodeshasauniquesharedkey,butthecostisthateachnodeneedstostoreN1keys.ItisimpracticalforWSNsduetothememoryconstraintsofsensornodesandthepossiblelargescaleofsensornetworks.Instead,mostrecentresearchpapers[ 13 15 { 19 ]inthiseldloosethesecurityrequirementandfollowapartialpre-distributionapproach,wherekeymaterialsarepre-distributedsuchthatsomesensornodescanestablishsharedkeysdirectlyandtheycanhelptoestablishindirectsharedkeysbetweenothersensornodes.Thepartialpre-distributioncanreducethememorycostforeachnode.Thelesspre-distributedkeymaterial,however,alsoimpliesasmallerprobabilitythattwoneighboringnodescanestablishadirectsharedkey,thusleadingtolowersecureconnectivity,whichistheprobabilitythattwoneighboringnodesestablishadirectsharedkey.Theresultoflowsecureconnectivityisthattwoneighboringnodeshavehigherprobabilityofnegotiatinganindirectkeythroughamultihoppath,whichmeanshighercommunicationoverhead. 57

PAGE 58

13 15 { 19 ]assumethatallthekeymaterialsareuniformlypre-distributedintheentirenetwork.Therefore,twonodeswithcorrelatedkeymaterialmaynotbeintheneighborhoodofeachother.Weobservethatinmanypracticalscenarioscertaindeploymentknowledgemaybeknownapriori.Hence,theproblemnotwelladdressedisthatwhichdeploymentmodelweshouldadopttoobtainasmuchgainaspossible.Existingschemeseitherassumeasimplesquarecelldeploymentmodel[ 36 { 38 ]orusegroup-basedpre-distribution[ 39 { 44 ].Inthischapter,westudyhowtoleveragedeploymentknowledgetofacilitatekeyestablishmentinWSNs.Wemakethefollowingcontributions.First,weproposenewhexagon[ 45 ]andtriangle[ 46 ]cellbaseddeploymentmodelsanddemonstratethattheyaremuchbetterchoicesthanasquarecelldeploymentmodelforfacilitatingkeyestablishment.Second,weproposeanoveledge-basedsecretpre-distributionmodeltoreducethememorycostsofsensornodes.Last,weuseextensiveanalyticalresultsandsimulationstudytoshowthattheproposedschemescanprovideperfectresiliencetonodecaptureattacks,highsecureconnectivity,andhighenergyeciencywithmuchsmallermemorycosts. 36 { 38 ]usesquarecellstomodelnodedeployment.Theentirenetworkisdividedintomanynon-overlappingsquarecells,eachofwhichiscenteredatapredeneddeploymentpoint.Ineachsquarecellagroupofnodesisdeployed.Basedonthesquarecellmodel,dierentsecretpre-distributionmodelsandkeyagreementmodelscanbeapplied.Inparticular,thelocation-basedkeypre-distribution(LBKP)scheme[ 36 ]canachievebetterperformanceduetoitspolynomial-basedresistancetonodecompromiseattacksandhighsecureconnectivity.InLBKPeachdeploymentpointisassociatedwithauniquet-degreebivariatepolynomial,andallnodesdestinedtothesamedeploymentpointarepreloadedwithapartialinformationofthecorrespondingpolynomial.Toguaranteeacertainsecureconnectivity,eachpolynomialisalsoassignedtothehorizontalandthe 58

PAGE 59

Asquarecelldeploymentmodel. verticalneighboringcells.Forexample,inFig. 3-2 ,thepolynomialofcellC33isalsoassignedtocellsC32,C34,C23,andC43.Thepolynomialsofothercellsareassignedinthesameway.Asaresult,anodeinC33hassomecommonpolynomialinformationwithothernodesintheshadowareas.Wereferreadersto[ 36 ]formoretechnicaldetails. 13 15 { 19 ],thesquarecellmodelinLBKP[ 36 ]isabletolocalizetheimpactofnodecompromiseattacksinthateachsetofsecretsispre-distributedonacell-scaleinsteadofanetwork-scale.Evenwhensomenodesarecompromisedandtheirpreloadedsecretsarerevealedtoattackers,itwouldonlygracefullydegradethesecurityofthehomecelloradjacentcellsofcompromisednodes,sothesquarecellmodeloutperformstheuniformdeploymentmodelintermsofsecurity.However,canwedobetter?Toanswerthisquestion,belowwerstanalyzethesecurityoft-degreebivariatepolynomials,thenweproposeahexagoncellmodelandanedge-basedsecretpre-distributionmodel.Last,wepresentatrianglecellmodelfeaturinghighersecurityandlowermemorycost. 36 ]isbasedonthepolynomialmodel[ 8 ],inwhichat-degreebivariatesymmetricpolynomialist-secure,meaningthatadversarieshavetocompromisenolessthant+1nodesholdingsharesofasamepolynomialtoreconstructit.Considernodecompromiseattacks.Ift+1outofxcompromisednodesshareacommont-degreebivariatepolynomial,thepolynomialitselfcanbecompromisedandthusthedirectly 59

PAGE 60

Nx;(3{1)andthustheprobabilitythatthepolynomialiscompromisedisgivenby Npc1:(3{3)Thentheprobabilityofexposingapolynomialcanberewrittenas NpcPc(i):(3{4) 45 ]forkeyestablishmentinsensornetworks.Herewedesignadeploymentmodelsuchthateachdeploymentpointisenclosedinahexagoncell,asshowninFig. 3-3 .Eachdeploymentpoint,orhexagoncell,isassociated 60

PAGE 61

Ahexagoncellmodel. withauniquet-degreebivariatepolynomialandallnodesdestinedtothedeploymentpointarepreloadedwithsharesofthepolynomial.Allnodesdestinedtoacellareusuallydeployedasagroupandaresupposedtoresideatthedeploymentpointoftheirhomecell.Duetodeploymenterrorsandrandomness,however,therealresidentpointofeachnodemayfollowsomeprobabilitydistributionfunction(PDF),suchasGaussiandistributionorUniformdistribution,inanarea,whichmaybeacircleorasquare,arounditsdeploymentpoint.Inaddition,thepolynomialofeachcellisalsoassignedto3outofits6neighboringcellsintermittently.Forexample,inFig. 3-3 (a),thepolynomialassociatedwithcellC0isalsoassignedtocellsC1,C3,andC5.Hence,eachpolynomialisusedin4cells.AnodeinC0hassomecommonpolynomialinformationwithothernodesintheshadowareas.Assumethatbothareasofahexagoncellandasquarecellare(approximately)equaltoandnodedensityremainsunchanged.Byusingthehexagongridmodel,thenumberNsofnodessharingonepolynomialisreducedfrom5to4ascomparedtoLBKP[ 36 ].AnotherbenetisthatthenumberNpofpolynomialshareseachnodeneedstostoreisreducedfrom5to4atthesametime.Itmeansthatwecandecreasetheprobabilityofpolynomialexposure,leadingtothefavorablesecurityimprovement.WewilldiscussmoreaboutthisissueinSection 3.6 61

PAGE 62

37 38 ]userandomsecretpre-distribution[ 13 17 ]ineachcelltoachieveacertainintra-cellconnectivity.Toattainacertaininter-cellconnectivity,[ 37 ]letsthekeysubsetsoftwoneighboringcellshaveaintersection,and[ 38 ]usesrandom-pairwisesecretpre-distributionscheme[ 15 ]betweentwoneighboringcells.However,theinter-cellconnectivityofbothschemesisstillunsatisfactory.Bycontrast,LBKP[ 36 ]assignseachcellauniquepolynomialandthuscanguaranteeahighintra-cellconnectivity.Italsoassignsapolynomialofonecelltoitsfourneighboringcellssoastoachieveacertaininter-cellconnectivity.Thesimilarpolynomialpre-distributionmodelisusedaswellforourproposedhexagoncellmodel.LetusdepictadeploymentmodelusingagraphG(D;E),wherethevertexsetDconsistsofalldeploymentpoints,andtheedgesetEcomprisesadjacentdeploymentpoints.Previousschemes[ 36 { 38 ]andourproposedhexagongridapproachgivemoreemphasistotheintra-cellconnectivityandleavetheinter-cellconnectivityinthesecondaryplace.Thatisbecausetheyalluseavertex-basedsecretpre-distributionmodelinwhichauniquekeysubsetorpolynomialisassociatedwitheachdeploymentpoint.Inthischapter,wealsoswitchtoanotherstrategybyputtingmoreeortsonguaranteeingahighinter-cellconnectivity.Particularly,weproposeanewedge-basedsecretpre-distributionmodel,inwhichauniquet-degreebivariatepolynomialisaliatedwitheachedgeinEandassignedtotwoenddeploymentpointsofthatedge.Forexample,inFig. 3-3 (b),eachdoubleheadedarrowmeansthecellsconnectedbythearrowareassignedwithasameuniquet-degreebivariatepolynomial.Foreaseofpresentation,hereafterwedenotebyHEX-Vthehexagongridmodelwithvertex-basedsecretpre-distributionandbyHEX-Ewithedge-basedsecretpre-distribution.WewillseeinSection 3.6.3 thatHEX-Ecanguaranteehighintra-cellandinter-cellconnectivityatthesametime. 62

PAGE 63

3.6 ). 46 ],whichhasleastnumberofneighborsforeachcell.Inthetrianglecellmodel,eachdeploymentpointisenclosedinatrianglecell,asshowninFig. 3-4 .Whenusingedge-basedsecretpre-distribution,eachpairofneighboringdeploymentpointsareassignedauniquepairwiset-degreebivariatepolynomial.Asbefore,sensornodesaredeployedingroupsandthegroupofnodesdestinedtothesamedeploymentpointarepreloadedwithsharesofthecorrespondingpolynomials.WewilldenoteournewschemebyTRI-Ehereafter.InTRI-E,eachnodeispreloadedwith3polynomialshares,whichistheleastboundofNp.TheneachnodeinC0mightbeabletoestablishpairwisekeyswithnodesintheshadowareainFig. 3-4 .ItisworthpointingoutthatinTRI-Eweonlyconsider3neighboringcellsC1/C2/C3thathavecommonboundarieswithC0becausethesecellsusuallyhavemoreconnectionswithC0.WecandistributemorepolynomialstomakeC0bedirectlyconnectedtomore 63

PAGE 64

Atrianglegridmodel. neighboringcells.However,itwouldresultinthenotableincreaseofmemorycostandthesharpdegradationofsecurityduetotheincreaseofNs,bothofwhichareundesirableinsecurity-sensitivesensornetworks.Moreover,wewillshowinSection 3.6.3 thatTRI-Emaystillachievehighnetworkconnectivitywithfocusononly3neighboringcells. 3-1 64

PAGE 65

Thealgorithmforpolynomialdistributing. 5 ].ThethirdistousetheMerklepuzzle[ 47 ],whichissuggestedby[ 15 ].However,thesemethodswouldincurtoomuchcomputationandcommunicationoverhead,whichisundesirableinresource-constrainedsensornetworks.Iftwoneighboringnodesndthattheyaredestinedtothesamedeploymentpointortwoneighboringdeploymentpoints,theycanestablishadirectpairwisekeybyevaluatingtheirowncorrespondingpolynomialshareswiththeIDofeachotherasinput.Since 65

PAGE 66

11 ]canbeappliedtoexchangeapairwisekeybetweenaandbthroughmultiplenode-disjointoredge-disjointpaths.Forthelackofspace,thefurtherinvestigationonthisissueislefttotheextensionofthispaper.However,aswewillshowinSection 3.6.3 ,ourschemeshaveprettyhighconnectivityinthateverynodecanestablishdirectkeyswithalmostallitsneighbors,sowedonotneedtospendmuchenergyontheestablishmentofindirectkeys. 66

PAGE 67

36 ]thatrequireseachnodetokeepIDsofthosecompromisednodes.Afterthat,somenormalnodesmayneedtore-initiatethepairwisekeyestablishmentproceduretoestablishnewpairwisekeys.Aswillbediscussedlater,byusingourproposeddeploymentandedge-basedsecretpre-distributionmodels,ourschememayachieveperfectresiliencetonodecompromiseattacks.Weaccomplishthisbylimitingthetotalnumberofnodessharingonepolynomialtonomorethanthepolynomialdegree.Therefore,nomatterhowmanynodesadversariescompromise,theywouldbeunabletoreconstructanypolynomialandthustoutilizetheacquiredknowledgetolaunchattacksonnon-compromisednodes.Bycontrast,conventionalschemeslikeLBKP[ 36 ]arelackofthisnicefeaturebecauseoftheirlargememorycosts,whichwillbedetailedinSection 3.6.2 36 ]andE-G(shortfor 67

PAGE 68

13 ]withregardtothelinkcompromiseprobabilitythatalinkiscompromised.Becauseeverylinkissecuredbyat-degreebivariatepolynomial,wemayusetheprobabilityofpolynomialexposal(Equation( 3{4 )inSection 3.4.1 )toevaluatethelinkcompromiseprobability.Therearetwoscalesofnodecompromiseattacksinourconsiderations.Inthelocalnodecompromiseattack,theadversarytriestocompromisenodesinaparticulararea.Duetothethreshold-basedsecurityofpolynomials,theattackermustcompromiseenoughnodestorecoverapolynomial.AsisshowninSection 3.4 ,usinghexagonandtrianglecellsandtheedge-basedpre-distributionmethod,ourschemesreducethenumberofnodessharingapolynomial.Hence,ourschemesaremoreresilientcomparedwithLBKPinthelocalnodecompromiseattack.Besides,theexposureofonepolynomialhasnoimpactonothersareasbecauseeachpolynomialisusedinasmallarea.Intherandomnodecompromiseattack,theattackerrandomlyselectnodesastheobjectsofattack.Inthisrandomattack,thelinkcompromiseprobabilityofE-Gmaybecalculatedas[ 15 37 ] Mx;(3{5)whereeachnoderandomlyselectsakeysubsetofsizemfromaglobalkeysetofsizeMandthenumberofcompromisednodesisx.Supposenodedeploymentdensityis=0:0025nodes=m2,thenetworksizeis2000m2000m,thetotalnumberofnodesisjNj=10000,andthenodetransmissionrangeis50m.ForE-G,thesizeoftheglobalkeypoolissetto100000,whileforourschemesandLBKP,theinter-celldistance,whichisthedistancebetweenthecentersofneighboringcells,issetto100m.Fig. 3-5 andFig. 3-6 depicttheirrespectivelinkcompromiseprobabilityversusthefractionofcompromisednodesfordierentnumbers(M)ofmemoryunitsallocatedforstoringpre-distributedsecrets.FromFig. 3-5 andFig. 3-6 ,wecanclearlyseethatE-Gschemehastheworstsecurityperformanceinalmostallscenarios.Everytimeadversaries 68

PAGE 69

compromiseonemorenode,theywouldincreasetheirchancesofcompromisingmorelinksbetweennon-compromisenodes.IfMisincreased,sayfrom120to240,thesecurityofE-Gwoulddegrademoredramaticallywiththeincreaseofcompromisednodes.Thisisbecauseadversarieswouldgetmoreinformationoftheglobalkeypoolaftercompromisinganode.ItisofnosurprisethatLBKPhavebettersecurityperformancethanE-Gbecauseofits(t+1)-compromiseresistantproperty.WecanalsoobservethatourschemesoutperformbothE-GandLBKP.Forexample,whenMisequalto240,LBKPcanonlytoleratethecompromiseof30%nodes,whileallourschemescantoleratethecompromiseofover50%nodes.Inaddition,TRI-EschemeexhibitsthebestsecurityperformanceofhavingperfectresiliencetonodecompromiseattackswhenMisequalto240. 69

PAGE 70

3-2 givesthememorycostofthoseschemes.Intuitively,wecouldgetperfectresiliencetonodecompromiseattacksbylimitingthenumberofnodessharingonepolynomialtobelessthan(t+1).However,toachievethis,dierentschemesmayincurdierentmemorycosts.LetstillbethenodedeploymentdensityandDbetheinter-celldistanceinmeters.WecalculatedthedierentmemorycostsofLBKPandourschemesforachievingperfectresiliencetonodecompromiseattacks,whicharegivenintheColumnBofTable 3-2 .Wecaneasilyndthefollowing 70

PAGE 71

Memorycost. schemeAB LBKP5(t+1)5(5D2+1)HEX-V4(t+1)4(2p 2D2+1) relationshipthatLBKP>HEX-V>HEX-E>TRI-E:GiventhesamememoryconstraintM,ourschemeshavebettersecurityperformancebecauseofthemuchlessmemoryrequirementswhichimplylargerpolynomialdegreesandthushighersecurity.Amongourschemes,TRI-Ehasthebestsecurityperformancebecauseofitssmallestmemorycost,whichrendersitthemostattractivecandidateforsensornetworkswherethememoryofeachnodeisverytight. 71

PAGE 72

N=Xu;vP(nuv2Guv)ZZNuv(x;y)puv(x;y)dxdy=1

PAGE 73

M=Xu;vP(nuv2Guv)ZZMuv(x;y)puv(x;y)dxdy=1 22exp(x2+y2) 22;(3{7)whereweassumethecorrespondingdeploymentpointtobetheoriginofcoordinatesystem.UsingthesamecongurationparametersgiveninSection 3.6.1 ,wecancalculatetheprobability(denotedbypr)thatanoderesidesinitshomecellafterdeployment.priscomputedbychoosingappropriatevarianceofGaussiandistributionsuchthatthenodewouldresideinthecirclethathasthesamediameterwithitshomecell.Fig. 3-7 andFig. 3-8 plottheconnectivityversustheinter-celldistance,whichisnormalizedbynodetransmissionrange,forpr=0:9andpr=0:99,respectively.Whenthecellsizeissmall,anodetransmissionrangemaynotonlycoveritshomecellandneighboringcellsbutalsocoverothernon-neighboringcells,whichmeansthenodemayhavemanyneighborswithwhichitcannotestablishdirectpairwisekeys.Hence,theconnectivityissmall.Withtheincreaseoftheinter-celldistance,theconnectivityofbothvertex-basedandedge-basedschemeswouldincreasedramatically,becausethenumberofneighborswithwhichanodecannotestablishdirectpairwisekeysdecreasesquickly.Inparticular,whentheinter-celldistanceislargerthantwotimesofthenodetransmissionrange, 73

PAGE 74

13 15 { 19 ]havelowconnectivityandthushavetorelyonmulti-hopand/ormulti-pathroutingtoestablishindirectkeysformaintaininganacceptableglobalnetworkconnectivity.Althoughthesquare-grid-basedschemes[ 37 38 ]mayimprovetheconnectivity,theystilluserandomdistributionineachcellandthuscannotguaranteeafullconnectivitybetweentwoneighboringcells,thusleadingtounfavorableenergyconsumptioninestablishingindirectpairwisekeys.Bycontrast,ourschemesareofhighenergyeciencyandthusprettysuitableforresource-constrainedsensornetworksinthatthereisalmostnoneedforestablishingindirectpairwisekeys. 74

PAGE 75

Theprobabilitythateachnoderesidesinitsowncellis0:9. highnetworkconnectivityandthusgreatlyreducethecommunicationoverheadandtransmissionenergyconsumptionincurredinestablishingindirectpairwisekeysthroughmulti-hopand/ormulti-pathrouting.Tosummarize,weproposealightweight,simple,andsecuresolutiontoestablishpairwisekeysinresource-constrainedsensornetworks. 75

PAGE 76

Theprobabilitythateachnoderesidesinitsowncellis0:99. 76

PAGE 77

2 ,theTLKestablishmentisnotaneasyproblem.InanetworkofNnodes,theoretically,eachnodecanbepreloadedwithN1keysuniquelysharedwithothernodes,butthefeasibilitycanbechallengedbecauseofthecontradictoryrequirementsbetweenthescarcememoryofsensornodesandthelargescaleofsensornetworks.Instead,mostrecentsolutions[ 13 15 { 19 ]relaxthesecurityrequirementandtargetattheestablishmentoflinklayerkeys(LLK)betweenanypairofneighboringnodes.Inalargescalesensornetwork,thenumberofneighborsofanodeisusuallyasmallconstant.ThusitismorefeasibletoestablishanLLKinfrastructurewherebytosavememoryresource.BasedonthisLLKinfrastructure,twoendnodescanperformsecurecommunicationsoveramulti-hoppathwiththehelpofintermediatenodes,andcannegotiateaTLKondemand,ifneeded,throughthesecurehandshake.TheLLKinfrastructurecaneectivelypreventexternalattackersfromaccessingthenetwork,but 77

PAGE 78

13 15 { 19 ]themselvesarealsovulnerabletonodecompromise.Anadversarycanusethesecretsincompromisednodestoderivethesecretssharedbetweenothernon-compromisednodes.HencesomecompromisednodesmaycausemanyfailurepointsinthenetworkanddestroytheentireLLKinfrastructure.AnotherdrawbackofthepreviousLLKschemesisthattheyhavealargememoryrequirementtomaintainacertainlevelofsecurityorconnectivity.Basedonourworkin[ 9 ],hereweintroduceanovelschemekeyestablishmentschemebycombiningdeploymentknowledge.First,weconsideratwodimensionalgridmodel,whichleadstoLAKE(two-LAyerKeyEstablishment)[ 48 ],fortheestablishmentofbothTLKsandLLKsinsensornetworks.Particularly,allsensornodesareorganizedintoatwodimensionalspace,andatri-variatepolynomialispre-distributedtofacilitatetheestablishmentofTLKsandLLKsinthespace.Toincreaseconnectivityandreducecommunicationoverhead,thenodesclosetoeachotherarepreloadedwithcorrelatedsecrets,calledshares,derivedfromthetri-variatepolynomials.Second,weextendourschemeintothemulti-dimensioncaseandproposeanecientLLKscheme[ 49 ].Themaincontributionsareasfollows:1.OurLAKEeectivelyaddressestheTLKestablishmentproblemforsensornetworks.AnytwonodescannegotiateaTLKondemanddirectlyorwiththehelpofonlyoneintermediatenode.ThoughinconventionalLLKschemestwonodescanalsonegotiateaTLKthroughamulti-hoppath,therearemorethanoneintermediatenodethatcanlearntheTLK.HenceLAKEismuchmoresecureunderthenodecompromiseattackcomparedwiththeconventionalproposals;2.ComparedwiththeconventionalLLKschemes,ourschemefeaturesmuchlessmemorycost;3.Byutilizinglocationinformation,ourschemeguaranteesthattwoneighboringnodescanestablishadirectLLKwithhighprobability.ThisprovidesenergyeciencycomparedwiththeconventionalLLKschemesbecausetheprobabilityofindirectLLKsestablishmentthroughmulti-hoppathsbetweentwoneighboringnodesisreduced. 78

PAGE 79

2 .WewillshowthatLAKEcanecientlyestablishbothLLKsandTLKsbetweensensornodes.AnLLKinfrastructurecanbeestablishedjustafternetworkdeployment.TLKsareestablishedondemandwhentwoendnodesneedtocommunicatewitheachother. 3 thatutilizingdeploymentinformationcanachievehigherconnectivity.So,evenourkeyagreementmodelcanachievedeterministickeyagreementbetweenanypairofnodes,asisshownin[ 9 ],weconsiderincorporatingdeploymentinformationintoLAKE.TheentirenetworkisdividedintoN1non-overlappingsquarecellsandeachcellincludesN2sensornodes.Eachnodeinthenetworkisidentiedbyacoordinate(n1;n2)inthetwo-dimensionalspace,whereni=0;1;:::;Ni1;i2f1;2g,andwemayusethecoordinate(n1;n2)asthenodeIDandtheindexn1asthecellID.CellIDsareassignedinaxedordersuchthateachcellIDactslikeacoordinateinatwo-dimensionalplane.Wemayallocate2hhigherbitsfromthenodeIDeldforthecellID.The2hbitsaredividedintoapairofintegers(i;j),whereiistherowindexandjisthecolumnindexofthecell.Hence,eachcellIDreectsthelocationinformationofthecorrespondingnodes.Thisinformationiscoarse,soweonlycantellinwhichareaanodewithagivencellIDresides.Thenodedeploymentineachcellmayfollowanyprobabilisticdistribution,suchasGaussian[ 17 45 50 ]oruniform[ 36 38 46 ].WeassumeGaussiandistributionhere.Ourkeyagreementmodelisdeterministic,soeverynodeknowswithwhichofothernodesitcanestablishasharedkeydirectly.Iftwonodescannotcalculateasharedkeydirectly,theyrelyononeintermediatenodetonegotiateanindirectkey.Justlikeprevious 79

PAGE 80

Atwo-dimensionsensornetwork. work[ 13 15 { 19 ],weassumetheunderlyingroutingprotocolcancorrectlyroutekeynegotiationmessagesovermultihoppathsbetweenthosepeernodes.Fig. 4-1 illustratesanexampleofthenetworkmodel.Thereare64cellsinthenetwork.EachcellconsistsofN2nodes.WeassigncellIDsinanorderfromlefttorightandfromtoptodown.EverynodecanbelocatedbythecellIDinitsnodeID.Forexample,node(0;n2)isinthemostup-leftcell,andnode(63;n2)isinthemostdown-rightcell.OtherexamplesofnodesarealsodepictedinFig. 4-1 80

PAGE 81

Hence,everynodeinthenetworkneedstokeeponlyat-degreeunivariatepolynomialthathast+1coecientsoveraniteeldFq.Thosecoecientsarepreloadedintoeverynode'smemorybeforedeploymentandusedtoestablishkeysafterdeployment. 4-1 ,node(18;4)andnode(18;6)arelevel-2neighborsandtheycancalculateasharedkeydirectly.Node(18;4)andnode(37;4)arelevel-1neighborsandtheycanalsocalculateasharedkeydirectly.Allnodescancalculatedirectkeysbyitselfwithoutinteractionwithotherlogicalneighbors.Eachdirectkeybetweentwologicalneighboringnodesisonlysecrettothem.Anadversarycannotlearnthedirectkeyunlesshe/sheknowsthecorrespondingpolynomialshare. 81

PAGE 82

4-1 ,therearetwosecurepathsbetweennode(18;6)andnode(37;4)andasharedkeycanbenegotiatedthrougheitherofthesecurepathswiththehelpoftheagentnodes(18;4)or(37;6). 82

PAGE 83

4-2 .Eveniftwolevel-1neighborsarefarawayfromeachother,likenodes(1;5)and(2;5),theycanalwayscalculateasharedkeyindependently.Thekeysbetweenlevel-1neighborscanactasbridgesbetweentwocells.Anodeinonecellcangothroughanyofthebridgestonegotiatekeyswithnodesintheothercell.InFig. 4-2 ,forexample,node(1;2)cannegotiateanindirectLLKwithnode(2;6)througheithernode(2;2)ornode(1;6).Duetothedeploymenterror,somenodesmayresideoutsideoftheirsupposedcells.InFig. 4-2 ,forexample,node(1;7)needstoestablishLLKswithneighboringnodes(2;2),(2;5),(2;6).Inthiscase,node(1;7)cancarryoutindirectkeynegotiationthroughitslevel-1neighbor(2;7).Ofcourse,node(2;7)maybemultihopawayfromnode(1;7),buttheunderlyingroutingprotocolcanroutekeynegotiationmessagesbetweenthem,justasisshowninpreviouswork.CommunicationoverheadisaconcernintheindirectLLKsnegotiation.LAKEincludesdeploymentinformationintotheestablishmentofLLKs,thuseachnodemaycalculatedirectLLKswithalmostallofitsneighbors.Thishighlocalsecure 83

PAGE 84

LLKestablishment. connectivityisdesirablebecauseitmeansthateachnodedoesnotneedtospendtoomuchenergyontheestablishmentofindirectLLKswithneighborsthroughmulti-hoprouting.ConventionalLLKschemeswithuniformkeypre-distributionhavemoreenergyconsumptionintermsoflowerlocalsecureconnectivity.Innextsection,wewillevaluatethesecureconnectivityassumingGaussiandistributionfornodelocationineachcell. 4-1 ).Thenitcanrelyonthelevel-1neighborasanagenttoestablishindirectTLKswithothernodesinthatcell(inFig. 4-1 ),node(18;6)cannegotiateanindirectTLKwithnode(37;4)throughnode 84

PAGE 85

2 ,wecansimplegettheminimumpolynomialdegreetas Becauseeachnodekeepst+1coecientsofat-degreeunivariatepolynomial,thememorycostpernodeislessthan1:8171p 4-1 .ThesecondcolumninTable 4-1 givesthenormalmemorycostofeachscheme.Inkey-pool-basedschemes[ 13 15 16 20 37 40 ],eachnodekeepsmkeysout 85

PAGE 86

17 ],Liu's[ 18 ]andHuang's[ 38 ]schemesreplacekeypoolswithspacepoolsofmatrixorpolynomialsofdegreet.InPIKE[ 25 ],eachnodeispreloadedwithuniquepairwisekeysfor2(p 19 ]useshigherdimensionalgrid.UnlikePIKE,hypercubeusesat-degreebivariatepolynomialforeachdimension.Forfaircomparison,weassumetwo-dimensionalgridforhypercube.Therefore,thememorycostofhypercubeis2(t+1).InLBKP[ 36 ]eachnodeispreloadedwith5polynomialshares,eachofwhichhasadegreeoft.HEX[ 45 ]andTRI[ 46 ]havememorycostof6(t+1)and3(t+1),respectively.InLAKE,unlikepreviouswork,eachnodeneedstokeeponlyat-degreeunivariatepolynomialandthusthememorycostisonlyt+1.ThethirdcolumninTable 4-1 giveshowmanymemoryunitsarenecessarytoprovidesecrecyfordirectkeys,i.e.,nomatterhowmanynodesarecompromisedthedirectkeysamongnon-compromisednodesarestillsafe.Key-pool-basedschemes[ 13 15 16 20 37 40 ]cannotprovidesecrecybecauseeachtimeanadversarycompromisesonemorenodehe/sheknowsmorekeysintheglobalorlocalkeypools.InDu's[ 17 ],Liu's[ 18 ]andHuang's[ 38 ]schemes,thedegreeofeachmatrixorpolynomialmustbesetast=N2toavoidtheexposureofdirectkeys.SotheirmemorycostisontheorderofN.InPIKE[ 25 ],allthose2(p 19 ],eachdimensionhasp 36 ],HEX[ 45 ]andTRI[ 46 ]andLAKEusethesamenetworkconguration,wheretheentirenetworkisdividedintop 36 ],toguaranteeeachbivariatepolynomialissecret,thedegreeshouldbenolessthan5p 45 ]andTRI[ 46 ]are6(2p 86

PAGE 87

Memorycostofdierentschemes. SchemesMemoryCostForSecrecy key-pool-based[ 13 15 16 20 37 40 ]mspace-pool-based[ 17 18 38 ]O((t+1))O((N1))PIKE-2D[ 25 ]2(p 19 ]2(t+1)2(p 36 ]5(t+1)5(5p 45 ]6(t+1)6(2p 46 ]3(t+1)3(2p 13 15 16 20 37 40 ],everytimeanadversarycompromisesonemorenodes,he/sheobtainsmoreinformationabouttheglobalkeypoolorspacepool,whichmeansmorekeysarecompromised.Forexample,inE-G[ 13 ],theadditionaldirectkeyexposureprobabilitycanbecalculatedas[ 15 37 ] Sx;(4{4) 87

PAGE 88

25 ]canalsoachievethezeroadditionaldirectkeyexposureprobabilitybecauseofthepre-distributionofuniquedirectkeys.Hypercube-2D[ 19 ],LBKP[ 36 ],HEX[ 45 ]andTRI[ 46 ]uset-degreebivariatepolynomialtoachievekeyagreement.SupposethereareAnodessharingat-degreebivariatepolynomialandNisthetotalnumberofnodesinthenetwork.Givenxcompromisednodes,theprobabilitythatioutofAnodeswerecompromisedis Nx;(4{5)andthustheprobabilitythatthepolynomialwascompromisedisgivenby BcPc(i):(4{7)HerethevaluesofAandBarep 19 ],5Ncand5forLBKP[ 36 ],2Ncand6forHEX[ 45 ],and2Ncand3forTRI[ 46 ],whereNcisthenumberofnodesinonecell.Anexample:Suppose10000nodesaredeployedinanarea20002000m2.TheglobalkeypoolofE-G[ 13 ]isset100000.PIKE[ 25 ]andHypercube[ 19 ]usetwo-dimensionalgrid.ForLBKP[ 36 ],HEX[ 45 ],TRI[ 46 ]andLAKE,thereare100cellsandthusthenumberofnodespercellis100.SupposeeachnodehasamemorysizeofMunitsfor 88

PAGE 89

cryptographicmaterialsandeachmemoryunitcanaccommodateacryptographickeyorapolynomialcoecient.Fig. 4-3 andFig. 4-4 givestheadditionaldirectkeyexposureprobabilityaccordingtothefractionofcompromisednodeswhenM=240;180.WeobservethatLAKEoutperformsotherschemeswiththezeroprobabilityoftheadditionaldirectkeyexposure.Whenthereismorememoryresource(M=240),Hypercube-2D[ 19 ]canalsogivethezeroprobabilityoftheadditionaldirectkeyexposure.However,whenmemoryresourceislimited(M=180),Hypercube-2D[ 19 ]becomesvulnerabletonodecompromise. 89

PAGE 90

EverynodeneedsanagentnodetoestablishindirectLLKsandTLKswithothernodes.Iftheagentnodeiscompromised,theindirectkeysareexposed.SupposexoutofNnodesinthenetworkarecompromised.Theprobabilityoftheindirectkeyexposureis Nx=x N: PIKE-2D[ 25 ]andHypercube-2D[ 19 ]canachievethesameprobabilityoftheindirectkeyexposurebecauseitalsoreliesoneagentnodetoestablishpairwisekeysbetweenneighboringnodes.Inotherschemes[ 13 15 16 20 37 40 ],twonodeshavetorelyon 90

PAGE 91

13 ]thesecurepathbetweentwoneighboringnodesconsistsof2or3agentnodesandthesecurepathbetweenanytwoendnodesconsistsofmorethan11agentnodesonaverage[ 13 ].SupposethesecurepathbetweentwonodesinE-GandLBKPconsistsofhagentnodes.Theprobabilitythattheindirectkeybetweenthetwoendnodesisexposedcanbecalculatedas Nx11x Nhxh N; whereNh>1.Thus,LAKEismoreresilienttothenodecompromiseattack. 13 15 16 20 ],keymaterialsareuniformlypre-distributedinthenetwork.ItishighlypossiblethattwonodeswithcorrelatedkeymaterialscannotestablishadirectLLKbecausetheyarefarawayfromeachother.Forexample,inE-Gscheme[ 13 ],eachnoderandomlyselectsMkeysfromSkeys,thusthelocalsecureconnectivityofE-Gis1SMM=SM11M SMM2 25 ]andHypercube-2D[ 19 ],eachnodekeepspairwisekeyswith2(p 91

PAGE 92

36 { 38 45 46 ].Byintentionallypre-distributingthesamesetofsecretsinsmallcells,theycanachievemuchhigherconnectivitythanuniformpre-distributionschemes.Thoughourkeyagreementmodelstillworkinuniformpre-distributionscenarios,weconsiderdeploymentknowledgeheretofurtherincreasethelocalsecureconnectivity.Duetodeploymenterrors,wecannotexpecteachnoderesidesatthepredeterminedlocation.Rather,thenodedeploymentineachcellfollowssomeprobabilisticdistribution.Inordertoevaluatetheinuenceofdeploymentknowledge,weusetheGaussiandistribution[ 17 45 50 ]inoursimulation.Particularly,thelocationofeachnodefollowsthedistribution, 22exp((xxc)2+(yyc)2) 22;(4{10)where(xc;yc)isthecenterofthecellinwhichthenoderesidesand(x;y)isthereallocationofthenode.WeusethesamecongurationparametersinSection 4.2.7.2 inoursimulation.Thereare10000nodesdeployedinanarea20002000m2.AlltheschemesevaluatedherecanstoreM=200keys.Noderadioradiusis150m,whichiscorrespondingtoMICA2capability[ 31 ].TheglobalkeypoolofE-G[ 13 ]isset100000.TheschemesE-G[ 13 ],PIKE-2D[ 25 ]andHypercube[ 19 ]usetheuniformpre-distribution.Asforthelocation-basedschemesLBKP[ 36 ],HEX[ 45 ],TRI[ 46 ]andLAKE,thereare100cellsandthusthenumberofnodespercellis100.Theinter-celldistance(thedistancebetweenthecentersofneighboringcells)isset200m.Thestandardderivationissetto=50m.Underthesecongurations,wesimulateasensornetwork,ndthelocalsecureconnectivityofeachnode,andaverageitoverallthenodes.TheaveragelocalsecureconnectivityisgiveninTable 4-2 .Weobservethatthelocalsecureconnectivityfortheuniformpre-distributionschemes[ 13 19 25 ]isverylow.Thelocation-basedschemes[ 36 45 46 ]havemuchhigherconnectivitybecauseallthenodesinneighboringcellsarepre-distributedwithcorrelated 92

PAGE 93

Localsecureconnectivityofdierentschemes SchemesLocalConnectivity E-G[ 13 ]0:2797PIKE-2D[ 25 ],Hypercube-2D[ 19 ]0:0276LBKP[ 36 ]0:9999HEX[ 45 ]0:9960TRI[ 46 ]0:9985LAKE0:5317 keymaterials.LAKEhaslowerlocalsecureconnectivitythanthelocation-basedschemes[ 36 45 46 ],becauseinLAKEonlythenodesinonecellhavecorrelatedkeymaterialsandeachnodecanestablishadirectkeywithonlyonenodeinanothercell.However,LAKEstillhasmuchhigherlocalsecureconnectivitythantheuniformpre-distributionschemessuchasE-G[ 13 ],PIKE-2D[ 25 ]andHypercube[ 19 ]. 19 ]thatthepolynomialevaluationiscomparablewithconventionalsymmetrickeyprimitivessuchasMessageAuthenticationCodebasedonRC5orSkipJack.Tocalculateakey,eachnodeshouldcalculate2t1modularmultiplicationsoverZq:t1forx2;:::;xtandtforb1x;b2x2;:::;btxt.Underthesymmetrickeytechnology,thelengthofqisusually64bitsor128bits.SupposethesamecongurationparametersinSection 4.2.7.2 isusedhere,wheretotalnumberofnodesisN=10000,thenumberofnodespercellis100,andthenumberofcellsis100.AccordingtotheTable 4-1 ,thetislessthan181.Hence,eachnodeneedstoperformonly36164-bitor128-bitmodularmultiplications.Similarly,thenumberofmodularmultiplicationsofotherpolynomial-basedschemesisgiveninTable 4-3 .ObviouslyLAKEismoreecientthanmostconventionalsymmetrickeyschemes. 93

PAGE 94

Computationoverheadofdierentschemes. Schemes#.ofsharesdegree#.ofmultiplications Hypercube-2D[ 19 ]298390LBKP[ 36 ]54983875HEX[ 45 ]61982370TRI[ 46 ]31981185LAKE1<181<361 PublickeytechniquessuchasRSAandDie-Hellmancanalsoachievekeyagreement.ThebasicoperationofRSAandDie-Hellmanisthemodularexponentiationoftheformyx(modq).Onemodularexponentiationneeds3 2log2qlog2q-bitmodularmultiplicationsonaverage[ 5 ].Toguaranteethesamelevelofsecurity,hereqisusually1024bitsandyandxaredrawnfromZq.Thuspublickeybasedoperationrequires15361024-bitmodularmultiplicationsonaverage.A1024-bitmodularmultiplicationis1024 642=256timesmoreexpensivethana64-bitmodularmultiplication[ 17 ].Hencethepublickeytechniquesare2561536 361=1089timesmoreexpensivethanLAKEif64-bitsymmetrickeysareusedinLAKE. 49 ].Ourschemeisbasedonamethodwehavedevelopedin[ 9 ].Eachsensornodecarriesashareofaglobalt-degreemultivariatesymmetricpolynomial.Ifthesharesoftwonodesarecorrelated,thetwonodescancalculateasharedkeydirectly.Otherwise,theycannegotiateanindirectkeywiththehelpofanintermediatenode.Weutilizenodedeploymentknowledgesuchthatnodeswithcorrelatedsharesaredeployedascloseaspossible.Inthisway,eachnodecandirectlycalculateLLKswithmostofitsneighbors.Inthissection,wewillelaboratethedetailsofourscheme. 94

PAGE 95

2 .Thispolynomialisusedtoderivesharesforsensornodes.Toachievekeyagreement,everynodenshouldhavekcredentials(c1;c2;:::;ck),whicharepositiveandpairwisedierent.Thesecredentialscanbecreatedandpreloadedintonodesbeforedeployment.However,itrequiresadditionalmemoryspacepernode.Fortunately,thekcredentialscanbederivedfromthekindicesinnodeID(n1;n2;:::;nk)byabijection,i.e., 95

PAGE 96

iscalculated,where and(c1;c2;:::;ck)ismappedfrom(n1;n2;:::;nk)accordingtotheequations( 4{11 ).Thenthepolynomialshareisassignedtothenode.Here,thenodeonlyknowsthet+1coecientsoftheunivariatepolynomialshare,butnotthecoecientsoftheoriginal(k+1)-variatepolynomial.Therefore,evenifthemarginalbivariatepolynomialisexposed,theglobalpolynomialisstillsafeifthedegreetischosenproperly. 4{11 ),twonodesuwithID(u1;u2;:::;uk)andvwithID(v1;v2;:::;vk)candirectlycalculateasharedkeywithoutanyinteractioniftheirIDshaveonlyonemismatch.Ifthetwonodesarewithintheradiocoverageofeach,thenthekeycanbeusedasanLLK.Therefore,weneedadeploymentmethodthatintentionallymakenodeswithonlyonemismatchintheirIDsbedeployedascloseaspossible.Insuchaway,eachnodecanestablishLink-layerkeyswithmostofitsneighbors.BecausenodeIDisanindex-tuple(n1;n2;:::;nk),whereni=0;1;:::;Ni1;i2f1;2;:::;kg,thenetworkislogicallyconstructedwithklevels.Thei-thlevelconsistsofN1N2Nicells,eachofwhichhasNi+1subcells,i.e.,Ni+1Nknodes,wherei=1;2;:::;k2.The(k1)-thlevelconsistsofN1N2Nk1cells,eachofwhich 96

PAGE 97

4-5 (A),whereN1=N2=N3=9.Tofacilitatekeyagreement,thelogicalnetworktopologyistransformedintoarealone,whichdecidestherealnodedeploymentmodel.Supposealevel-(i1)cellhasNi=RiCisubcells.Todothetransformation,thefollowingtwostepsaretaken: 1. intherststep,iptheevenrowsofthelevel-(i1)cellvertically; 2. inthesecondstep,iptheevencolumnsofthelevel-(i1)cellhorizontally.AnexampleisdepictedinFig. 4-6 .Acellatthe(i2)-thlevelhasNi1=35level-(i1)subcells(Fig. 4-6 (A)),eachofwhichagainhasNisubcells.Bythetwo-steptransformation,wegettherealcelltopologyillustratedinFig. 4-6 (B).Theentirenetworktopologyisconstructedbasedonthetwo-steptransformation.Inthisway,thenetworkisdividedintoN1N2Nk1cells,wherecellsarelocatedaccordingtothespaceorderdeterminedbythetwo-steptransformation.AllthenodesaredeployedintocorrespondingcellsbasedontheirIDs.TherealnetworktopologyoftheexampleinFig. 4-5 (A)isillustratedinFig. 4-5 (B). 97

PAGE 98

BFigure4-5. Topology.A)Beforedeployment.B)Afterdeployment. 98

PAGE 99

BFigure4-6. Deploymentstrategy.A)Beforedeployment.B)Afterdeployment. Becauseallnodecredentialsofuandvaredrawnfromdierentsubsetswhereanytwosubsetshavenointersectionandui6=vi,thek+1credentialsusedtocalculatethesharedkeyarepairwisedierent,andthesetofcredentialsisunique.Thereforethesharedkeycalculatedbythenodesuandvisunique,i.e.,othernodesdonotknowthesharedkey.Considerourdeploymentmodel.Atthelowestlevel,thenetworkisdividedintoN1N2Nk1cells.AllthenodesineachofthosecellshavecommonIDprex,whichisthecellID,andtheirnodeIDsareonlydierentatthek-thposition.Therefore,anypairofnodesinonecellcancalculateadirectsharedkey.Forexample,twonodes(041)and(044)incell(04)(Fig. 4-5 (B))cancalculateasharedkeydirectly. 99

PAGE 100

4-5 (B),node(041)incell(04)cancalculateasharedkeydirectlywithnode(081)incell(08).Withthehelpofnode(081),node(041)canindirectlyestablishasharedkeywitheveryothernodeincell(08).FortwoneighboringcellswithtwomismatchesintheircellIDs,theyareinthediagonaldirectionofeachotherandhaveaneighboringcellincommon,whichhasonlyonemismatchincellIDwitheachofthem.InFig. 4-5 (b),node(081)incell(08)canindirectlynegotiateasharedkeywithnode(151)incell(15)throughnode(181)incell(18),becausenode(181)hasdirectkeyswithnode(081)and(151)respectively.Thennode(081)canindirectlynegotiateasharedkeywitheachofothernodesincell(15)throughnode(151).Inourdeploymentmodel,eachnodecancalculatedirectLLKswithmostofitsneighborsbecausemostofitsneighborsareinthesamecellasit,andnegotiateindirectLLKswiththerestneighborswiththehelpofonlyoneintermediatenode.Moreover,eachnodecanevenestablishsharedkeyswithothernodesmulti-hopaway. 13 21 23 25 36 ]. 9 ]thattoguaranteethesecurityoftheglobalpolynomial,theminimumdegreetcanbeboundas[ 9 ] 100

PAGE 101

Memorycostofdierentschemes SchemesMemoryCost E-G[ 13 ]mLBKP[ 36 ]5(t+1)PIKE[ 25 ]2(p 21 23 ]O(p whereratio 2: WecomparethememorycostpernodeofourschemeswithotherschemesinTable 4-4 .InE-Gscheme[ 13 ]eachnodehasasubsetofmkeys,wheremmaybemorethan100ifitneedstomaintainacertainsecurityorconnectivity.InLBKP[ 36 ]eachnodeispreloadedwith5polynomialshares,eachofwhichhasadegreeoft.However,inordertomaintainstrongsecurity,thevalueoftisveryhigh.Soitsmemorycostismuchhigherthanours.InPIKE[ 25 ],eachnodemuststore2(p 21 23 ].TheyaresimilartoE-G[ 13 ],buttheycanensurekeysharingbetweenanypairofnodes.ThememorycostoftheirschemesisroughlyO(p 101

PAGE 102

13 21 23 36 ],whenthenumberofcompromisednodesislarge,thedirectkeysamongnon-compromisednodescanbeexposed.Moreover,theindirectkeysareaswellinsecurebecauseeachindirectkeyhastobeestablishedwiththehelpofseveralintermediatenodesalongapath.Ifsuchapathinvolvehintermediatenodes,thentheprobabilitythatanindirectkeyisexposedcanbecalculatedas PIKE[ 25 ]issimilartoourschemeinthatanypairofnodescanestablishasharedkeythroughnomorethanoneintermediatenode.ThedierenceisthatitdoesnotutilizedeploymentknowledgetofacilitateLLKagreementandthusismoreexpensiveincommunication.Moreover,itsmemorycostpernodeishigherthanours.Obviously,ourschemeismoresecurethanconventionalschemes. 4-7 ),wherethecenterofcellislocatedattheoriginoftheplane.Therstquadrantisdividedintoveareas,eachofwhichiscorrespondingtodierentnodecoverageA(xo;yo) 102

PAGE 103

2arccos(2Yo21)+Yop 2arccos(2Xo21)+Xop 2arccos(2Xo21)1 2arccos(2Yo21)+Xop Inscheme[ 13 ],eachnodeselectsMkeysfromSkeys,thusthelocalsecureconnectivityisroughly1SMM=SMM2 25 ],eachnodekeepsuniquepairwisekeyswith2(p 21 23 ]aresimilartoPIKE[ 25 ]inthatthelocalsecureconnectivityisroughlyO(1=p 36 ]useslocationinformationtofacilitatekeypre-distributionsothateachnodecanestablishdirectLLKswithall 103

PAGE 104

Nodecoverageinonecell. neighborsinitscellandinneighboringcells,leadingthelocalsecureconnectivitytoabout1ifallthenodesareuniformlydeployedintheirhomecell.Thelowlocalsecureconnectivityofschemes[ 13 21 23 25 ]isbecauseeachnodecannotstoretoomuchkeystoincreasethelocalsecureconnectivity.However,inoursschemethelocalsecureconnectivityisunrelatedtomemorycost.Forexample,supposethesizeofcellsizeis200200m2andnoderadioradiusis25m.Thelocalsecureconnectivityofoursschemeis0.89,whichismuchhigherthanthatof[ 13 21 23 25 ],whichisusuallymuchlessthan0.5. 104

PAGE 105

51 52 ].Theideaistoembedsomelocationinformationintonodeidentier(ID)andusethelocationinformationtofacilitatemanyapplicationsinsensornetworks.Particularly,theentirenetworkisdividedintomanycells,andeachcellismarkedbyacellindex.Allsensornodesaredeployedingroupssuchthateachcellisdeployedwithagroupofnodes.Hence,thenodesinonecellhavethesamecellindex.Todistinguisheachindividualnodeinonecell,eachnodeisassignedanodeindex,whichisuniqueinthecell.InthiswayeachnodeIDhastwoparts:thecellindexthattellswhichcellinthenetworkthenoderesides,andthenodeindexthatactsliketheconventionalidentierfortheidenticationofthenodeinthecell.ThuslocationinformationisembeddedintonodeIDsbytheone-to-onemappingbetweencellindicesandthelocationsofcells. 105

PAGE 106

53 ].Forexample,everynodeparticipatesinthenetworkthoughaneighbor-to-neighborcommunicationmode,soeverynodeshouldacceptthepacketsonlyfromthenodesinitsneighborhood.TheLBNmechanismisprettysuitableinthisscenariointhateverynodemayidentifywhetherapacketcomesfromaneighbororanotherdistantnodebasedonthenodeIDinthepacket.Manyattacksinsensornetworkstrytoraisehavocbyskewingnetworktopology[ 33 ].Forexample,amaliciousnodemayimpersonateothernormalnodesbychangingitsnodeID,thuscauseseveretopologicaldistortionleadingtothefailureofroutingprotocols.However,bybindinglocationinformationwithnodeIDs,LBNcanbeusedtodetectthosetopologicaldistortions.WhenLBNisemployed,amaliciousnodecannotchangeitsIDintothoseinthecellsfarawayfromitsowncell,becausethemaliciousnodemaybedetectedifitsIDdoesnotbelongtoitsowncell.However,themaliciousnodemaystillimpersonatetheIDsinitsneighborhood,becauseallIDsinonecellhasthesamecellindex.Inthiscase,someneighborhoodauthenticationserviceshouldbeappliedtodetectthemaliciousnode.Wemakethefollowingcontributionsinthischapter:1.Weintroducethenamingproblemforsensornetworksintheliteratureforthersttime;2.Weproposealocation-basednamingmechanismLBNandexploreitssecurityvalueforsensornetworks;3.WeproposealinklayerauthenticationschemeLLA,whichincorporatesLBN,toprovideaneighborhoodauthenticationservice; 106

PAGE 107

5.2 weproposethelocation-basednamingmechanismLBNtofulllourideaonnetworknamingsystem.InSection 5.3 wedescribethelinklayerauthenticationschemeLLA,andshowhowitactsasareenforcementofourLBNmechanismbyprovidingneighborhoodauthentication.WewilldiscusshowourLBNmechanismandLLAschemecanbecombinedtodefendagainstmanynotoriousattacksinsensornetworksinSection 5.4 .SomediscussionsaregiveninSection 5.5 ,andconclusionisgiveninSection 5.6 5.2.1LocationDeterminationToutilizelocationinformation,itistherstrequirementtoacquirelocationinformation.Thelocationdeterminationisnotatrivialtaskinstationarysensornetworks.ItisinfeasibletoinstalleverynodewithaGPS(globalpositioningsystem)duetothedesireforlowpricesensornodes.Thoughtherearesomepost-deploymentfacilitatingmethods[ 53 { 55 ],theyrelyonthecooperationbetweensensornodes,whichleadstoalargeamountofcommunicationoverhead.However,whenasensornetworkisdeployedinanarea,somelocationinformationisknownapriori.Hence,ifwedeployagroupofnodesintoanarea,wemaypreloadthelocationinformationoftheareaintothenodes'memory.Thisa-priorilocationinformationcanbeusedinmanyscenariossuchaskeymanagement[ 36 { 41 ].Duetodeploymenterrors,thea-priorilocationinformationislessprecisethanthatofposteriormeasurements,however,itobviatestheneedtouseexpensivepositioningdevicesandcomplexdistributedlocationdeterminationalgorithms,thusitisprettysuitableforsomeapplicationsinresourceconstrainedsensornetworks.Inthispaper,weusesthecourse-graineda-priorilocationinformationtodevelopasecurityschemetodefendagainstmanyattackstonetworktopology. 107

PAGE 108

Asquarecelldeploymentmodel. Beforedeployingagroupofsensornodes,weshoulddecidewhichplacethegroupshouldreside.Thustheentiredeploymentareaisdividedintomanyadjacentnon-overlappingcells.Everycelliscenteredwithadeploymentpoint.Basedonspecicdeploymentmodels,thecontourofcellmaybesquare[ 36 { 38 48 49 ],hexagon[ 45 ]ortriangle[ 46 ].Forsimplicity,squarecell(Fig. 5-1 )isusedasaninstanceinthispaper.However,othershapesarestillapplicablewithafewmodications.Eachgroupofnodesisintendedtobedeployedinapredenedcell.Duetodeploymenterrors,everynodewillbedeployedaroundthedeploymentpointofitscellaccordingtosomeprobabilitydistributionfunction(PDF),suchasGaussiandistributionorUniformdistribution.Itisnecessarytopointoutthattheareawherethenoderesidesdoesnotnecessarilyhavethesameshapeasitscell.Forexample,theareawherethenoderesidesmaybeacirclebecauseofthecentralizedGaussiandistributionwhileitscellisasquare.However,wemayimprovedeploymentprecisionsothattheprobabilitythatanoderesidesoutofitscellisverysmall[ 45 46 48 49 ]. 108

PAGE 109

56 ].ItisimpossibletoincludethelocationcoordinatesofdeploymentpointsdirectlyintonodeIDeldinlargescalesensornetworks.However,ourschemedoesnotrelyonpreciselocationinformation,weonlycountontherelativelocationinformationbetweensensornodes.Hence,wetendtouseindices.Inourdeploymentmodel,eachcellismarkedwithacellindex,whichisapairofintegers(i;j),whereiistherowindexandjisthecolumnindex.Thuswecanidentifyeachcellanditsassociatedgroupofnodesbycellindex.Theindicesarenotabsolutelocationcoordinates,sotheycouldbeverysmallintegers.Withthisbenet,wemayallocateseveralbitsfromthenodeIDeldforcellindex,andtherestbitsfromthenodeIDeldasnodeindexintheassociatedcell.Inthiswayeachnodeisidentiedbyapair(cellindex,nodeindex).Forexample,wemayallocate10bitsfroma16bitsIDeldforcellindex,andtherestof6bitsfornodeindex(Fig. 5-2 ).Thenthemaximumaordablenetworkmayconsistofcellsof32rowsand32columns,whereeachcellcontains64nodes,andthetotalnumberofnodesis65536.Onlyindexcannotprovidemoreinformationotherthancellidentication.Whatwecareaboutishowtheindicesdescribetherelationshipbetweennodes.Inourdeploymentmodelallcellsareindexedaccordingaxedorderfromtoptorightandfromlefttorightsuchthateachcellindex(i;j)actslikeacoordinateinatwodimensionalplane(Fig. 5-1 ).Inotherwords,cellindicesarenormalizedcoordinatesofcells.Hence,theindicesreectthespatialrelationshipbetweennodes.BycheckingnodeIDeldsinreceivedpackets,anodemaytellwhetherthesourcesofpacketscomefromitsowncellorneighboringcellsorotherdistantcells.Ifwetreateachnodeasakindofresource,andthepacketsreceptionbythenodeasakindofresourceaccess,thentheorderlynamingmechanismmayprovideanauthenticationservicefortheaccesscontrolatlinklayer.Becauselinklayercommunicationsrunbetweenneighboringnodesandinourschemetheneighbors 109

PAGE 110

Location-basedname. ofonenodemostlikelycomefromitscellorneighboringcells,everynodeshouldonlyacceptthepacketsfromthenodesinitscellorneighboringcells,anddenythepacketsfromotherdistantcells 5.4 thatourLBNmechanismmaydefendagainstawiderangeofattacksinsensornetworks. 57 58 ].Adversariescaneasilyeavesdropmessagestransmittedovertheairbetweennodes,ordisabletheentirenetworkbylaunchingphysicalattackstosensornodesorlogicalattackstocommunicationprotocols[ 33 35 ].Undersuchcircumstances,securityservicessuchasencryptionandauthenticationareindispensableforguaranteeingtheproperoperationofsensornetworks.Intheoverallnetworksecurityinfrastructure,linklayersecurityisthebasictile,becauseallcommunicationsareestablishedontheneighbor-to-neighborcommunicationmode.Anodeshouldonlyacceptthepacketsfromauthenticatedneighboringnodes.Toestablishtrustinessbetweenneighboringnodes,authenticationservicesatlinklayerare 36 45 46 48 49 ]thatthisprobabilityisverysmall.Wecouldtreatitasthetrade-ooftheusageofa-priorideploymentknowledge. 110

PAGE 111

36 { 41 ]uselocationinformationinkeymanagementinsensornetworks,whichmaybeusedtoestablishlinklayerencryptionkeys.However,theyhavenotaddressedtheauthenticationproblem.Motivatedbytheirwork,weproposealinklayerauthentication(LLA)schemeinthissection,whichincorporatestheLBNmechanismtoprovideaneighborhoodauthenticationservice.OurLLAschemeconsiststwophases.Therstoneisthebootstrappingphase(B-Phase),whichistheinitialtimeperiodafternetworkdeployment.Thesecondisthenormalcommunicationphase(C-Phase)duringwhichnodescommunicatenormalpacketstofulllkindsofapplications.Ineachphaseatwo-stepauthenticationisenforced.TherststepistheID-basedauthentication,inwhicheverynodedecidestoacceptorrejectapacketbycheckingthepacketIDeldaccordingtoLBN.Thesecondstepisthekey-basedauthentication,inwhichthetwocommunicatingnodesverifytheIDsofeachotherbythesharedkeybetweenthem.Theunderlyingtechniquesweuseherearesomethinginherentandsomethingknown[ 5 ].Somethinginherentmeansanentityisauthenticatedbyitsinherentcharacteristic,whichisthelocation-basednodeIDinourscheme.Somethingknownmeansanentityisauthenticatedbythesecretsitknows,whicharesharedkeysinourscheme. 2 canbeusedtoestablishkeysinWSNs,andtheyallrequiretheexchangeofnodeIDsastheinputstothekeyagreementmodel.Forsimplicity,weassumet-degreebivariatepolynomialstoestablishsharedkeysbetweenneighboringnodes,i.e., 111

PAGE 112

36 ]topredistributepolynomialssothattwonodesinthesamecellandneighboringcellsholdsharesofthesamesetofpolynomial(s) 5-1 ,thepolynomialofcell(i;j)isalsoassignedtocells(i;j1),(i;j+1),(i1;j),and(i+1;j).Thusanodeincell(i;j)mayestablishsharedkeyswithnodesinitcellsandallneighboringcells.Wereferreadersto[ 36 ]formoretechnicaldetails.Afterthepolynomialsdistribution,everypairofnodeshasasharedpolynomialssetP,whichisusedtoderivepolynomialsharesforthepairofnodes.ThesetPisdecidedbythecellindicesofthetwonodes.Fortwonodesinthesamecellorneighboringcells,Pisnon-empty,butfortwonodesfromtwodistantcells,Pisempty.Itisdierentfrom[ 36 ]inthat[ 36 ]requireseverynodetokeepthecoordinatesofitscellwhileourschemedoesnotbecausethelocationinformationisinthenodeIDeld.SoanodemayknowinstantlywhetherithasthesharesofthesamesetofpolynomialsasanothernodeonlyfromitsnodeID. 45 46 ]usinghexagonandtrianglecells.ItcanalsobeusedinLBNdesignifwechoosetousehexagonortrianglecellsinplaceofsquarecells. 112

PAGE 113

36 { 38 45 46 48 ],everynodeneedstobroadcastbothitscellcoordinatesanditsnodeIDtoitsneighbors.However,ourschemeismoreecientbecausethenodeIDhasalreadyincludedthecorrespondinglocationinformation.Whennodeuhearsnodev,itrstchecksthecellindexeldinv'snodeID.InLBNmechanism,thecellindexshouldbethesameasthatofuortheoneoftheneighboringcellindiceswhichmaybeeasilyveriedbecauseallcellindicesareorderlysorted.Ifitisnotthecase,thereceivedIDvmaybeaspoofedvaluefromamaliciousnode,andnodeujustignoresnodev'spackets.IfthereceivedIDvisacceptable,nodeuknowsimmediatelythesharedpolynomialssetPwithnodev.BecausenodeuandnodevhavesharesderivedfromthepolynomialsinP,nodeumayfurtherverifynodevthroughachallenge-responsemethod.Nodeurandomlyselectsapolynomialf(x;y),whichhasauniqueindexpf 113

PAGE 114

59 ].Every 114

PAGE 115

56 ]deneslinklayerpacketformatsincludingAuthpacketformat,inwhichonlyauthenticationisprovided,andAEpacketformat,inwhichbothauthenticationandencryptionareprovided.Itissimilartoourscheme,however,itdoesnotaddresshowtoestablishauthenticationandencryptionkeys.ItisobviousthatwecancombineTinySecwithourschemetoprovideacompletesolutionforlinklayersecurityinsensornetworks. 115

PAGE 116

33 ]classiedaseriesofattackstosensornetworks,whichmaycausetherapiddeteriorationofnetworkperformance.Mostoftheattackstrytocausetopologicaldistortionbyspoongorreplayingroutinginformation.However,aswewillshowinthissection,ourLBNhasinherentresistancetothesetopologicalattacks,becausethelocationinformationinnodeIDsreectstopologyofthenetwork.AnyattackthatcausesserioustopologicaldistortionscanbedetectedbyourLBNandLLA.Inthissection,wediscussmanytypicalattacksasexamples. 60 ],amaliciousnodeillegitimatelytakesonmultipleidentities,whichmaybefabricatedIDsorimpersonatedIDs.TheSybilattackmayposeaseriousthreattoroutingprotocols,dataaggregation,voting,fairresourceallocation,misbehaviordetection,etc[ 33 60 ].Severalpotentialdefensemethodsareproposedin[ 60 ],includingradioresourcetesting,vericationofkeysetsforrandomkeypredistribution,registration,positionvericationandcodeattestation.However,thosemethodsrelyoneitherstrictphysicalassumptionsorcooperationsbetweenabunchofnodes.Inourscheme,everynodeIDshouldappearonlyinasmallareaofthenetworkduetotheLBNmechanism.IfthemaliciousnodeclaimsanIDbelongingtodistantcells,itmaybeeasilyfoundoutbyitsneighborsandthenbeprecluded.TheonlyIDsthemaliciousnodecanclaimarethoseinitscellandneighboringcells.Eventhat,themaliciousnodecannotpassthelinklayerauthenticationbecauseitdoesnothavethecorrespondingpolynomialsharesbelongingtothenodewhoseIDisclaimedbythemaliciousnode.SotheSybilattackcannotgetsuccessinourscheme. 60 ],anadversarymayputmanyreplicasofacapturednodeatmanyplacesinthenetworktoincurinconsistency.LiketheSybilattack,theidentityreplicationattackmayleadtothefailureofmanynetworkfunctions. 116

PAGE 117

60 ],whichiscommunicationintensiveandlacksofscalability.Inourscheme,theadversarycannotputthereplicasofthecapturednodeatplacesotherthanitsvicinitybecausethepresenceofanodeIDshouldbelocalizedduetotheLBNmechanism.Theadversarycanonlyputthosereplicasinasmallareawherethecapturednodeoriginallyresides.However,convergenceofthereplicasofthesamenodeIDinasmallareamaybeeasilydetectedbysurroundingnormalnodes.So,theidentityreplicationattackndsnoplaceinourscheme. 61 ],twomaliciousnodescolludetotunnelpacketsfromoneplacetoanotherdistantplaceinthenetwork.Thisattackmaydistortthenetworktopologybymakingtwodistantnodesbelievetheyareneighbors,thusbecomeaseriousattacktoroutingprotocols.Huetal.proposedtousepacketleashes[ 61 ]tolimitthemaximumrangeoverwhichpacketscanbetunneledbythetwocolludingnodes.Directionalantennas[ 62 ]arealsousedtodefendagainsttheWormholeattack.However,thesedefensesaretargetedtotheWormholeattackinadhocnetworks,andrequireexpensivehardwaredevices,whichareinfeasibleformostresourceconstrainedsensornetworks.WangandBhargava[ 63 ]proposedtousecentralizedcomputingtodefendagainsttheWormholeattackinsensornetworks,inwhichacontrollercollectsallnodes'locationinformationtoreconstructthenetworktopologysuchthatanytopologicaldistortionmaybevisualized.However,thisapproachcausesmuchcommunicationoverheadandisnotrealisticifmaliciousnodesmovearoundintheentirenetworkbecauseeachlocationchangewilltriggeranewroundofexecutionofthetopologyreconstructionalgorithm.ByusingLBN,anodemaycheckthecellindexeldsinthereceivedpacketsandsimplydropthosepacketscomingfromadistantplace.SotheimpactoftheWormholeattackislimitedinneighboringcellsautomatically.Thoughthetwocolludingnodes 117

PAGE 118

33 ],amaliciousnodetriestolurenearlyallthetracfromaparticulararea,creatingametaphoricalsinkholewiththemaliciousnodeatthecenter.Thiskindofattacktypicallyworksbymakingthemaliciousnodelookespeciallyattractivetosurroundingnodesbyclaimingalowerroutingcosttothebasestationinthesensornetwork.Ifgeographicalroutingprotocolsareused,everyrouteisfoundbasedongeographicalinformation,whichcanbeextractedfromnodeIDs.Inthiscase,themaliciousnodecannotcheatothernodesbecauseothernodesmayeasilyndwhetherthemaliciousnodeisontheroutetothebasestationbasedontheIDofthemaliciousnode.Ifdierentroutingcriteriasuchasreliabilityareused,itisratherdiculttodetectthesinkholeattack.However,thenodeIDmaystillprovidesomeinformationaboutthelocationofthemaliciousnode,thusifthesourcenodendsthelocationofthemaliciousnodeisfarawayfromthedirectionofthebasestation,itmeansapotentialthreatandsomemethodsmaybeusedtoverifytheroutinginformation. 33 ],amaliciousnodemaybroadcastHELLOpacketswithlargeenoughtransmissionpowertoconvincemostnodesinthenetworkthatthemaliciousnodeistheirneighbor,thusleadthenetworkintothestateofconfusion.ThisattackmaybedefeatedbecauseitiseasytocheckwhetheraHELLOpacketisacceptablefromitsIDeldinourscheme. 33 ],amaliciousnodemayspooflinklayeracknowledgmentsforthepacketsdestinedtoaneighboringnodewhichisdeadorthepacketslostduetothebadchannelreliability,thusmakethesourcenodeformawrong 118

PAGE 119

7 8 ]thatat-degreebivariatepolynomialist-collusionresistant,meaningthatthecollusionofnomorethantnodescannotexposethepolynomial.Howeverifonet-degreebivariatepolynomialisusedbymorethantnodes,anadversarymaycompromisemorethantnodesholdingsharesofasamepolynomialtoreconstructit,andthenusethereconstructedpolynomialtoderivesharedkeysbetweennon-compromisednodesthatholdsharesofthesamepolynomial.Wehaveproposedecientschemes[ 45 46 48 49 ]thatachievetheperfectresiliencetothenode-compromiseattack.Thedetailshavebeendiscussedinpreviouschapters. 119

PAGE 120

36 { 38 45 46 48 ]usenodeidentiersinkeyestablishment,theysimplyusetheidenticationfunction.Ourschemeistherstinvestigationthattriestodigoutmoreapplicationvaluesofnodeidentier.WehaveshownthatbyembeddinglocationinformationintonodeidentiersourLBNhasintrinsicimmunityfrommanyattacksagainstnetworktopology.Besidessecurityvalue,webelieveourLBNcanstillbeusedinotherapplicationsinsensornetworks.OurLLAschemeincorporatesLBNastherststepauthenticationmethod,andusessharedkeytofurtherverifynodeidentity.InLLA,predistributedpolynomialsareusedtoachievekeyagreementtoprovideauthenticationservice.However,othershared-key-basedauthenticationschemescanalsoworkwellwithLBNinthesecondauthenticationstep,aslongastheyguaranteeneighboringnodescanestablishauniquesharedkey.SimilarschemesareSPINS[ 6 ],LEAP[ 64 ].ThebuildingblockSNEPinSPINS[ 6 ]canprovideneighborauthenticationbyasharedkey.However,twoneighboringnodesrelyonthebasestationtonegotiateasharedkey,whichisnotecientintermsofcommunicationoverhead.InLEAP[ 64 ],aglobalkeyisusedtoderivesharedkeystoachieveneighborauthentication,wheretheunderlyingassumptionisthatadversariescannotcompromiseanynodeduringnetworkbootstrapphase,thustheglobalkeycanbesafe.However,ourschemedoesnotrelyonthisassumptionandisresilienttonodecompromiseattacks.Zhangetal.[ 65 ]proposedtouselocation-basedkeystosecuresensornetworks.Theirschemeisbasedonpublickeycryptography,whileourschemeisbasedonsymmetrickeycryptography.Besides,intheirschemeeachlocation-basedkeyistighttoapreciselocationinthenetworkandthelocationinformationshouldbeobtainedbymobilerobots.Whenanodemoves,itslocation-basedkeyassociatedwithitspreviouslocationisinvalid.Hence,theirschemeisonlyapplicableinstationarysensornetworks,wheresensornodesdonotmoveafterdeployment.Ourschemeonlyusescourse-gaineda-priorideployment 120

PAGE 121

121

PAGE 122

6 ].Theconstrainedresourcesresultinlimitedcomputationandcommunicationcapabilities.Afterseveralweeksormonthsofoperation,somenodesinthenetworkmayexhausttheirpowerbecauseoftheunevendistributionoftracload.Applicationsmayfailduetothelossofsomecriticalsensornodesandbecomeuseless.Thoughpowersavingtechnologyinthedesignofbothhardwareandsoftwaremayextendthelifetimeofasensornetwork,newnodedeploymentisstillnecessaryinmanycases.Besidesthenaturallossofsensornodes,asensornetworkisalsosusceptibletomaliciousattacksinunattendedandhostileenvironments.Somesensornodesmaybedestroyedbyadversaries.Ifthenumberofattackedsensornodesexceedsacertainthreshold,theentirenetworkmaybecomeuseless.Hence,newsensornodesneedtobedeployedtomaintainthenormaloperationofthesensornetworkifnecessary.Inmilitaryscenarios,however,asensornetworkisusuallylackofcarefulsurveillanceafterdeployment.Henceanadversarycanalsodeploymaliciousnodesintothenetwork.Thesemaliciousnodesmayeasilyeavesdropmessagestransmittedovertheairbetweennodesorinsertfalsereportsintothenetwork[ 6 ].Inaddition,anintelligentattackermaylaunchtrickyattacksfromtheinsideofthesensornetworkbymanipulatingexistingsensornodes.Asensornodemaybecompromisedduetothelackoftamperresistance[ 34 ]sothatallthesecretsinitareexposedtotheadversary.Thentheadversarymayusethecompromisednodetolaunchothermoreseriousattacks.Forexample,intheSybilattack[ 60 ],amaliciousnode,whichmaybeacompromisedone,impersonatesothernormalnodesornewnodes.Another 122

PAGE 123

66 ],whereanadversarycompromisesanodeanddeploysmanycopiesofthenodeintothesensornetwork.TheadversarycanalsolaunchtheWormholeattack[ 61 { 63 ],inwhichpacketsaretunneledbetweentwodistantplacesinthesensornetwork,thusintroducingfalsenodesintheneighborhoodofnormalnodes.Theseattacksmaycausefatalhavoc[ 33 35 ]inthesensornetwork.Recently,manyschemes[ 6 13 15 17 18 56 ]wereproposedtoprotectsensornetworks.Theymaypreventexternalattackersfromeavesdroppingmessagesorinsertingfalsereports.However,theycanhardlydefendagainstinternalattackssuchastheSybilattack,thenodereplicationattackandtheWormholeattack.Thoughseveraltechniques[ 60 { 63 66 ]wereproposedtocounteracttheinternalattacks,eachofthemisonlytargetedtoonespecicattackbyusingdierentapproachesandhardwareassumptions.Itisverydiculttointegratethosetechniquesintoauniformhardwareplatform.Eveniftheintegrationispossible,itmaycostalotofresourcesanddeviatefromthelowcostconsideration.Inthischapter,weanalyzetheinternalattacksincludingtheSybilattack,thenodereplicationattackandtheWormholeattack.Weobservethatthecommontrickundertheseattacksisthattheymanipulateexistingnodestointroducemalicious\new"nodes,whichareindistinguishablefromlegitimatenewnodesundercurrentsensornetworksecuritytechnology.Thoseintroduced\new"nodescouldbeacceptedbyothernormalnodesaslegitimateones.Basedonthisobservation,wedesignanaccesscontrolprotocol[ 67 ]forsensornetworkstopreventmaliciousnodes,nomatterwhethertheyaredirectlydeployedbyadversariesorintroduced\new"ones,fromparticipatinginsensornetworks.Anewnodeshouldprovethatitnotonlyhascorrectidentitybutalsoistrulynewtobeadmittedintothesensornetwork.Besidesthenodeidentitywhichiswidelyusedinauthentication,weintroducethenodebootstrappingtime,whichisthetimewhenthenewnodebootstrapsitselftojointhesensornetwork,intotheauthenticationproceduretodierentiatemalicious\new"nodes,whichareactuallyoldnodes,fromlegitimatenew 123

PAGE 124

60 { 63 66 ]thatattempttodetectmaliciousnodesaftertheyjoinsensornetworks,ouraccesscontrolprotocolcanpreventmaliciousnodesfromjoiningsensornetworksattheverybeginning.Moreover,keyestablishmentisalsoincludedinouraccesscontrolprotocoltohelpthenewnodeestablishsharedkeyswithitsneighborssothatitcanperformsecurecommunicationswiththem.Therestofthischapterisorganizedasfollows.WeanalyzemosttypicalattacksinSection 6.2 andshowwhyaccesscontrolisnecessaryforsensornetworksinSection 6.3 .ThedetailsofouraccesscontrolprotocolaredescribedinSection 6.4 .SomesecurityanalysisandperformanceevaluationsarecarriedoutinSection 6.5 andSection 6.6 .WenallyconcludethechapterinSection 6.7 6-1 (a),forexample,amaliciousnodeBisdeployedinthevicinityofexistingnodeA.NodeBmayeasilyeavesdropmessagessentoutorreceivedbynodeA.IfnodeBknowsthecommunicationprotocolsinthesensornetwork,itmayeveninjectfalsereportstodisruptthenetworkfunctionalities[ 6 33 35 ].Somesecuritymeasuresmaybeenforcedtothwartthiskindofattack,butiftheadversaryhasthecapabilityofbreakingintothesecurityinfrastructure,he/shecanstilldeployasmanymaliciousnodesaspossible. 69 ].Thenitwasfoundtobeaseriousthreattosensornetworks[ 60 ].IntheSybilattack,a 124

PAGE 125

6-1 (b),forexample,anodeBiscompromisedbyanadversarywhothenmakesnodeBimpersonateotheridentities,e.g.,nodeC.FromthepointoftheviewofnodeA,itisjustlikeanewnodeCcomingoutinitsvicinity.IthasbeenshownthattheSybilattackmayposeaseriousthreattodistributedstorage(redundantinformationdestinedtoseveralnodesmaynallybestoredinonemaliciousnode),routingprotocols(multipathrouting,geographicrouting)[ 33 ],andsoon.Inaddition,itmayalsocausedevastatingconsequencestootherapplicationssuchasdataaggregation,voting,fairresourceallocation,andmisbehaviordetection[ 60 ].Severalpotentialdefensemethodswereproposedin[ 60 ],includingradioresourcetesting,vericationofkeysetsforrandomkeypredistribution,registration,positionverication,andcodeattestation.Thosemethodsrelyoneitherstricthardwareassumptionsorcomplicatedcooperationbetweenabunchofnodes. 66 ],anadversaryintentionallyputsmanyreplicasofacompromisednodeatmanyplacesinthenetworktoincurinconsistency.InFig. 6-1 (c),forexample,nodeBiscompromisedandoneofitscopiesisdeployedinthevicinityofnodeAsothatnodeAmaytakenodeBasitsnewneighbor.LiketheSybilattack,thenodereplicationattackcanalsorenderadversariestheabilitiestosubvertdataaggregation,misbehaviordetectionandvotingprotocolsbyinjectingfalsedataorsuppressinglegitimatedata[ 66 ].Theconventionalmethodstodefendagainstthenodereplicationattackusuallyincludecentralizedcomputingbasedonnodelocationsornumberofsimultaneousconnections,whichisvulnerabletothesingle-pointfailure.Distributeddetectionofthenodereplicationattackwasproposedin[ 66 ],wherethelocationofasuspectnodeisveriedbyrandomlyselectedwitnessnodes. 125

PAGE 126

61 ],anadversarytunnelspacketsbetweentwodistantplacesinthesensornetwork.InFig. 6-1 (d),forexample,theadversarydeploystwospecialdevicesintothevicinitiesofnodeAandnodeB,respectively.Thesetwodevicesshareasecretbroadbandchannel,whichisinvisibletosensornodes.Thenthesedevicesmayrecordpacketssentoutbyonenode,tunnelthosepacketsthroughthesecretbroadbandchanneltotheotherend,andreplaythosepacketsinthevicinityoftheothernode.TheconsequenceisthatnodeAmayndanewnodeBcomingoutinitsneighborhood,andviceversa.Thisattackmaydistortthenetworktopologybymakingtwodistantnodesbelievetheyareneighbors,thusbecomingaseriousattacktoroutingprotocols[ 61 ]. 6.3.1NecessityNewnodedeploymentisinevitablewhenapplicationsinthesensornetworkbecomeinstablebecauseofthelossofsensornodes.Thecooperativecharacteristicofsensornetworkapplicationsrequiresmutualtrustamongsensornodes.Adeployednewnode,however,maynotbealegitimateoneasisshowninSection 6.2 .Itmaybeamaliciousnodedirectlydeployedbyadversaries,oranintroduced\new"nodeduetotheSybilattack,thenodereplicationattackortheWormholeattack.TheunderlyingtrickoftheSybilattack,thenodereplicationattackandtheWormholeattackisthatthosemalicious\new"nodesareindistinguishablefromlegitimatenewnodesundercurrentsensornetworksecuritytechnology,hencethosemalicious\new"nodeswillbeacceptedbyothernormalnodesaslegitimateones.Topreventmaliciousnodesfromjoiningsensornetworks,accesscontrolshouldbeenforcedtocontrolsensornodedeployment.Asensornodeshouldprovethatitisalegitimateonewhendeployedintothesensornetwork.Usually,anaccesscontrolmechanismshouldaccomplishtwotasks: 126

PAGE 127

Attacks. 1.Nodeauthentication:Throughauthenticationadeployednodeprovesitsidentity(ID)toitsneighboringnodesandprovesthatithastherighttoaccessthesensornetwork;2.Keyestablishment:Sharedkeysshouldbeestablishedbetweenadeployednodeanditsneighboringnodestoprotectcommunications. 6 13 15 17 18 68 ]wereproposedintheliteraturetoprotectsensornetworks.However,theycanhardlyaddresstheaccesscontrolprobleminsensornetworks.SPINS[ 6 ]andTinySec[ 56 ]arevulnerabletothenodecompromiseattack, 127

PAGE 128

13 15 ]wereproposedtoachievekeyagreementsbetweenneighboringsensornodes,buttheycannotprovidetheauthenticationservicebecauseofthereuseofthesamekeysamongmanysensornodes.Bycompromisingafewsensornodes,anadversarycangetalotofkeysandwherebytomanufactureanddeploymanymaliciousnodes.ID-basedsymmetrickeysschemes[ 17 18 ]involvenodeIDsintokeyagreements.Theycouldprovidetheauthenticationservice,whereanode'sidentitycouldbechallengedbasedonthekeysitholds.Thoseschemes,however,arebasedonthreshold-basedsymmetrickeytechniques,wherethesecuritythresholdisdirectlydeterminedbythenodememoryresource.Duetothecontradictionbetweenthelargenumberofsensornodesinanetworkandtheconstrainedmemoryresource,theyusuallycannotprovidefullsecurity.Ifthenumberofcompromisednodesexceedsathreshold,anadversarycandestroythesecurityinfrastructureanddeployasmanymaliciousnodesaspossible.Withthedevelopmentofhardwarecapability,publickeytechniquesbecomeapossibleandpromisingapproachtosecuresensornetworksbecauseofitsexiblekeymanagementandscalability.Veryrecently,Watroetal.[ 68 ]proposedTinyPKprotocol,whereRSA[ 3 ]certicatesareusedtoauthenticateexternalpartiestosensornetworksandDie-Hellman[ 2 ]keyexchangesareusedtoachievekeyagreementsbetweenexternalpartiesandsensornodes.Comparedwithsymmetrickeytechniques,TinyPKismoreresilienttothenodecompromiseattack.TinyPKcouldbeusedintheaccesscontrolduringnodedeployment.Itmaypreventadversariesfromdeployingmaliciousnodes,anddetecttheSybilattack,butitcannotdetectthenodereplicationattackandtheWormholeattack,becausethe\new"nodesintroducedbythesetwoattackshavelegitimatecerticates. 128

PAGE 129

6.4.1OutlineApreloadedpublickeycerticatewhichincludesIDinformationoranID-basedsymmetrickeycanbeusedtoprovetheidentityofanewnode.Whenthenewnodeisdeployedintothesensornetwork,itsneighborsmayverifythecerticateorchallengetheID-basedsymmetrickeytocheckwhetherthenewnodehasalegitimateidentity.ByusingthisIDauthentication,adversariesarepreventedfromdirectlydeployingmaliciousnodesbecausetheydonothavecorrespondingcerticatesorID-basedsymmetrickeys.However,theIDauthenticationisnotenoughtoprotectthesensornetwork,asisshowninSection 6.3 .IntheSybilattack,thenodereplicationattackandtheWormholeattack,anadversaryinfactcouldmanipulateexistingnodestointroducemalicious\new"nodes.ThoseoldnodeshavepreloadedcerticatesorID-basedsymmetrickeys,sothe\new"nodesalsohavelegitimateidentities.Hence,weneedtodierentiatethoseoldnodesfromnewnodestofurtherprotectthesensornetwork.Asolutiontosolvetheproblemistoinvolveatimestampintotheauthenticationprocedure.Itisacommonsolutiontosolvingthefreshnessproblemsinourreallives.Forexample,theticketswebuyformoviesorfootballgamescarrytimestampswhichshowwhentheticketsarevalid.Thesimilarideacanalsobeappliedtothedesignofouraccesscontrolprotocolforsensornetworks.Afterasensornodeisdeployedintoasensornetwork,itwillbootstrapitselfatapresettimetojointhesensornetwork.Thedierencebetweenanoldnodeandanewnodeisthattheyhavedierentbootstrappingtimes.Hence,wemayusethebootstrappingtimeasthetimestampintoouraccesscontrolprotocol.OuraccesscontrolprotocolusesapreloadedcerticatewhichincludesbothIDinformationandbootstrappingtimetoauthenticatetheidentityofanewnode.Thecerticateisgeneratedbyacerticationauthority(CA),e.g.,theadministratorofthesensornetwork.InthecerticatethenodeIDinformationanditsbootstrappingtime 129

PAGE 130

6.4.2.1NetworkmodelWeassumethatsensornodesarestationarysothatifanodendsanewnodeinitsneighborhood,thenewnodemustbeeitheranewlydeployednodeoranodeintroducedbyadversaries.Allsensornodeshavethesametransmissionrangeandcommunicatewitheachotherviabi-directionalwirelesslinks.Eachnodehasaunique,integer-valued,non-zeroID.Weassumethatallsensornodesarelooselysynchronized.Eachsensornodehasapresetbootstrappingtime.Afterbeingdeployedintothesensornetwork,eachsensornodebootstrapsitselfatitsbootstrappingtimetojointhesensornetwork.Twosensornodesmayhavethesamebootstrappingtimeiftheyaredeployedsimultaneously.ApossiblecollisionattheMAClayermayoccurifthetwonodesbootstrapthemselves 130

PAGE 131

65 ].Hence,eachnodecannishbootstrappingwithinatolerancetimeintervalafteritsbootstrappingtime. 34 ].Hence,nodecompromiseisusuallyunavoidableinwirelesssensornetworks.Compromising,however,isnotatrivialjob.Weassumethateachsensornodecansustainatolerancetimeintervalbeforeitiscompromised,whichisalsoassumedbypreviouswork[ 34 64 ]. 6 13 15 17 18 36 ].However,withthefastdevelopmentofhardwareperformance,publickeycryptographybecomespossibleonlow-enddevices[ 68 70 ].Ellipticcurvecryptography(ECC)[ 71 72 ]andRSA[ 3 ]arematurepublic-keytechniquesthathavebeenresearchedbytheacademiccommunityformanyyears.ComparedtoRSA,ECCisseentobethestandardforthenextgenerationcryptographictechnology.ThefundamentaloperationunderlyingRSAisthemodularexponentiationinintegerrings.Itssecuritystemsfromthedicultyoffactorizinglargeintegers.Currently 131

PAGE 132

71 72 ].ThebestalgorithmsknownforsolvingECDLPareexponential.Hence,ECDLPisharderthanRSAgiventhesamelengthofkeys.Inotherwords,ECCcanachievethesamelevelofsecuritywithsmallerkeysizes.Ithasbeenshownthat160-bitECCprovidescomparablesecurityto1024-bitRSAand224-bitECCprovidescomparablesecurityto2048-bitRSA[ 73 ].Underthesamesecuritylevel,smallerkeysizesofECCoermeritsoffastercomputationaleciency,aswellasmemory,energyandbandwidthsavings,thusECCisbettersuitedfortheresourceconstraineddevices.DuetothemeritsofECC,ouraccesscontrolprotocoluses160-bitECCastheunderlyingcryptographicinfrastructure.Particularly,thesignatureoperationinourprotocolisbasedontheellipticcurvedigitalsignaturealgorithm(ECDSA)[ 73 ],andthesharedkeyisestablishedaccordingtotheDie-HellmanalgorithmoverECDLP. 6.4.4.1NetworkparametersBeforeasensornetworkisdeployed,theCAchoosesasetofsystemparametersincluding:1.aniteeldFq,whereqisalargeoddprimeofatleast160bits;2.anellipticcurveEoverFq(denotedbyE(Fq)hereafter);3.acyclicgroupG=ofpointsovertheellipticcurveE(Fq),whereGisthegeneratorofthegroupandhasanordernofatleast160bits,withn>4p 132

PAGE 133

71 72 ],noonecanderivetheCA'sprivatekeyfromthepair.Inaddition,theCAdoesnotgetinvolvedinthenetworkoperation,soadversarieshavenoopportunitytodirectlyattacktheCAtoget. where\k"istheconcatenationoperator. 133

PAGE 134

6-2 )andthehandshakebetweenanewnodeandanoldnode(Fig. 6-3 ). 134

PAGE 135

).NodeNiproceedstoverifywhethernodeNjisanewnodebycomparingTjwithitscurrenttimet.IfTjisoutofdate(jTjtj>Lj),nodeNisimplydropsthereceivedmessage.IfTjiswithinatolerancetimeinterval(jTjtjLj),nodeNicontinuestoverifyNj'sidentitybyECDSA.Specically,nodeNicomputes IfV=Cj,nodeNicanmakesurethatnodeNjisalegitimatenewnode.Thisisbecauseifthesignatureisvalid,thevericationequationholds: AfternodeNiveriestheidentityofnodeNj,itcalculatesasharedkeywithitsprivatekeyandNj'spublickey,i.e., 135

PAGE 136

Handshakebetweentwonewnodes. NodeNiandnodeNjcanmakesurethateachotherdoeshavethesharedkeybyfollowingthechallenge-responseprocedure.NodeNijustselectsanonceni,encryptsitandsendsittonodeNj.IfnodeNjhasthesharedkey,itcandecryptthenonceni.ThennodeNjsendsbackamessageincludingthenonceniandanencryptednoncenjchosenbyitselftonodeNi.NodeNicanalsodecryptthenoncenjandreturnittonodeNj.ThehandshakebetweennodeNiandnodeNjisdepictedinFig. 6-2 6-3 ).Afterthat,nodeNjcalculatesasharedkeywithitsprivatekeyandNi'spublickey,selectsanoncenj,encryptsthenoncewiththesharedkey,andreplieswiththemessage: 6.5 .NodeNisimplyveriesNj'sidentitybyfollowingECDSA.ThennodeNicandecryptthenoncenjandreturnittoNjtoshowthatitisa 136

PAGE 137

Handshakebetweenanewnodeandanoldnode. legitimatenewnode.NodeNialsochallengesnodeNjbysendinganencryptednonceniandrequiringNjtoreturnit.ThewholehandshakeisdepictedinFig. 6-3 6 ].Forexample,thesharedkeycanbefedintoafunctionf(ahashfunctionorapseudo 137

PAGE 138

74 ])togenerateanencryptionkeyasf(Kij;1)andanauthenticationkeyf(Kij;2). 6.5.1NewNodeDeploymentByauthentication,ouraccesscontrolprotocolcanpreventadversariesfromdirectlydeployingmaliciousnodesintosensornetworks.BecauseadversariesdonotknowtheprivatekeyoftheCA,he/shecannotfalsifycerticatesformaliciousnodes.OuraccesscontrolprotocolcaneectivelydefendagainsttheSybilattack,thenodereplicationattack,andtheWormholeattack.AsisshowninSection 6.2 ,theunderlyingtrickofthoseattacksisthattheadversarycouldmanipulateexistingnodestointroducemalicious\new"nodesintothesensornetwork.Byincludingthebootstrappingtimeinouraccesscontrolprotocol,anewnodeisonlyallowedtojointhesensornetworkduringitsbootstrappingphase.Afterthatitbecomesanoldnode.Hence,malicious\new"nodesarepreventedfromjoiningthesensornetworkattheverybeginning,becausetheydonothavetheproperbootstrappingtime,andtheyarepreventedfromfalsifyingthelatestbootstrappingtimewhichdoesnotmatchtheircerticates. 34 ].Ouraccesscontrolcannoteliminatethenodecompromiseproblem,butitcan 138

PAGE 139

34 ].Thenodebootstrappingphase,however,isusuallyveryshort,andinpracticeitisreasonabletoexpectittobeshorterthanthetimeneededtocompromisethenode[ 64 ].Hencewedonotneedtoworryaboutnodecompromiseduringthenodebootstrappingphase. 139

PAGE 140

6.6.1ECCvs.RSAThelengthofthebootstrappingphaseiscriticalforthesecurityperformanceofouraccesscontrolprotocol.Theshorterthebootstrappingphaseis,thelessopportunitiesadversarieshavetoattackthesensornetwork.Henceashortbootstrappingphaseisdesirabletokeepthesensornetworksafe. 140

PAGE 141

68 ]usesRSAtoauthenticateexternalpartiesandDie-HellmanoverDLPtoestablishsharedkeysbetweenexternalpartiesandsensornodes.Itrequiresthreemodularexponentiationoperationsoverintegerringsforeachsensornode:oneRSApublickeyoperationandoneRSAprivatekeyoperationfornodeauthenticationandoneDLPoperationforkeyestablishment.Ithasbeenshownin[ 68 70 ]thatapointmulitplicationneedslesscomputationtimethanamodularexponentiationunlesstheexponentischosenassomespecicvalue.InTinyPK[ 68 ],apublicexponente=3ischosenforcomputationalsimplicity,anda1024-bitRSAmodularexponentiationwithe=3onMICA1Motes[ 31 ]needs14:5s.TheDLPof2xisevaluatedin[ 68 70 ].Itshowsthata1024-bitmodularexponentiation2x,wherexisatleast160bits,needsmorethan50sonbothMICA1andMICA2Motes[ 31 ].However,a163-bitpointmultiplicationofECConMICA2Motesrequiresonly34s[ 70 ].Ifassemblylanguagesareusedinimplementation,muchmoredecreaseofcomputingtimecanbeachieved.Guraetal.[ 75 ]evaluatedtheassemblylanguageimplementationsofECCandRSAontheAtmelATmega128processor[ 32 ],whichispopularforsensorplatformsuchasCrossbowMICAMotes.Intheirimplementation,a160-bitpointmultiplicationofECCrequiresonly0:81s,while1024-bitRSApublickeyoperationandprivatekeyoperationrequire0:43sand10:99s,respectively.Obviously,ECCismorecomputationalecient, 141

PAGE 142

76 ].Mostoftheperformanceoverheadisattributabletotheincreaseinpacketsize[ 77 ].Comparedwitha1024-bitRSAsignature,ouraccesscontrolprotocolonlyintroducesa480-bitsignaturewhen160-bitECCisused.HencebyusingECCinsteadofRSAourprotocolcanachievemuchmoreenergyandbandwidthsavings. 13 15 ],ID-basedkeys[ 17 18 ],andlocation-basedkeys[ 36 37 45 ]trytoimprovetheresiliencetonodecompromisebyincreasingtheleastnumberofsensornodesthatanadversaryneedstocompromisetodestroytheentirenetworksecurityarchitecture.Theseschemescantolerateacertainnumberofcompromisednodes.TinyPK[ 68 ]ismoreresilienttonodecompromisebecauseoftheuseofRSA.ItmaypreventadversariesfromspreadingtheimpactofnodecompromisebylaunchingtheSybilattack,butitcannotdetectthenodereplicationattackbecausethecopiesofthecompromisednodesalsohavelegitimatecerticates.Byincludingthenodebootstrappingtimeintoaccesscontrolprocedure,ourprotocolcaneectivelypreventadversariesfrommanipulatingcompromisednodestolaunchtheSybilattackandthenodereplicationattack,andtheimpactofnodecompromiseisthuslimitedtothevicinityofthecompromisednodes. 142

PAGE 143

60 ].Onemethodistheradioresourcetesting,inwhicheachnodeassignsauniquechanneltoeachofitsneighborsincludingthosefakeneighborsandtestswhetheritsneighborscouldcommunicatewithitthroughtheassignedchannels.Thismethodassumesthateachnodehasenoughradioresourcesandrequiresseveralroundsofbroadcastingovermultiplechannels,thusleadingtoalargecommunicationoverhead.AnothermethodistousetheID-basedsymmetrickeys.Particularly,eachsensornodeispreloadedwithasetofkeyswhichareselectedfromaglobalkeypoolbyitsnodeID.TheIDofasuspectnodeischallengedbyasetofvalidatingnodesbasedonthekeyssharedbetweenthesuspectnodeandthevalidatingnodes.Besidesthelargeamountofcommunicationoverhead,thismethodmayfailifmanysensornodesarecompromisedsothatmostofthekeysintheglobalkeypoolareexposed.Inouraccesscontrolprotocol,thosemalicious\new"nodesintroducedbytheSybilattackarepreventedfromjoiningthesensornetworkattheverybeginning,becausetheydonothaveproperbootstrappingtimeandcorrespondingkeyswhicharechallengedduringtheauthenticationprocedure.Conventionalmethodstodefendagainstthenodereplicationattack[ 66 ]usuallyincludecentralizedcomputingbasedonnodelocationsorthenumberofsimultaneousconnections,whichisvulnerabletothesingle-pointfailure.Distributeddetectionofthenodereplicationattackwasproposedin[ 66 ],whereeachnodeisassumedtoknowitslocationanditisrequiredtosenditslocationtoasetofwitnessnodes.Ifawitnessnodendsacontradictioninthelocationclaimsofasuspectnode,thissuspectnodemustbeareplicatedone.Obviously,thismethodmayintroducealotofcommunicationoverhead.LikethefakenodesintheSybilattack,thereplicationsofcompromisednodesarealsopreventedfromparticipatinginthesensornetworkattheverybeginninginouraccesscontrolprotocol.Thoughthosereplicationshavelegitimateidentities,theydonothavecorrectbootstrappingtimestoshowtheyarethenewnodes.Theauthentication 143

PAGE 144

61 ]tolimitthemaximumrangeoverwhichpacketscanbetunneled.Theyrequirethateachnodeeitherknowitslocationorhaveatightlysynchronizedclocksothatthisinformationcanbeusedtocalculatethemaximumdistancethatarelayedpacketcouldtravel.Directionalantennas[ 62 ]werealsousedtodefendagainsttheWormholeattack.However,thesedefensesaretargetedtoadhocnetworksandrequireexpensivehardwaredevices,whichmaybeinfeasibleformostresourceconstrainedsensornetworks.Ourprotocoldoesnotrequirelocationinformationandonlyneedsloosesynchronizedclock.WangandBhargava[ 63 ]proposedtousecentralizedcomputingtodefendagainsttheWormholeattackinsensornetworks,inwhichacontrollercollectsallnodes'locationinformationtoreconstructthenetworktopologysuchthatanytopologicaldistortionmaybevisualized.Thisapproach,however,causesmuchintensivecommunicationoverheadandisonlysuitableforstaticWormhole.Ifadversariesmovearoundintheentirenetwork,thelocationoftheWormholewillchangedynamically.Eachlocationchangewilltriggeranewroundofexecutionofthetopologyreconstructionalgorithm.OurprotocolcanpreventdynamicWormholebyonlyinvolvinglocalizedauthentication,thuscansavealotofcommunicationoverhead. 6 13 15 17 18 36 ]trytosecuresensornetworks,adversariescanstillattackthenetworks[ 60 { 63 66 ]bymanipulatingoldnodestointroducemalicious\new"nodes.Inthispaper,weanalyzemostofthewell-recognizedattackstargetedatsensornetworks,includingtheSybilattack,thenodereplicationattackandtheWormholeattack,anddesignanaccesscontrolprotocoltopreventmaliciousnodes,whichmaybedirectlydeployedorjustoldnodesmanipulatedbyadversaries,from 144

PAGE 145

60 { 63 66 ]thattrytodetectmaliciousnodesaftertheyjoinsensornetworks,ouraccesscontrolprotocolcanpreventmaliciousnodesfromjoiningsensornetworksattheverybeginning.Inaddition,keyestablishmentisalsorealizedinouraccesscontrolprotocoltohelpthenewnodeestablishsharedkeyswithitsneighborssothatitcanperformsecurecommunicationswiththem.Comparedwiththeconventionalsensornetworksecuritysolutions,ouraccesscontrolprotocolcandefendagainstmostofthenotoriousattacksinsensornetworks,andachievebettercomputationandcommunicationperformanceduetotheusageofthemoreecientalgorithmsbasedonEllipticCurveCryptographythanthosebasedonRSA. 145

PAGE 146

6 ]isalight-weightbroadcastauthenticationprotocol,whichusesaone-wayhashkeychainandthedelayeddisclosureofkeystoprovidetheauthenticationservice.Itisecientduetotheuseofsymmetrickeytechniques.However,itrequiressynchronizationbetweenthesourceandrecipient,whichcanbeapotentialsecurityholeforadversaries[ 78 ].Moreover,thekeychaininTESLAhaslimitedlength,andthuscanonlysupportlimitedroundsofbroadcast.Ifthesourcenodeneedstobroadcastforalongperiod,ithastogeneratealongkeychain.Butthemanagementofalongkeychainisdicultforlow-endsensornodes.SoTESLAcanonlybeusedbythebasestationsforthenetworkbroadcast.Inthischapter,weproposeanovelprotocol,calledbatch-basedbroadcastauthentication(BABRA)forwirelesssensornetworks[ 79 ].BABRAbroadcastspacketsinbatchesand 146

PAGE 147

7.2 simplydescribestheTESLAprotocol.DetailsofBABRAaregiveninSection 7.3 .SomecomparisonsbetweenTESLAandBABRAarecarriedoutinSection 7.4 .ThepaperisnallyendedinSection 7.5 80 ].Itisbasedonaone-wayhashchain(OHC),whichisasequenceofkeys,K0;K1;:::;Kn,suchthatKj1=H(Kj),8j,j>0,wherethehashfunctionHsatisestwoproperties:1.Givenx,itiseasytocomputery=H(x);2.Giveny,itiscomputationallyinfeasibletocomputexsuchthaty=H(x).TherstkeyK0isunicastedtoalltherecipientnodesasacommitmentinadvance.Theentirebroadcaststreamisdividedintocontinuoustimeslots.Abroadcastedpacketinthet-thtimeslotcarriesamessageauthenticationcode(MAC)generatedbyusingthet-thkeyKtoftheOHC.AlltherecipientnodesdonotknowKtwhentheyreceivethepacket.Afterdtimeslots,thesourcenodedisclosesKt.TheneverynodecanauthenticateKtbyapplyingthehashfunctiontoKtseveraltimesandcheckingwhetherHk(Kt)=Ktkholds,whereKtkisthetk-thkeythathasbeenreceivedandauthenticated.Afterthat,therecipientnodecanusetheauthenticatedKttoauthenticatethepacketsofthet-thslot.Thedelayedkeyreleasecanecientpreventmaliciousnodesfromimpersonating 147

PAGE 148

78 ].ThedistributionofthekeychaincommitmentK0toallthenodesiscommunicationexpensivebecausethecommitmenthastobeunicastedtoeachnodewhilethenetworkcanconsistoflargevolumeofnodes.TheOHClengthislimited,andthusitcannotsupportbroadcastforalongtime.ThecomplexkeychainmanagementindicatesthatTESLAcanbeusedonlybythebasestationforthenetworkbroadcast.Multilevelkeychainsareusedtoextendthelifetimeofauthenticatedbroadcast[ 81 ],butitisstilllimitedbythehighestlevelOHC.ThemultilevelkeychainsalsorequirethesourcenodemanagemanyOHCsatthesametimeandthusarenotsuitableforsensornodes.Moreover,timesynchronizationisstillarequirement. 82 ]andisoutofourconsiderations. 148

PAGE 149

Onebatchofbroadcastandthebatchpacketformat. Themainpurposeofauthenticatingbroadcastistopreventadversariesfrominjectingboguspackets.BABRAalsousesdelayedkeydisclosuretocounteracttheboguspacketinjection.Inaddition,adversariescanalsoinjectradiointerferenceatthephysicallayertodisruptcommunications,leadingtotheDoSattack[ 35 ].Theintermittentinterferencecandeterioratechannelconditionandcausepacketloss.Thecontinuousjammingcanevenstopcommunications.However,duetothelargescaleofnetworkandcostconsiderations,adversariesmaynotbeabletojamtheentirenetwork.Inthispaper,weassumethattheimpactofradiojammingonlycoversaportionofthenetworkatonetime.Thereareotherattacksandcorrespondingcountermeasuresdiscussedintheliterature[ 33 35 ].Theyareoutofthescopeofthispaperbecausemostofthemareunrelatedtobroadcastauthentication.Wehavedevelopedseveralschemes[ 9 45 46 ]toestablishpairwisekeystosecurepoint-to-pointcommunications.Inthischapter,wesimplyassumethateverypairofneighboringnodessharesapairwisekeyafternetworkinitialization. 149

PAGE 150

83 ].Particularly,allthepacketsinonebatchalsocarryahashofthekeyassociatedwiththenextbatch.Hence,eachbroadcastedpacketconsistsoffourparts:thebatchindex,thepayload,thehashofthekeyofnextbatch,andtheMACcalculatedoverthepreviousthreepartsandthebatchkey(Fig. 7-1 ).Thedelayedbatchkeycanauthenticatethecorrespondingbatch.Thehashofthekeyofnextbatchisauthenticatedatthesametime,andcanbeusedtoauthenticatethekeyofnextbatch.TheentirebroadcaststreamisdepictedinFig. 7-2 .Beforebroadcast,thesourcenodebootstrapsalltherecipientnodeswiththehashH(K1)oftherstbatchkeyK1.DependingonthescenarioswhereBABRAisapplied,dierentmethodscanbeusedtobootstrapthehashvalue.Wewilldiscussthisissuelater.Afterbootstrapping,thesourcenodecansendoutbatchesofbroadcastedpacketsonebyoneanddisclosethecorrespondingbatchkeyslately(Fig. 7-2 ).Eachbatchisnotnecessarytobesentrightaftertheendofthepreviousbatch.Therefore,BABRAcanbeadaptedtodierentdatarates. 150

PAGE 151

Theauthenticatedbroadcastingstream. Inhostileenvironments,theadversarycaninjectjamminginterferenceandcausepacketloss.Thenodesinthejammedareawillseekhelpfromthesurroundingneighborstorecoverthelostinformationsuchaskeysorkeyhashes.Tofacilitatesuchlocalcollaboration,eachrecipientnodekeepsthelatestkkeysreceivedfromthesourcenode.WewilldiscussthisissueinSection 7.3.5 6 9 45 46 81 ]. 151

PAGE 152

c+P;(7{1)wherel>1isaconstant,Ristheradiusofnodecoverage,cisthespeedoflight,andPisthepacketprocessingdelay.Forthenetworkbroadcast,theDPvalueDnshouldbelargerthanthetimethatapacketistransmittedoverthemaximumdiameterLofthenetwork,andthuscanbesetas RR c+P;(7{2)wheren>1isaconstant. 152

PAGE 153

7-3 givesthekeysurvivalprobabilitiesPversusthekeydisclosetimestwhenthepacketlossrateplvariesfrom0.2to0.8.Wecanseebysimplydisclosingmultipletimes,thebatchkeycanbereceivedwithveryhighprobability.Itisworthnotingthattodisclosekeymultipletimesisthesimplestforwarderrorcorrection(FEC)methodtocounteractpacketlossincommunications.MorecomplexandrobustFECmethodscanalsobeusedheretoincreasetheresiliencetothekeyloss.OneexampleistouseReed-Solomoncodes.Wedonotdiscussthisissuehereforthesakeofpagelimit.Thesecondmethodiscarriedoutjustincasethatitisunluckythatallthetreceptionsofbatchkeyfail.Insuchacase,therecipientnodewillseekhelpfromitsneighborsrightaftertheexpirationoftheKPtimer.Forthekeylossduringthenetworkbroadcast,thenodewilllocallybroadcastamessagetorequestitsneighborsforthelostkey:a!:hj;H(Kai+1);MAC(j;H(Kai+1);Kai)i;wherejistheindexofthebatchofwhichthekeyislost,Kai+1isthekeyassociatedwiththenextbatchofnodea'slocalbroadcaststream,andKaiisthekeyofthecurrentbatchofa'slocalbroadcaststream.Thereforethismessageisauthenticatedbythelocalbroadcastauthentication.Theadversarycannotspoofthemessage.IfaneighbornodebknowsthekeyKj,itwillreplyamessagethroughalocalbroadcastmessage:b!:hKj;H(Kbi+1);MAC(Kj;H(Kbi+1);Kbi)i;whereKbi+1isthekeyassociatedwiththenextbatchofnodeb'slocalbroadcaststream,andKbiisthekeyofthecurrentbatchofb'slocalbroadcaststream.Thismessageisalso 153

PAGE 154

Thekeysurvivalprobability. authenticatedsothatitcannotbespoofed.Inaddition,thekeyKjisbroadcasted,sonodebhasnobonusofreplyingbogusmessagesbecausenearbynodesthatalsohaveKjcancheckwhethernodebliestonodea.Thislocalmonitoringhasbeenusedinmisbehaviordetection.Oneexampleisdiscussedin[ 84 ].WhennodeagetsKjfromitsneighborb,itwillbroadcastKjagainthroughitslocalauthenticatedbroadcastsothatitsneighborsknowthatitreallygetsKj.Ifnoneofnodea'sneighborsknowsKj,theywillcontinuetheaboveprocedureuntilsomenodecanreplywithKj.Forexample,ifnodebdoesnotgetKjbutitsneighborcknowsKj,thenbcanlearnKjfromc.ThenbcanbroadcastKjifithasarequestfroma. 154

PAGE 155

155

PAGE 156

156

PAGE 157

81 ].A32-bitbatchindexcansupportabroadcaststreamupto4971daysifthesourcekeepssendingbatchescontinuously.AsforthekeyhashineachBABRApacket,itslengthshouldguaranteethatnotwokeyshavethesamehashvalue.Otherwise,theadversarycanspoofbroadcastedpackets.Consideringthe32-bitbatchindex,thenumberofkeysinBABRAis232.Accordingtothebirthdayparadox[ 85 ],a64-bitkeyhashisenoughtoguaranteethatallthe232keysgeneratedierenthashvalueswithaprobabilitycloseto1.ThoughBABRAintroducestheadditionalpacketoverheadforthekeyhash,itisworthbecauseoftheeliminationofthetimesynchronizationrequirement.LikeTESLA,BABRAalsorequireseverynodetobuerpacketsbeforethecorrespondingkeyisdisclosed.Thedierenceisthemanagementofkeys.InTESLA,thesourcenodehastomanageakeychain,whichhasalengthdeterminedbythelifetimeofthebroadcaststream.However,tomanagesuchakeychainmaynotbefeasiblewhenthesourcewantstobroadcastforalongtime.InBABRA,allthekeysareindependent.TheeliminationofkeychainsmakesBABRAsuitableforboththenetworkbroadcastbybasestationandthelocalbroadcastbysensornodes.EachnodeinBABRAcachesthelatest 157

PAGE 158

158

PAGE 159

86 ]isanecientmethodtodelivermultimediacontenttoagroupofreceiversandisgainingpopularapplicationssuchasliveshow,IPTV,realtimestockquotesbroadcast,videoconferenceorinteractivegames.Authenticationiscriticalinsecuringmulticaststreams[ 87 { 89 ]becauseitprovestheoriginofamulticaststream.Anidealapproachistoattachasignaturetoeachpacketandleteachreceiververifythesignaturetoauthenticatethepacket.However,existingdigitalsignaturealgorithmsarecomputationallyexpensive.Foratypicalmulticastapplication,thesenderisapowerfulserver,butreceiverscanhavevariouscomputationandcommunicationcapabilitiesandusuallyarelesspowerfulthanthesender.Theidealapproachraisesaseriouschallengetothereceiver'scomputationalcapabilityandmaynotbeaordableinmostrealtimemulticastapplications.Inordertoreducethenumberofsignaturevericationoperation,conventionalschemes[ 90 { 95 ]divideamulticaststreamintoblocks,associateeachblockwithasignature,andspreadtheeectofthesignatureacrossallthepacketsintheblockthroughsomeecientoperationssuchashashchainsorredundancycodes.Inthisway,thecomputationrequirementisreducedtoonesignaturevericationplussomehashordecodingoperationsper-blockinsteadofper-packet.Theblock-basedapproachsuersfromsomedrawbacksinreality.Someschemes[ 90 { 95 ]usehashchainstolinkpacketstotheirblocksignaturesandotherschemes[ 102 { 107 ]useerasurecodesorerrorcorrectioncodestoprotectblocksignatures.Hashandcodingestablishrelationshipamongallthepacketsinoneblock.Howevertherelationshipmakesexistingschemesvulnerabletopacketloss,whichisverycommonincurrentInternetandwirelessnetworks.Thelossofacertainnumberofpacketscanresultinthefailureofauthenticationofotherreceivedpackets.Inanextremecase,thelossof 159

PAGE 160

3 109 { 113 ]toverifythesignaturesofanynumberofpacketsatthesametime.Thereforeourschemeiscalledmulticastauthenticationbasedonbatchsignature(MABS).Themaincontributionsaremadeasfollows:1.MABSisperfectlyresilienttopacketlossinthesensethatnomatterhowmanypacketsarelost,therestcanalsobeveriedbyreceivers.Incontrast,mostconventionalschemescannottotallysolvethepacketlossproblem;2.Byusingbatchsignatures,MABScancompletelyeliminateauthenticationlatencyatthesenderandreceivers.Thisisasignicantimprovementtothequalityofrealtimeapplicationscomparedwithconventionalblock-basedschemes;3.WeproposethreeimplementationsofMABSincludingtwonewbatchsignatureschemesbasedonBLS[ 111 ]andDSA[ 112 ],whicharemoreecientthantheexistingonebasedonRSA[ 3 ]; 160

PAGE 161

90 { 95 ]intheliterature.Inthehashchainschemes[ 90 { 95 ],amulticaststreamisdividedintoblocks,eachofwhichisassociatedwithasignature.Ineachblock,thehashofeachpacketisembeddedintoseveralotherpacketsinadeterministicorprobabilisticway.Thehashesformchainslinkingeachpackettotheblocksignature.Thereceiververiestheblocksignatureandauthenticatesallthepacketsthroughhashchains.Aspecialhashchainschemeisthetreechainingscheme[ 100 101 ],whichconstructsahashtreeforeachblockofmessages.Therootofthetreeissignedbythesender.Eachpacketcarriesthesignedrootandseveralhashes.Whenthereceiverreceivesonepacketintheblock,heusestheauthenticationinformationinthepackettoauthenticateit.Thebueredauthenticationinformationisfurtherusedtoauthenticateotherpacketsinthesameblock.However,withoutthebueredauthenticationinformation,eachpacketisindependentlyveriablewithatrade-oofper-packetsignatureverication.Inthesignatureamortizationschemes[ 102 { 107 ],asignatureisgeneratedfortheconcatenationofthehashesofallthepacketsinoneblock.Anerasurecodingorforwarderrorcorrectioncodingalgorithmisusedtochoptheblocksignatureintomanypiecesandattacheachpacketwithonepiece.Thecodingapproachmakesthereceiverbecapableofrecoveringtheblocksignaturewhenreceivingatleastacertainnumberofpieces. 161

PAGE 162

79 119 { 122 ]usesharedkeysbetweenthesenderandthereceivertoauthenticatemulticaststreams.Thoughtheyaremoreecientthanthoseusingsignatures,theycannotprovidenon-repudiationasthesignatureapproach.Inthispaper,wefocusonthesignatureapproach. 82 ].Inthischapter,wefocusonmulticastauthentication. 162

PAGE 163

90 { 95 ]useblock-basedsignaturestoreducethecomputationaloverheadbutalsoincuratrade-oofvulnerabilitytopacketlossandauthenticationlatencyatthesenderand/orreceivers.Unlikethoseschemes,weusepacket-basedsignatureasintheidealapproach,becausetheindependencyamongpacketscantotallyeliminatethevulnerabilitytopacketloss.Thereforetheproblemishowtoreducethecomputationoverheadatreceivers.Inordertoavoidtheexpensivepacket-basedsignatureverication,weuseanecientcryptographicprimitivecalledbatchsignature[ 3 109 { 113 ]tosimultaneouslyverifythesignaturesofanynumberofpackets.Whenthereceivercollectsnpackets: 163

PAGE 164

3 ],weproposeanothertwoschemesbasedonBLS[ 111 ]andDSA[ 112 ],whicharemoreecientthanbatchRSA. 8.4.1.1RSARSA[ 3 ]isaverypopularcryptographicalgorithminmostsecurityprotocols.InordertouseRSA,asenderchoosestwolargerandomprimesPandQtogetN=PQ,andthencalculatestwoexponentse;d2ZNsuchthated=1mode(N),where(N)=(P1)(Q1).Thesenderpublishes(e;N)ashispublickeyandkeepsdinsecretashisprivatekey.Asignatureofamessagemcanbegeneratedas=(h(m))dmodN,whereh()isacollision-resistanthashfunction.Thesendersendsfm;gtothereceiverthatcanverifytheauthenticityofthemessagembycheckinge=h(m)modN. 109 110 ]canbeused.Givennpacketsfmi;ig;i=1;:::;n,wheremiisthedatapayloadandiisthecorrespondingsignature,thereceivercanrstcalculatehi=h(mi)andthenperformthefollowingverication: 164

PAGE 165

Beforethebatchverication,thereceivermustensureallthemessagesaredistinct.OtherwisethebatchRSAisvulnerabletotheforgeryattack[ 110 ].Thisiseasytoimplementbecausesequencenumbersarewidelyusedinmanynetworkprotocolsandcanensureallthemessagesaredistinct.Ithasbeenprovedin[ 110 ]thatwhenallthemessagesaredistinct,thebatchRSAisresistanttosignatureforgeryaslongastheunderlyingRSAalgorithmissecure.Theattackermaynotforgesignaturesbutmanipulateauthenticpacketstoproduceinvalidsignatures.Forexample,giventwopacketsfmi;igandfmj;jgfori6=j,anattackercanmodifythemintofmi;igandfmj;j=g.Themodiedpacketscanstillpassthebatchverication,butthesignatureofeachpacketisnotcorrect(thatiswhythebatchRSAvericationiscalledscreeningin[ 110 ]).However,theattackercandothisonlywhenhegetsfmi;igandfmj;jg,whichmeansthemessagemiandmjhavebeencorrectlysignedbythesender.Therefore,thisattackisofnoharmtothereceiver[ 110 ]. 165

PAGE 166

111 ]andDSA[ 112 ],whichcanreducethecomputationcomplexityatthesender. 111 ]. OnemeritofBLSsignatureisthatitcangenerateaveryshortsignature.Ithasbeenshownin[ 111 ]thatann-bitBLSsignaturecanprovideasecuritylevelequivalenttosolvingadiscretelogproblem(DLP)[ 113 ]overaniteeldofsizeapproximately26n.Therefore,a171-bitBLSsignatureprovidesthesamelevelofsecurityasa1024-bitDLP-basedsignatureschemesuchasDSA.Thisisaverynicechoiceinthescenariowherecommunicationoverheadisanimportantissue. 166

PAGE 167

WecanprovethatourbatchBLSissecuretosignatureforgeryaslongasBLSissecuretosignatureforgery.Theorem1SupposeanattackerAcanbreakthebatchBLSbyforgingsignatures,anotherattackerBcanbreakBLSunderthechosenmessageattackbycolludingwithA.Proof.SupposeBisgivenn1messagesandtheirvalidsignaturesfmi;ig;i=1;:::;n1,Bcanforgeasignaturenforanychosenmessagemn,suchthatfmn;ngsatisestheBLSsignaturescheme,bycolludingwithAinthefollowingsteps:1.Bsendsnmessagesmi;i=1;:::;nandn1signaturesi;i=1;:::;n1toA;2.BecauseAcanbreakthebatchBLSscheme,Ageneratesnfalsesignaturesi0;i=1;:::;nthatpassthebatchBLSverication,thenreturnstoBavalueV=Qni=1i0;3.Bcomputesn=V=Qn1i=1iasthesignatureformi,because 111 ],ourbatchBLSschemeisalsosecuretoforgeryunderthechosenmessageattack. 167

PAGE 168

111 ],thesigningoperationismoreecientthanRSAsignaturegeneration.Moreover,BLScanbeimplementedoverellipticcurves[ 71 72 ],whichhavebeenshownintheliteraturetobemoreecientthanniteintegereldsonwhichRSAisimplemented.Therefore,wecanexpectthatourbatchBLSismoreaordablebythesenderthanbatchRSAandalsoachievecomputationeciencyatthereceiver. 112 ]isanotherpopulardigitalsignalalgorithm.UnlikeRSA,whichisbasedonhardnessoffactoringtwolargeprimes,DSAisdeemedsecurebasedonthedicultyofsolvingDLP[ 113 ].AbatchDSAsignatureschemewasproposedin[ 114 ]butlaterwasfoundinsecure[ 115 ].Harnimprovedthesecurityof[ 114 ]in[ 116 117 ].Unfortunately,BoydandPavlovskipointedoutin[ 118 ]thatHarn'sworkisstillvulnerabletomaliciousattacks.HereweproposeabatchDSAschemebasedonHarn'sworkandcounteracttheattackdescribedin[ 118 ]. 117 ],somesystemparametersaredenedas:1.p,aprimelongerthan512-bit;2.q,a160-bitprimedivisorofp1;3.g,ageneratorofZpwithorderq,i.e.,gq=1modp; 168

PAGE 169

((gsr1yhr1)modp)modq=((g(s+hx)r1)modp)modq=(gkmodp)modq=r: ((gPni=1siri1yPni=1hiri1)modp)modq=nYi=1ri: 169

PAGE 170

((gPni=1siri1yPni=1hiri1)modp)modq=((gPni=1(si+hix)ri1)modp)modq=(gPni=1kimodp)modq=nYi=1ri: 118 ]pointedoutanattackagainsttheHarnbatchDSAscheme[ 117 ]whereanattackercanforgesignaturesforanychosenmessagesetthathasnotbeensignedbythesender.Theprocessis:1.chooseBandC,calculateA=(gByCmodp)modq;2.foranymessagesetmi,i=1;:::;n,randomlychooseri,i=1;:::;n2;3.computern1andrntoensurethat 4.randomlychoosesi,i=1;:::;n1andcomputesntoensurethat Theprobabilitythatfmi;ri;sig,i=1;:::;nareforgedmessagessatisfyingthebatchvericationis1 2[ 118 ]. 170

PAGE 171

8{9 )andEq.( 8{10 )becauseparametersA,C,hivaluesareknown.Byintroducingriintothehashoperation,thehashvalueshiinEq.( 8{10 )areunknowntotheattacker.Thereforetheattackercannotcomputerivaluesandtheforgeryattackdiscussedin[ 118 ]isdefeated.LikethecasesinbatchRSAandourbatchBLS,theattackermaymanipulateauthenticpacketsfmi;(ri;si)gtoproduceinvalidsignaturesfmi;(ri0;si0)g,whichcanstillpassthebatchverication.Theattackercankeepriunchanged,randomlychoosesi0,i=1;:::;n1andsolvesn0satisfying However,thisattackdoesnotaectthecorrectnessandauthenticityofmessagesbecausetheyhavebeenreallysignedbythesender[ 118 ].Therefore,thereceivercanstillacceptthembecausethebatchvericationsucceeds. 171

PAGE 172

92 ],augmentedchain(AugChain)[ 96 ],PiggyBack[ 94 ],treechain(Tree)[ 101 ]andSAIDA[ 103 ].Theseschemesarerepresentativesofhashchain,treechainandcodingschemesandarewidelyusedinperformanceevaluationintheliterature. 92 ],wechoosethechaincongurationof5-11-17-24-36-39,whichhasthebestperformanceamongallthecongurationsoflength6asisshownin[ 92 ].ForAugChain[ 96 ],wechooseC3;7chainconguration.ForPiggyBack[ 94 ],wechoosetwoclasspriorities.ForTreechain[ 101 ],wechoosebinarytree.ForSAIDA[ 103 ],wechoosetheerasurecode(256;128).Foralltheseschemes,wechoosetheblocksizeof256packetsandsimulateover100blocks.Weconsidertherandomlossandtheburstlosswithamaximumlosslengthof10packets.ThevericationratesunderdierentlossratesaregiveninFig. 8-1 andFig. 8-2 .WecanseethatthevericationratesofEMSS[ 92 ],augmentedchain(AugChain)[ 96 ]andPiggyBack[ 94 ]aredecreasedquicklywhenthelossrateisincreasing.Thereasonisthathashchainsresultinthecorrelationamongpacketsandthiscorrelationisvulnerabletopacketloss.SAIDA[ 103 ]illustratesaresiliencetopacketlossuptoacertainthreshold,becauseofthethresholdperformanceoferasurecodes.OurMABSandTreeschemes[ 101 ]haveperfectresiliencetopacketlossinthesensethatallthereceivedpacketscanbeauthenticated.ThisisbecauseallthepacketsinMABSandTreeschemesareindependentfromeachother.Aswewillshowlater,however,Treeachievesthisindependencybyincurringlargeoverheadandauthenticationlatencyatthesenderandthereceiver,whileourMABSdoesnothavethesedrawbacks. 172

PAGE 173

Vericationrateundertherandomlossmodel. 173

PAGE 174

Vericationrateundertheburstlossmodelwiththemaximumburstlength10. WeshowthelatencyindierentschemesinTable 8-1 .Inparticular,weconsiderhowmanypacketsneedtobebueredforonepackettobesignedorveriedatthesenderoreachreceiver.Wecanseethatexistingschemesallrequirethatthesenderand/oreachreceiverbueruptooneblockofpackets.OurMABSdoesnothavelatencyatthesenderandthereceiver.Thesendercansendoutonepacketrightaftersigningit,andeachreceivercanverifyallthepacketshehasreceivedwheneverthehigherlayerapplicationrequires,becausethereisnorelationshipamongpacketsandnolimitonthenumber 174

PAGE 175

Authenticationlatencyofdierentschemes. SchemesSenderReceiver EMSS[ 92 ]1nAugChain[ 96 ]pnPiggyBack[ 94 ]n1Tree[ 101 ]n1SAIDA[ 103 ]nmMABS11 ofpacketsineachbatchverication.ThiscangreatlyincreasetheQoSperformanceofmulticaststreams. 8-2 .Alltheconventionalschemesrequireonesignature(eithersigningorverication)operationandatleastnhashingoperationsonablockofnpackets.SAIDA[ 103 ]evenrequiresadditionalcodingoperation.OurMABScanachievethesamelevelcomputationaleciencyatthereceiverasconventionalschemeswhileincreasingthecomputationaloverheadatthesender.Thisisaordablebecauseusuallythesenderismuchmorepowerfulthanreceivers.Moreover,weproposeourbatchBLSandbatchDSAthataremoreecientthanthebatchRSAandthusthesenderhasmoreoptionstochooseaccordingtoitscapability.WecomparethecomputationaloverheadofthreebatchsignatureschemesinTable 8-3 .RSAandBLSrequireonemodularexponentiationatthesenderandDSArequirestwomodularmultiplicationswhenrvalueiscomputedo-line.Usuallyonec-bitmodularexponentiationisequivalentto1:5cmodularmultiplicationsoverthesameeld[ 110 118 ].Moreover,ac-bitmodularexponentiationinDLPisequivalenttoac 175

PAGE 176

Computationoverheadofdierentschemesforoneblock. SchemesSenderReceiver EMSS[ 92 ]1S+nH1V+nHAugChain[ 96 ]1S+nH1V+nHPiggyBack[ 94 ]1S+nH1V+nHTree[ 101 ]1S+(2n1)H1V+nlognHSAIDA[ 103 ]1S+nH+1EC1V+nH+1EDMABSnS1V Computationaloverheadofdierentbatchschemes. SchemesSender(perpacket)Receiver(pernpackets) BatchRSA1E1E+(2n2)MBatchBLS1E2P+(2n2)MBatchDSA2M2E+3nM 123 ]onthecomputationaloverheadofsignatureschemesonPIII1GHzCPU,thesigningandvericationtimefor1024-bitRSAwitha1007-bitprivatekeyare7:9msand0:4ms,for157-bitBLSare2:75msand81ms,andfor1024-bitDSAwitha160-bitprivatekey(withoutprecomputingrvalue)are4:09msand4:87ms.WecanobservethatforBLSandDSAthesigningisecientbutthevericationisexpensive,andviceversaforRSA.Therefore,wecansavemorecomputationalresourceatthereceiverbyusingourbatchBLSandbatchDSAthanbatchRSA.ItisalsomeaningfultouseourbatchBLSandbatchDSAatthereceivertosavecomputationresources. 8-4 .Conventionalschemesattachalargenumberofhashesplusonesignaturetoeachblock.MABSrequiresonesignatureforeachpacket,butthisoverheadiscomparablewithconventionalschemesconsideringthosehashes.WealsocomparethelengthoftwopopularhashalgorithmMD5[ 124 ]andSHA-1[ 125 ]andthesignaturelengthofthreesignaturealgorithmsinTable 8-5 .Giventhesame 176

PAGE 177

Communicationoverheadofdierentschemesforoneblock. SchemesOverheadperPacket EMSS[ 92 ]1S+dnH(d6)AugChain[ 96 ]1S+2nHPiggyBack[ 94 ]1S+(2nPri=1ki)HTree[ 101 ]nS+nlognHSAIDA[ 103 ]1S+n2 Communicationoverheadofsignatureschemes. SchemesLength(bits) MD5128SHA-1160RSA1024BLS171DSA320 securitylevelas1024-bitRSA,BLSgeneratesa171-bitsignatureandDSAa320-bitsignature.ItisclearthatbyusingBLSorDSA,MABScanachievemorebandwidtheciencythanusingRSA,andcouldbeevenmoreecientthanconventionalschemesusingalargenumberofhashes. 107 126 { 130 ].AnOWAcanbeusedfor 177

PAGE 178

178

PAGE 179

90 { 92 94 96 102 ],thisoneisvulnerabletopacketlossbecauseifthesignatureforaislost,thesetofpacketscannotbeauthenticated.(2)Weusethebatchvericationtoauthenticatepacketsandthismethodisperfectlyresilienttopacketloss.Therefore,herewedonotneeda.WeonlyusetheRecoveralgorithmtocheckwhethertwopacketsbelongtothesameset.AnecientmethodtoconstructOWAsistheMerklehashtree[ 47 ].Herewetakeabinarytreeforexample(Fig. 8-3 ).Thesenderconstructsabinarytreefor8packets.Eachleafisahashofonepacket.Eachinternalnodeisthehashvalueonbothitsleftandrightchildrenandtherootistheaccumulatorofthesepackets.Thewitnessofonepacketisthesetofthesiblingsofthenodesalongthepathfromthepackettotheroot.Forexample,thewitnessofthepacketP3isfH4;H1;2;H5;8gandtheaccumulatorcanberecoveredasH1;8=H((H1;2;(H(P3);H4));H5;8).ConstructingaMerkletreeisveryecientbecauseonlyhashoperationisperformed.Meanwhile,theone-waypropertyofhashoperationensuresthatgiventherootofaMerkletreeitisinfeasibletondoutapacket,whichisnotinthesetassociatedwiththeMerkletreeandfromwhichthereisapathtotheroot.Whenthesenderhasasetofpacketsforbroadcast,itgeneratesaMerkletreeforthesetandattachesawitnesstoeachpacket.Therootcanberecoveredbasedoneachpacketanditsmark.Eachreceivercanndwhethertwopacketsbelongtothesamesetbycheckingwhethertheyleadtothesamerootvalue.Therefore,therecoveredrootshelpclassifyreceivedpacketsintodisjointsets.Onceasetisauthentic,thecorresponding 179

PAGE 180

AnexampleofMerkletree. rootcanbeusedtoauthenticatetherestofpacketsunderthesameMerkletreewithoutbatch-verifyingthem,whichsavescomputationoverheadateachreceiver.Fig. 8-4 illustratesthedetailsofMABSincludingtheDoScountermeasure.Atthesenderpart,thesendergeneratesamulticaststream.Foreachmessagemi,thesendercomputesasignatureiaccordingtosomesignaturealgorithm.ThenthesenderconstructsOWAsonfmi;igandcomputesawitnesswibasedonOWAalgorithms.Thereforeeachpacketispi=fmi;i;wig.Thesepacketsaresentoveralossyandhostilechanneltomanyreceiversthroughmulticastrouting.Atthereceiverpart,thereceivergetsastreamofpacketsincludingbothauthenticandpotentiallyforgedones.Atrst,thereceiverusestheOWARecoveralgorithmtoclassifyreceivedpacketsintodisjointsets.Eachsetconsistsofpacketspi=fmi;igwherewiisnolongerneeded.BecausethepropertiesofOWAcanensurethatauthenticpacketsandforgedpacketsfallintodierentsets,thereceivercanperformtheBatchVerifyalgorithmovereachset.Ifthevericationoveronesetsucceeds,thesetofpacketsisauthentic.Otherwise,thesetofpacketsisforgedandcanbedroppedwithoutfurthervericationoneachpacket.Thetraditionalblock-basedapproachisvulnerabletoDoS.Becausethereisnoltering,eachreceiverhastorecovertherelationshipamongauthenticpacketsmixedwith 180

PAGE 181

MABSarchitectureincludingtheDoScountermeasure. forgedpackets,whichisverytimeandcomputationallyintensive.Intheextremecase,adeadlockcanformatthereceiverwhenthereceivingbuerisexhaustedbyamixingofforgedpacketsandauthenticpacketswithoutblocksignatures.Thoseauthenticpacketsarewaitingforsignatures,butsignaturescannotbereceivedbecausethereceivingbuerisexhaustedbyforgedpackets.Inourdesign,authenticpacketsandforgedpacketsareseparatedintodisjointsets.Thebatchvericationiscarriedoutovereachset.Therefore,eachbatchvericationcanauthenticateasetofpacketsandnomoreisneeded.Thedeadlockexperiencedbytheblock-basedprotocolscanalsobeeliminated.Ifanattackerwantstoinjectsomeforgedpacketsintothebatchconsistingofauthenticpackets,hemustbreaktheone-waypropertyofMerkletree.However,thisattemptfailsbecausegiventherootofaMerkletreeitisinfeasibletondoutapacketfromwhichthereisapathtotherootduetotheone-waypropertyofhashfunctions.Therefore,byusingMerkletree,ourdesigncanecientlydefeatDoSattacks. 181

PAGE 182

Comparisonsbetweentheblock-basedapproachandthebatch-basedapproach. SchemesDoSResilienceComputationalOverheadCommunicationOverhead HashchainsPoorO(1S+nH)O(1S+nH);(>1)(m;n)-CodingPoorO(1S+nH+1C)O(1S+n2 However,theincreasedDoSresiliencecomeswithmoreoverhead,whichisshowninTable 8-6 .Forthecomputationaloverhead,boththeblock-basedprotocolsandourdesignrequireonesignaturevericationoperationonablockorabatchnpackets.Inaddition,theprotocolsusinghashchainsalsorequirenhashes,andtheonesusingcodingrequiresnhashesandonecodingoperation.Ourdesignrequiresnlognhashes,whichismoreexpensivethantheonesusinghashchainsandlessexpensivethantheonesusingcoding.However,theoverallcomputationoverheadofalltheseprotocolsateachreceiverisatthesamelevelsincehashoperationismuchmoreecient(ontheorderofs)thansignatureoperation(ontheorderofms).Forthecommunicationoverheadovernpackets,conventionalprotocolsrequireanoverheadofonesignatureandO(n)hashes,whileourdesignrequiresanoverheadofnsignatureandO(nlogn)hashes.Theincreasedoverheadisatrade-oforincreasedsecurity.However,whenBLSisused[ 111 ],thesignaturelengthis171bits.Amostwell-knownhashalgorithmSHA-1generatesahashvalueof160bits.Therefore,ourprotocolcanalsoachievethesamelevelofcommunicationeciencyasconventionalprotocols. 182

PAGE 183

183

PAGE 184

132 ],whichisthebaseofWiMAX(worldwideinteroperabilityformicrowaveaccess)[ 133 ],isseenasapromisingtechnologyfornextgenerationbroadbandwirelessaccess.ComparedwithIEEE802.11standard[ 134 ],itoperatesatlargerfrequencybandupto66GHZ,coverslongerdistanceupto50km,andsupportsQoSservices.Therefore,802.16becomesanidealchoiceforbroadbandwirelessaccesssystemssuchasWLANs(wirelesslocalareanetworks)orWMANs(wirelessmetropolitanareanetworks).IEEE802.16denestwomodes.InthePMP(point-to-multipoint)mode,SSs(subscriberstations,suchaslaptops)canreachtheBS(basestation)inonehop.Otherwise,SSsshalloperateintheMeshmodesuchthatthoseSSsformamultihopnetwork,whichiscalledmeshnetwork[ 135 ],totheBS.ComparedwiththePMPtopology,themeshtopologyextendsBScoverage,anditsexibilityoninstallationandcongurationmakeitapromisingarchitectureforfutureWLANsandWMANs.InFig. 9-1 ,forexample,multiplelaptopscanformaWLANofameshtopology,multiplewirelessrouterscanformaWMANofameshtopology,andthemeshWMANbridgesthegapbetweenWLANsandtheInternet.Amongallthetopicsinwirelessnetworks,securityisdrawingintenseattentionrecently.WhenIEEE802.11isgettingmoreandmorepopularinthedeploymentofWLANs,manyvulnerabilitieshavebeenfoundintheliterature[ 136 { 140 ].Thisbecomesamajorobstacletomanysecurity-criticalwirelessapplicationssuchasonlineshoppingorsecurecommunications.ThelessonsfromIEEE802.11makepeoplemorecautiousandleadtotheincorporationofsecuritydesignintoIEEE802.16.BasedonDOCSIS(dataovercableserviceinterfacespecications)[ 141 ],whichwasdesignedtosolvethelastmileproblemforcablesystems, 184

PAGE 185

Meshnetworks. IEEE802.16denesaPKM(privacyandkeymanagement)protocol.Itprovidessubscriberswithprivacy,authentication,orcondentialityacrossthexedbroadbandwirelessnetwork.ItdoesthisbyapplyingcryptographictransformstoMPDUscarriedacrossconnectionsbetweenSSandBS.However,IEEE802.16securitystillneedstobeexaminedbeforeitsdeployment.SincemeshnetworksaregainingmoreandmoreinterestsandIEEE802.16isseenasoneofpromisingtechniquestobuildupmeshnetworks,webelievethatitisnecessarytoanalyzethesecurityofIEEE802.16inmeshnetworks.However,thereareonlyafewworkoverviewingthepotentialvulnerabilitiesofIEEE802.16inPMPmode[ 142 { 144 ].Inthischapter,weanalyzethesecurityofIEEE802.16inmeshmode[ 145 ],pointoutseveralpotentialthreatsandproposesomepossiblesolutions.WendoutthatthoughIEEE802.16providessomesecuritymeasuresinconventionalone-hopnetworks,itisveryvulnerabletomaliciousattacksinmultihopenvironments.Wealsoproposesomesecurityimprovements. 185

PAGE 186

186

PAGE 187

46 ].ByclaimingashorterpathtoBS,forexample,amaliciousnodehasmuchmorechancetobecomeaSponsornode.Inthisway,theSponsornodecanlurethenetworkentrytracinthelocalarealikeaSinkhole[ 33 ].ThentheSponsornodecanmonitor,modifyorspooftheauthorizationinformationexchangedbetweennewnodesandBS.AnexampleisillustratedinFig. 9-2 ,wherenodeAcancreateasinkholeandbecomestheSponsorfornodesBandC.Inaddition,falsetopologicalinformationcontainedinMSH-NCFGmessagescancheatthenewSSintoforminganincorrectviewofnetworktopology,whichcanintroduceproblemstoroutingprotocols. 187

PAGE 188

Sinkholeattacks. AttackerscanevenreplayMSH-NCFGmessagesinsteadofmodifyingorspoong.OneexampleistheWormholeattack[ 61 ].AsisillustratedinFig. 9-3 .Attackersestablishasecretchannel,tunnelMSH-NCFGmessagesfromnodesAandBthroughthechannelandreplaythem.Inthisway,nodesAandBbelievetheyareneighborsofeachother.AttackerscanalsorecordMSH-NCFGmessagesatoneplace,moveandreplythematanotherplace.Obviously,thedistortednetworktopologycanbecomeaseriousattacktoroutingprotocols. 9-4 ).TheCandidatenoderstsendsaPKM-REQ:AuthInfomessagetotheAuthorizationcenter.ThemessageonlycarriestheX.509certicateforthemanufactureroftheCandidatenode. 188

PAGE 189

Wormholeattacks. ThentheCandidatesendsaPKM-REQ:AuthRequestmessagetotheAuthorizationcenter.ThemessagecontainstheCandidate'sX.509certicateissuedbyitsmanufacturer,theCandidate'scryptographiccapabilities,theCandidate'sBasicCID.TheAuthorizationcenterveriestheCandidate'sX.509certicatewithitsmanufacturer'spublickeyextractedfromthePKM-REQ:AuthInfomessage.Ifthevericationfails,theAuthorizationcentersimplyrepliestotheCandidateaPKM-RSP:AuthRejectmessagecontaininganerror-codeandadisplay-string.IftheCandidateisauthentic,theAuthorizationcenterrepliesaPKM-RSP:AuthReplymessage.ThismessagecontainsanAK(authorizationkey)encryptedwiththeCandidate'spublickey,theAKlifetime,theAKsequencenumber,SA-descriptors,PKMconguration,anOSS(operatorsharedsecret),theOSSlifetime,theOSSsequencenumber.InthePMPmode,theAKisusedfortheCandidatetoaccessthenetwork.IntheMeshmode,however,theCandidateshallusetheOSStoaccessthenetwork.HeretheOSSissharedbyallthenodesinthemeshnetwork. 189

PAGE 190

Nodeauthorization. BecausetheCandidateusuallycannotcommunicatewiththeAuthorizationcenterdirectlyintheMeshmode,theSponsornodehelptotunnelthePKM-REQmessagesfromtheCandidatetotheAuthorizationcenterthroughUDPprotocolandforwardthePKM-RSPmessagestunneledbackfromtheAuthorizationcentertotheCandidate.TheaboveprocessissupposedtoguaranteetheauthenticityoftheCandidatebeforeitjoinsthenetwork.However,allthemessagesarenotencryptedandauthenticated.ThoughtheAKinPKM-RSP:AuthReplymessagesisencrypted,itisuselessintheMeshmode.Hence,thereareseveralsecurityholesfailingthegoaloftheauthorizationprocess.First,allthemessagescanbeinterceptedandmodiedbyattackersbetweentheCandidateandtheSponsor.ThoughwecanassumetheUDPtunnelcanpreventeavesdroppingandtamperingfromattackersbetweentheSponsorandtheAuthorizationcenterbecauseallthelinksbetweentheSponsorandtheAuthorizationaresecuredbyMAClayerTEKs,wecannotguaranteetheloyaltyoftheSponsor.Therefore,amaliciousSponsorasaninternalattackercanalsointerceptallthemessagesandmodifythem.InthePKM-REQ:AuthRequestmessage,theCandidateincludesitscryptographiccapabilities.TheAuthorizationcenterchoosesfromthemasetofcryptographicalgorithmsthattheCandidatenodeusestocommunicatewiththenetwork.The 190

PAGE 191

140 ].InthePKM-RSP:AuthReplymessage,theinformationofallSAsthattheCandidatecanaccessiscontained.AnauthorizedSSshouldgettheservicestowhichithassubscribed.ButattackerscanmodifytheSAinformationandremoveanySAsothattheSSgetslessorevennoservice,leadingtotheDoS(DenialofService)attack.Inaddition,anOSSisincludedinthePKM-RSP:AuthReply.TheOSSisusedasaglobalkeysharedbyallthenodesinthenetwork.TheCandidateshallusetheOSStoestablishlinkswithneighborsandaccessthenetwork.Unfortunately,theOSScanbeinterceptedbyattackerssuchthattheycanuseittojointhenetwork.AttackerscanevenmodifyitsothatthenewnodegetswrongOSSandthusfailstojointhenetwork.Moreover,attackerscanreducetheOSSlifetimesothattheCandidatehastoupdateitsOSSmorefrequently,leadingtofasterenergyconsumption.BecausethePKM-RSP:AuthRejectmessageisnotauthenticated,attackerscanspoofthemessagesuchthattheCandidatefailsintheauthorizationprocess,leadingtotheDoSattack.Theentireauthorizationprocessiscarriedoutinoneconnection,butthereisnocleardenitionofAuthorizationSAthatisassociatedwiththeconnection[ 142 ].ThereforetheAuthorizationcenterisincapableofdistinguishingtheauthorizationmessagesfromdierentauthorizationprocesses.Allthemessagesinanauthorizationprocesscanbereplayed.InFig. 9-5 ,forexample,anattackercaninterceptaPKM-REQ:AuthRequestmessageandlaterreplayittotheBSB.TheBScannotdistinguishitfromnewPKM-REQ:AuthRequestmessagesandthenreplywithaPKM-RSP:AuthReplymessage. 191

PAGE 192

Replayattacks. Inthisway,theattackercanlearntheOSS.Inanothercase,theattackercanreplaytheinterceptedPKM-REQ:AuthRequesttoanothermeshdomainregisteredatBSA.AswellBSAwillacceptthemessageandreplywithaPKM-RSP:AuthReplymessage,whichdisclosestheOSSusedbyBSA.TheauthorizationprocessisasymmetricinthattheAuthorizationcenterauthenticatestheCandidatebutnotviceversa.ThisrendersattackersanopportunitytoimpersonatetheAuthorizationcenter 9-6 .AnattackercanachievethisgoalbyinterceptingPKM-RSPmessagesfromtheAuthorizationcenterandreplayingthemortotallyforgingthosemessages.TheCandidatenodecannotverifytheauthenticityofthosemessages.Thiswillleavetheentirenetworkunderthecontroloftheattackerandbecomeamajorthreattotheauthorizationprocess.ThisisalsothecaseinthePMPmode[ 142 ]. 9-7 ).Allthemessagesexchangedbetweentwo 192

PAGE 193

Falsebasestation. neighboringnodesareencapsulatedintheMSH-NCFG:NeighborLinkEstablishmentmessages.WhennodeAneedstoestablishalinkwithnodeB,Asendsachallenge,HMACfOSS,framenumber,IDofnodeA,IDofnodeBg,wheretheOSSistheglobalkeyobtainedintheauthorizationprocessandtheframenumberisthelastknownframenumberinwhichnodeBsentanMSH-NCFGmessage.Uponreceivingthechallenge,nodeBcomputesthesamevaluebecauseitknowstheOSSandthefamenumber.Ifthetwovaluesdonotmatch,nodeBreturnsarejection.Ifamatchisachieved,nodeBacceptsthelinkandrepliesachallengeresponsecontainingHMACfOSS,framenumber,IDofnodeB,IDofnodeAg,wheretheframenumberistheoneoftheMSH-NCFGmessagethatnodeAjustsent.NodeBalsorandomlyselectsandincludesanunusedLinkIDindicatingthelinkfromBtoA.Uponreceivingthechallengeresponse,nodeAveriesitlikenodeBdoes.Ifamatchisachieved,nodeArepliesanAccept.ItalsorandomlyselectsandincludesanunusedLinkIDindicatingthelinkfromAtoB.Otherwise,arejectionisreturned.Thesecurityofthe3-wayhandshakedependsonthesecrecyofOSS,whichmakestheauthenticationbetweenneighborstooweak.AsismentionedinSection 9.3.2 ,theOSSis 193

PAGE 194

Linkestablishment. sharedbyallnodesandtherearemanyopportunitiesforattackerstogetit.Forexample,amaliciousnodecandiscloseittoanexternalattacker,ortheattackerdirectlyeavesdropsitwhenanewnodegetsaPKM-RSP:AuthReplymessagefromitsSponsornode.UsingtheOSS,theattackercanjointhenetworkwithoutbeingauthorizedandestablishlinkswithitsneighbor.Thentheattackercangetservicesfromitsneighbors. 9-8 ).AnSScanstarttoupdateitsTEKsbysendingaPKM-REQ:KeyRequestmessagecontainingSS-Certicate,SAID,HMAC-Digest.ItsneighborveriestheSS-Certicate.Ifthevericationsuccesses,theneighborreplieswithaPKM-RSP:KeyReplycontainingSAID,oldTEKparameters,newTEKparameters,HMAC-Digest.Otherwise,theneighborreplieswithaPKM-RSP:KeyReject.ToprotectthecondentialityofTEKs,TheSS'spublickeyextractedfromthePKM-REQ:KeyRequestmessageisusedtoencryptTEKparameters.ToprotecttheintegrityofTEKs,theHMAC-Digestsareattachedtothesemessages.However,thoseHMAC-DigestsarecalculatedwiththeOSS.ThisleadstopossiblemessagetamperingwhentheOSSisdisclosedtoattackers.Insuchacase,attackerscannotndTEKs,buttheycanspoofaPKM-RSP:KeyReplyincludingfalseTEKsencryptedwithSS'spublickeyandauthenticatethemessagewiththeOSS. 194

PAGE 195

TEKupdate. 146 ]andAESinCCMmode[ 147 ].DES-CBCprovidescondentialitybyencryptingtheMACPDUpayloadwithcorrespondingTEKs.AES-CCMprovidescondentialityandauthenticityfortheMACPDUpayload.Particularly,AES-CCMalgorithmappendsan8-bytICV(IntegrityCheckValue)totheendofthepayloadandthenencryptingboththepayloadandtheICV.Therefore,DES-CBCisweakerthanAES-CCMbecausethemessagesencryptedbyDES-CBCcanbetamperedorspoofed.DES-CBCisrequiredbyalltheimplementationsofIEEE802.16devicesbutAES-CCMisoptional.AttackerscanlaunchtheSecurityLevelRollbackattackasismentionedinSection 9.3.2 tocheattheSSandBSintousingDES-CBC,whichcangiveattackersmoreopportunitiestoattackthedatatrac. 132 ]ispassedin2005asIEEE802.16e[ 148 ].Thisamendmentincreasesthesupporttomobiledevicesandthesecurity.TheoriginalPKMprotocolinIEEE802.16becomesthePKMv1protocolinIEEE802.16e,andanew 195

PAGE 196

149 ].TheRSA-basedauthenticationissimilartothatin802.16.Thehandshakeislike:1.RSA-Request(SS!BS):MS Random,MS Certicate,SAID,SigSS.2.RSA-Reply(SSBS):MS Random,BS Random,Encryptedpre-PAK,KeyLifetime,KeySequenceNumber,BS Certicate,SigBS.3.RSA-Acknowledgement(SS!BS):BS Random,AuthResultCode,Error-Code,Display-String,SigSS.Herethedierencesare:randomnumbersareincludedinauthenticationmessagestopreventreplayattacks;theBSincludesitsowncerticateintheauthenticationreplymessagetoproveitsidentity.TheoptionalEAP-basedauthenticationcanbeusedindependentlyorcombinedwiththeRSA-basedone.TherealEAPmethodsarenotspeciedin802.16e.BoththemethodssupportmutualauthenticationbetweenSSandBS,whichisasignicantimprovementto802.16.AmasterAK(AuthorizationKey)isestablishedbetweenSSandBSduringauthentication.ThentheSSusestheAKtonegotiatesecuritycapabilitiesandacquireavailableSAinformation.Threemessagesaredenedforthehandshake:SA-TEK-Challenge,SA-TEK-RequestandSA-TEK-Response.Thesemessagesareauthenticatedwithmessageauthenticationdigests.Thereforeattackerscannotforgethesemessages.InadditiontotheDES-CBCandAES-CCMmethodsin802.16,802.16ealsodenesanAES-CTRmode[ 150 ]andanAES-CBCmode[ 151 ]toprotecttheMACPDUpayload.ThesetwomethodsprovidecondentialitybyencryptingtheMACPDUpayload. 196

PAGE 197

197

PAGE 198

71 72 ].ECCcanachievethesamelevelofsecurityasRSAwithsmallerkeysizes.Ithasbeenshownthat160-bitECCprovidescomparablesecurityto1024-bitRSAand224-bitECCprovidescomparablesecurityto2048-bitRSA[ 73 ].Underthesamesecuritylevel,smallerkeysizesofECCoermeritsoffastercomputational 198

PAGE 199

199

PAGE 200

[1] C.E.Shannon,\Communicationtheoryofsecrecysystems,"BellSystemTechnicalJournal,vol.28,pp.656{715,Oct.1949. [2] W.DieandM.E.Hellman,\Newdirectionsincryptography,"IEEETransactionsonInformationTheory,vol.IT-22,no.6,pp.644{654,Nov.1976. [3] R.L.Rivest,A.Shamir,andL.Adleman,\Amethodforobtainingdigitalsignaturesandpublic-keycryptosystems,"CommunicationsoftheACM,vol.21,no.2,pp120{126,Feb.1978. [4] S.Basagni,K.Herrin,D.Bruschi,andE.Rosti,\Securepebblenets,"Proceedingsofthe2ndACMInternationalSymposiumonMobileAdHocNetworking&Computing(Mobihoc'01),LongBeach,CA,Oct.2001,pp.156{163. [5] A.Menezes,P.vanOorschot,andS.Vanstone,HandbookofAppliedCryptography,CRCPress,ISBN:0-8493-8523-7,Oct.1996. [6] A.Perrig,R.Szewczyk,J.D.Tygar,V.Wen,andD.E.Culler,\SPINS:Securityprotocolsforsensornetworks,"WirelessNetworks,KluwerAcademicPublishers,vol.8,pp.521{534,2002. [7] R.Blom,\Anoptimalclassofsymmetrickeygenerationsystems,"ProceedingsofAdvancesinCryptology:EUROCRYPT'84,Paris,France,Apr.1984,pp.335{338. [8] C.Blundo,A.DeSantis,A.Herzberg,S.Kutten,U.Vaccaro,andM.Yung,\Perfectly-securekeydistributionfordynamicconferences,"Proceedingsofthe12thAnnualInternationalCryptologyConferenceonAdvancesinCryptology(CRYPTO'92),Aug.1992,pp.471{486. [9] Y.ZhouandY.Fang,\Ascalablekeyagreementschemeforlargescalenetworks,"Proceedingsofthe2006IEEEInternationalConferenceonNetworking,SensingandControl(ICNSC'06),Ft.Lauderdale,Florida,Apr.2006,pp.631{636. [10] Y.ZhouandY.Fang,\Scalableanddeterministickeyagreementforlargescalenetworks,"toappearinIEEETransactionsonWirelessCommunications. [11] W.Lou,W.LiuandY.Fang,\SPREAD:Enhancingdatacondentialityinmobileadhocnetworks,"Proceedingsofthe23rdAnnualJointConferenceoftheIEEEComputerandCommunicationsSocieties(INFOCOM'04),HongKong,China,Mar.2004,vol.4,pp.2404{2413. [12] A.Shamir,\Howtoshareasecret,"CommunicationsoftheACM,vol.22,no.11,pp.612{613,Nov.1979. [13] L.EschenauerandV.Gligor,\Akeymanagementschemefordistributedsensornetworks,"Proceedingsofthe9thACMConferenceonComputerandCommunica-tionsSecurity(CCS'02),WashingtonD.C.,Nov.2002,pp.41{47. 200

PAGE 201

J.Spencer,Thestrangelogicofrandomgraphs,AlgorithmsandCombinatorics22,Springer-Verlag2000,ISBN3-540-41654-4. [15] H.Chan,A.PerrigandD.Song,\Randomkeypredistributionschemesforsensornetworks,"Proceedingsofthe2003IEEESymposiumonSecurityandPrivacy(SP'03),Berkeley,CA,May2003,pp.197{213. [16] R.D.Pietro,L.V.ManciniandA.Mei,\Randomkey-assignmentforsecurewirelesssensornetworks,"Proceedingsofthe1stACMWorkshoponSecurityofAdhocandSensorNetworks(SASN'03),Fairfax,VA,2003,pp.62{71. [17] W.Du,J.Deng,Y.S.Han,andP.K.Varshney,\Apairwisekeypre-distributionschemeforwirelesssensornetworks,"Proceedingsofthe10thACMConferenceonComputerandCommunicationsSecurity(CCS'03),Washington,DC,Oct.2003,pp.42{51. [18] D.LiuandP.Ning,\Establishingpairwisekeysindistributiedsensornetworks,"Proceedingsofthe10thACMConferenceonComputerandCommunicationsSecurity(CCS'03),Washington,DC,Oct.2003,pp.52{61. [19] D.Liu,P.Ning,andR.Li,\Establishingpairwisekeysindistributedsensornetworks,"ACMTransactionsonInformationandSystemSecurity,vol.8,no.1,pp.41{77,Feb.2005. [20] J.HwangandY.Kim,\Revisitingrandomkeypre-distibutionschemesforwirelesssensornetworks,"Proceedingsofthe2ndACMWorkshoponSecurityofAdhocandSensorNetworks(SASN'04),Washington,DC,Oct.2004,pp.43{52. [21] J.LeeandD.R.Stinson,\Deterministickeypre-distributionschemesfordistributedsensornetworks,"Proceedingsofthe11thInternationalWorkshoponSelectedAreasinCryptography(SAC'04),Waterloo,Canada,Aug.2004,pp.294{307. [22] J.LeeandD.R.Stinson,\Acombinatorialapproachtokeypre-distributionmechanismsforwirelesssensornetworks,"Proceedingsofthe2005IEEEWirelessCommunicationsandNetworkingConference(WCNC'05),NewOrleans,LA,Mar.2005,pp.1200{1205. [23] S.A.CamtepeandB.Yener,\Combinatorialdesignofkeydistributionmechanismsforwirelesssensornetworks,"IEEE/ACMTransactionsonNetworking,vol.15,no.2,pp.346-358,Apr.2007. [24] D.S.SanchezandH.Baldus,\Adeterministicpairwisekeypre-distributionschemeformobilesensornetworks,"Proceedingsofthe1stIEEE/CreateNetInternationalConferenceonSecurityandPrivacyforEmergingAreasinCommunicationsNetworks(SECURECOMM'05),Athens,Greece,Sep.2005,pp.277{288. [25] H.ChanandA.Perrig,\Pike:peerintermediariesforkeyestablishmentinsensornetworks,"Proceedingsofthe24thAnnualJointConferenceoftheIEEEComputer

PAGE 202

[26] F.DelgoshaandF.Fekri,\Keypre-distributioninwirelesssensornetworksusingmultivariatepolynomials,"Proceedingsofthe2ndAnnualIEEECommunica-tionsSocietyConferenceonSensorandAdHocCommunicationsandNetworks(SECON'05),SantaClara,CA,Sep.2005,pp.118{129. [27] F.DelgoshaandF.Fekri,\Thresholdkey-establishmentindistributedsensornetworksusingamultivariatescheme,"Proceedingsofthe25thIEEEInternationalConferenceonComputerCommunications(INFOCOM'06),Barcelona,Spain,Apr.2006,pp.1{12. [28] I.F.Akyildiz,W.Su,Y.Sankarasubramaniam,andE.Cayirci,\Asurveyonsensornetworks,"IEEECommunicationMagazine,vol.40,no.8,pp.102{114,Aug.2002. [29] J.M.Kahn,R.H.KatzandK.S.J.Pister,\Nextcenturychallenges:MobilenetworkingforSmartDust,"Proceedingsofthe5thAnnualACM/IEEEInterna-tionalConferenceonMobileComputingandNetworking(MOBICOM'99),Seattle,WA,Aug.1999,pp.217{278. [30] G.J.Pottie,W.J.Kaiser,\Wirelessintegratednetworksensors,"CommunicationsoftheACM,vol.43,no.5,pp.51{58,May2000. [31] CrossbowTechnology, [32] AtmelCorporation, [33] C.KarlofandD.Wagner,\Secureroutinginwirelesssensornetworks:attacksandcountermeasures,"Proceedingsofthe1stIEEEInternationalWorkshoponSensorNetworkProtocolsandApplications(SNPA'03),Anchorage,AK,May2003,pp.113{127. [34] R.AndersonandM.Kuhn,\Tamperresistance-acautionarynote,"PProceed-ingsofthe2ndUSENIXWorkshoponElectronicCommerce,Oakland,CA,Nov.1996,pp.1{11. [35] A.WoodandJ.Stankovic,\Denialofserviceinsensornetworks,"IEEEComputerMagzine,vol.35,no.10,pp.54{62,Oct.2002. [36] D.LiuandP.Ning,\Location-basedpairwisekeyestablishmentsforrelativelystaticsensornetworks,"Proceedingsofthe1stACMWorkshoponSecurityofAdhocandSensorNetworks(SASN'03),Fairfax,VA,Oct.2003,pp.72{82. [37] W.Du,J.Deng,Y.S.Han,S.ChenandP.K.Varshney,\Akeymanagementschemeforwirelesssensornetworksusingdeploymentknowledge,"Proceedingsofthe23rdAnnualJointConferenceoftheIEEEComputerandCommunicationsSocieties(INFOCOM'04),HongKong,China,Mar.2004,pp.586{597. 202

PAGE 203

D.Huang,M.Mehta,D.Medhi,andL.Harn,\Location-awarekeymanagementschemeforwirelesssensornetworks,"Proceedingsofthe2ndACMWorkshoponSecurityofAdhocandSensorNetworks(SASN'04),Washington,DC,Oct.2004,pp.29{42. [39] Z.YuandY.Guan,\Arobustgroup-basedkeymanagementschemeforwirelesssensornetworks,"Proceedingsofthe2005IEEEWirelessCommunicationsandNetworkingConference(WCNC'05),NewOrleans,LA,Mar.2005,vol.4,pp.1915{1920. [40] D.Liu,P.NingandW.Du,\Group-basedkeypre-distributioninwirelesssensornetworks,"Proceedingsofthe4thACMWorkshoponWirelessSecurity(WISE'05),Cologne,Germany,Sep.2005,pp.11{20. [41] L.Zhou,J.NiandC.V.Ravishankar,\Ecientkeyestablishmentforgroup-basedwirelesssensordeployments,"Proceedingsofthe4thACMWorkshoponWirelessSecurity(WISE'05),Cologne,Germany,Sep.2005,pp.1{10. [42] L.Zhou,J.NiandC.V.Ravishankar,\Supportingsecurecommunicationanddatacollectioninmobilesensornetworks,"Proceedingsofthe25thIEEEInternationalConferenceonComputerCommunications(INFOCOM'06),Barcelona,Spain,Apr.2006,pp.1{12. [43] F.Anjum,\Locationdependentkeymanagementusingrandomkey-predistributioninsensornetworks,"Proceedingsofthe5thACMWorkshoponWirelessSecurity(WISE'06),LosAngeles,CA,Sep.2006,pp.21{30. [44] T.Ito,H.Ohta,N.Matsuda,andT.Yoneda,\Akeypre-distributionschemeforsecuresensornetworksusingprobabilitydensityfunctionofnodedeployment,"Proceedingsofthe3rdACMWorkshoponSecurityofAdhocandSensorNetworks(SASN'05),Alexandria,VA,Nov.2005,pp.69{75. [45] Y.Zhou,Y.ZhangandY.Fang,\LLK:Alink-layerkeyestablishmentschemeinwirelesssensornetworks,"Proceedingsofthe2005IEEEWirelessCommunicationsandNetworkingConference(WCNC'05),NewOrleans,LA,Mar.2005,vol.4,pp.1921{1926. [46] Y.Zhou,Y.ZhangandY.Fang,\Keyestablishmentinsensornetworksbasedontrianglegriddeploymentmodel,"Proceedingsofthe2005IEEEMilitaryCommunicationsConference(MILCOM'05),AtlanticCity,NJ,Oct.2005,vol.3,pp.1450{1455. [47] R.Merkle,\Securecommunicationoverinsecurechannels,"CommunicationsoftheACM,vol.21,no.4,pp.294{299,Apr.1978. [48] Y.ZhouandY.Fang,\Atwo-layerkeyestablishmentschemeforwirelesssensornetworks,"toappearinIEEETransactionsonMobileComputing. 203

PAGE 204

Y.ZhouandY.Fang,\Scalablelink-layerkeyagreementinsensornetworks,"Proceedingsofthe2006IEEEMilitaryCommunicationsConference(MILCOM'06),Washington,DC,Oct.2006,pp.1{6. [50] W.Du,L.FangandP.Ning,\LAD:localizationanomalydetectionforwirelesssensornetworks,"JournalofParallelandDistributedComputing,AcademicPress,Inc.,vol.66,no.7,pp.874{886,Jul.2006. [51] Y.ZhouandY.Fang,\Defendagainsttopologicalattacksinsensornetworks,"Proceedingsofthe2005IEEEMilitaryCommunicationsConference(Milcom'05),AtlanticCity,NJ,Oct.2005,vol.2,pp.768{773. [52] Y.ZhouandY.Fang,\Alocation-basednamingmechanismforsecuringsensornetworks,"WirelessCommunicationsandMobileComputing,SpecialIssueonWirelessNetworksSecurity,Wiley,vol.6,no.3,pp.347{355,May2006. [53] N.Sastry,U.ShankarandD.Wagner,\Securevericationoflocationclaims,"Proceedingsofthe2003ACMWorkshoponWirelessSecurity(WISE'03),SanDiego,CA,Sep.2003,pp.1{10. [54] P.Corke,R.PetersonandD.Rus,\Networkedrobots:yingrobotnavigationusingasensornet,"Proceedingsofthe11thInternatonalSymposiumofRoboticsResearch(ISRR'03),Siena,Italy,Oct.2003,pp.234{243. [55] C.Savarese,J.RabaeyandJ.Beutel,\Locationingindistributedad-hocwirelesssensornetworks,"Proceedingsofthe26thIEEEInternationalConferenceonAcoustics,Speech,andSignalProcessing(ICASSP'01),SaltLakeCity,UT,May2001,pp.2037{2040. [56] C.Karlof,N.SastryandD.Wagner,\TinySec:Alinklayersecurityarchitectureforwirelesssensornetworks,"Proceedingsofthe2ndACMInternationalConferenceonEmbeddedNetworkedSensorSystems(SENSYS'04),Baltimore,MD,Nov.2004,pp.162{175. [57] H.T.KungandD.Vlah,\Ecientlocationtrackingusingsensornetworks,"Proceedingsofthe2003IEEEWirelessCommunicationsandNetworkingConference(WCNC'03),March,2003,vol.3,pp.1954{1961. [58] R.Brooks,P.RamanathanandA.Sayeed,\Distributedtargetclassicationandtrackinginsensornetworks,"ProceedingsoftheIEEE,vol.91,no.8,pp.1163{1171,2003. [59] M.Bellare,R.CanettiandH.Krawczyk,\Keyinghashfunctionsformessageauthentication,"Proceedingsofthe16thAnnualInternationalCryptologyConferenceonAdvancesinCryptology(CRYPTO'96),SantaBarbara,CA,Aug.1996,pp.1{15. [60] J.Newsome,E.Shi,D.Song,andA.Perrig,\Thesybilattackinsensornetworks:analysis&defenses,"Proceedingsofthe3rdIEEEInternationalSymposiumon

PAGE 205

[61] Y.Hu,A.PerrigandD.B.Johnson,\Packetleashes:adefenseagainstwormholeattacksinwirelessnetworks,"Proceedingsofthe22ndAnnualJointConferenceoftheIEEEComputerandCommunicationsSocieties(INFOCOM'03),SanFrancisco,CA,Mar.2003,vol.3,pp.1976{1986. [62] L.HuandD.Evans,\Usingdirectionalantennastopreventwormholeattacks,"Proceedingsofthe11thAnnualNetworkandDistributedSystemSecuritySymposium(NDSS'04),SanDiego,CA,Feb.2004. [63] W.WangandB.Bhargava,\Visualizationofwormholesinsensornetworks,"Pro-ceedingsofthe2004ACMWorkshoponWirelessSecurity(WISE'04),Philadelphia,PA,Oct.2004,pp.51{60. [64] S.Zhu,S.SetiaandS.Jajodia,\LEAP:ecientsecuritymechanismforlarge-scaledistributedsensornetworks,"Proceedingsofthe10thACMConferenceonComputerandCommunicationsSecurity(CCS'03),Washington,DC,Oct.2003,pp.62{72. [65] Y.Zhang,W.Liu,W.Lou,andY.Fang,\Securingsensornetworkswithlocation-basedkeys,"Proceedingsofthe2005IEEEWirelessCommunicationsandNetworkingConference(WCNC'05),NewOrleans,LA,Mar.2005,vol.4,pp.1909{1914. [66] B.Parno,A.PerrigandV.Gligor,\Distributeddetectionofnodereplicationattacksinsensornetworks,"Proceedingsofthe2005IEEESymposiumonSecurityandPrivacy(SP'05),Berkeley/Oakland,CA,May2005,pp.49{63. [67] Y.Zhou,Y.ZhangandY.Fang,\Accesscontrolinwirelesssensornetworks,"toappearinElsevierAdHocNetworks,SpecialIssueonSecurityinAdHocandSensorNetworks. [68] R.Watro,D.Kong,S.Cuti,C.Gardiner,C.Lynn,andP.Kruus,\TinyPK:securingsensornetworkswithpublickeytechnology,"Proceedingsofthe2ndACMWorkshoponSecurityofAdhocandSensorNetworks(SASN'04),Washington,DC,Oct.2004,pp.59{64. [69] J.R.Douceur,\TheSybilattack,"Proceedingsofthe1stInternationalWorkshoponPeer-to-PeerSystems(IPTPS'02),Cambridge,MA,Mar.2002,pp.251{260. [70] D.J.Malan,M.WelshandM.D.Smith,\Apublic-keyinfrastructureforkeydistributioninTinyOSbasedonellipticcurvecryptography,"Proceedingsofthe1stIEEEInternationalConferenceonSensorandAdHocCommunicationsandNetworks(SECON'04),SantaClara,CA,Oct.2004,pp.71{80. [71] N.Koblitz,\EllipticCurveCryptosystems,"MathematicsofComputation,vol.48,pp.203{209,1987. 205

PAGE 206

V.Miller,\UsesofEllipticCurvesinCryptography,"AdvancesinCryptology-CRYPTO'85,SantaBarbara,CA,1985,pp.417{426. [73] S.Vanstone,\ResponsestoNIST'sproposal,"CommunicationsoftheACM,vol.35,pp.50{52,Jul.1992. [74] O.Goldreich,S.GoldwasserandS.Micali,\Howtoconstructrandomfunctions,"JournaloftheACMvol.33,no.4,pp.792{807,1986. [75] N.Gura,A.Patel,A.Wander,H.Eberle,andS.C.Shantz,\ComparingellipticcurvecryptographyandRSAon8-bitCPUs,"Proceedingsofthe6thInterna-tionalWorkshoponCryptographicHardwareandEmbeddedSystems(CHES'04),Cambridge,MA,Aug.2004,pp.119{132. [76] D.W.Carman,P.S.KruusandB.J.Matt,\Constraintsandapproachesfordistributedsensornetworksecurity,"NAILabsTechnicalReport#00-010,Sep.2000. [77] A.Perrig,J.StankovicandD.Wagner,\Securityinwirelesssensornetworks,"CommunicationsoftheACM,vol.47,no.6,pp.53{57,Jun.2004. [78] M.Manzo,T.RoostaandS.Sastry,\Timesynchronizationattacksinsensornetworks,"Proceedingsofthe3rdACMWorkshoponSecurityofAdhocandSensorNetworks(SASN'05),Alexandria,VA,Nov.2005,pp.107{116. [79] Y.ZhouandY.Fang,\BABRA:batch-basedbroadcastauthenticationinwirelesssensornetworks,"Proceedingsofthe49thAnnualIEEEGlobalTelecommunicationsConference(GLOBECOM'06),SanFrancisco,CA,Nov.2006,pp.1{5. [80] A.Perrig,R.Canetti,B.Brisco,D.Song,andD.Tygar,\TESLA:multicastsourceauthenticationtransformintroduction,"IETFworkingdraft,draft-ietf-msec-tesla-intro-01.txt. [81] D.LiuandP.Ning,\Ecientdistributionofkeychaincommitmentsforbroadcastauthenticationindistributedsensornetworks,"Proceedingsofthe10thAnnualNetworkandDistributedSystemSecuritySymposium(NDSS'03),SanDiego,CA,Feb.2003. [82] S.RafaeliandD.Hutchison,\Asurveyofkeymanagementforsecuregroupcommunication,"ACMComputingSurveys,vol.35,no.3,pp.309{329,Sep.2003. [83] A.Perrig,R.Canetti,D.Song,andJ.D.Tygar,\Ecientandsecuresourceauthenticationformulticast,"Proceedingsofthe8thAnnualNetworkandDistributedSystemSecuritySymposium(NDSS'01),SanDiego,CA,Feb.2001. [84] I.Khalil,S.BagchiandC.Nita-Rotaru,\DICAS:detection,diagnosisandisolationofcontrolattacksinsensornetworks,"Proceedingsofthe1stIEEE/CreateNetInter-nationalConferenceonSecurityandPrivacyforEmergingAreasinCommunicationsNetworks(SECURECOMM'05),Athens,Greece,Sep.2005,pp.89{100. 206

PAGE 207

C.Kaufman,R.PerlmanandM.Speciner.NetworkSecurity:privatecommunicationinapublicworld,2ndEdition,Prentice-Hall,2002. [86] S.E.Deering,\MulticastroutingininternetworksandextendedLANs,"Proceed-ingsofthe1988ACMSymposiumonCommunicationsArchitecturesandProtocols(SIGCOMM'88),Stanford,CA,Aug.1988,pp.55{64. [87] T.BallardieandJ.Crowcroft,\Multicast-specicsecuritythreatsandcounter-measures,"Proceedingsofthe2thAnnualNetworkandDistributedSys-temSecuritySymposium(NDSS1995),SanDiego,CA,Feb.1995,pp.2{16. [88] P.JudgeandM.Ammar,\Securityissuesandsolutionsinmulicastcontentdistribution:asurvey,"IEEENetworkMagzine,vol.17,no.1,pp.30{36,Jan./Feb.2003. [89] Y.Challal,H.BettaharandA.Bouabdallah,\Ataxonomyofmulticastdataoriginauthentication:issuesandsolutions,"IEEECommunicationSurveys&Tutorials,vo.6,no.3,pp.34{57,2004. [90] R.GennaroandP.Rohatgi,\Howtosigndigitalstreams,"InformationandComputation,AcademicPress,vol.165,no.1,pp.100{116,Feb.2001. [91] R.GennaroandP.Rohatgi,\Howtosigndigitalstreams,"Proceedingsofthe17thAnnualCryptologyConferenceonAdvancesinCryptology(CRYPTO'97),SantaBarbara,CA,Aug.1997. [92] A.Perrig,R.Canetti,J.D.Tygar,andD.Song,\Ecientauthenticationandsigningofmulticaststreamsoverlossychannels,"Proceedingsofthe2000IEEESymposiumonSecurityandPrivacy(SP'00),Berkeley,CA,May2000,pp.56{75. [93] Y.Challal,H.BettaharandA.Bouabdallah,\A2Cast:anadaptivesourceauthenticationprotocolformulticaststreams,"Proceedingsofthe9thInterna-tionalSymposiumonComputersandCommunications(ISCC'04),Alexandria,Egypt,Jun.2004,vol.1,pp.363{368. [94] S.MinerandJ.Staddon,\Graph-basedauthenticationofdigitalstreams,"Proceed-ingsofthe2001IEEESymposiumonSecurityandPrivacy(SP'01),Oakland,CA,May2001,pp.232{246. [95] Z.Zhang,Q.Sun,W-CWong,J.ApostolopoulosandS.Wee,\Acontent-awarestreamauthenticationschemeoptimizedfordistortionandoverhead,"Proceedingsofthe2006IEEEInternationalConferenceonMultimediaandExpo(ICME'06),Toronto,Canada,Jul.2006,pp.541{544. [96] P.GolleandN.Modadugu,\Authenticatingstreameddatainthepresenceofrandompacketloss,"Proceedingsofthe8thAnnualNetworkandDistributedSystemSecuritySymposium(NDSS'01),SanDiego,CA,Feb.2001. 207

PAGE 208

Z.Zhang,Q.SunandW-CWong,\Aproposalofbuttery-graphybasedstreamauthenticationoverlossynetworks,"Proceedingsofthe2005IEEEInternationalConferenceonMultimediaandExpo(ICME'05),Amsterdam,Netherlands,Jul.2005. [98] S.Ueda,N.Kawaguchi,H.ShigenoandK.Okada,\StreamauthenticationschemefortheuseovertheIPtelephony,"Proceedingsofthe18thInternationalConferenceonAdvancedInformationNetworkingandApplication(AINA'04),Fukuoka,Japan,Mar.2004,vol.2,pp.164{169. [99] A.ChanandE.RogersSr.,\Agraph-theoreticalanalysisofmulticastauthentication,"Proceedingsofthe23rdInternationalConferenceonDistributedComputingSystems(ICDCS'03),Providence,RI,May2003,pp.155{162. [100] C.K.WongandS.S.Lam,\Digitalsignaturesforowsandmulticasts,"Proceed-ingsofthe6thInternationalConferenceonNetworkProtocols(ICNP'98),Austin,TX,Oct.1998,pp.198{209. [101] C.K.WongandS.S.Lam,\Digitalsignaturesforowsandmulticasts,"IEEE/ACMTransactionsonNetworking,vol.7,no.4,pp.502{513,Aug.1999. [102] J.M.Park,E.K.P.Chong,andH.J.Siegel,\Ecientmulticastpacketauthenticationusingsignatureamortization,"Proceedingsofthe2002IEEESymposiumonSecurityandPrivacy(SP'02),Berkeley,CA,May2002,pp.227{240. [103] J.M.Park,E.K.P.Chong,andH.J.Siegel,\Ecientmulticaststreamauthenticationusingerasurecodes,"ACMTransactionsonInformationandSystemSecurity,vol.6,no.2,pp.258{285,May2003. [104] A.PannetratandR.Molva,\Authenticatingrealtimepacketstreamsandmulticasts,"Proceedingsofthe7thIEEEInternationalSymposiumonComput-ersandCommunications(ISCC'02),Taormina/GiardiniNaxos,Italy,Jul.2002,pp.490{495. [105] A.PannetratandR.Molva,\Ecientmulticastpacketauthentication,"Pro-ceedingsofthe10thAnnualNetworkandDistributedSystemSecuritySymposium(NDSS'03),SanDiego,CA,Feb.2003. [106] Y.WuandT.Li,\Videostreamauthenticationinlossynetworks,"Proceedingsofthe2006IEEEWirelessCommunicationsandNetworkingConference(WCNC'06),LasVegas,NV,Apr.2006,vol.4,pp.2150{2155. [107] C.Karlof,N.Sastry,Y.Li,A.Perrig,andJ.D.Tygar,\DistillationcodesandapplicationstoDoSresistantmulticastauthentication,"Proceedingsofthe11thAnnualNetworkandDistributedSystemSecuritySymposium(NDSS'04),SanDiego,CA,Feb.2004. 208

PAGE 209

C.A.Gunter,S.Khanna,K.Tan,andS.Venkatesh,\DoSprotectionforreliablyauthenticatedbroadcast,"Proceedingsofthe11thAnnualNetworkandDistributedSystemSecuritySymposium(NDSS'04),SanDiego,CA,Feb.2004. [109] L.Harn,\BatchverifyingmultipleRSAdigitalsignatures,"IEEElectronicLetters,vol.34,no.12,pp.1219{1220,Jun.1998. [110] M.Bellare,J.A.GarayandT.Rabin,\Fastbatchvericationformodularexponentiationanddigitalsignatures,"ProceedingsofAdvancesinCryptology:EUROCRYPT'98,Espoo,Finland,May1998,pp.236{250. [111] D.Boneh,B.LynnandH.Shacham,\Shortsignaturesfromtheweilpairing,"Proceedingsofthe7thInternationalConferenceontheTheoryandApplicationofCryptologyandInformationSecurityAdvancesinCryptology:ASIACRYPT'01,GoldCoast,Australia,Dec.2001,pp.514{532. [112] FIPSPUB186,Digitalsignaturestandard(DSS),May1994. [113] T.ElGamal,\Apublickeycryptosystemandasignatureschemebasedondiscretelogarithms,"IEEETransactionsonInformationTheory,vol.IT-31,no.4,pp.469{472,Jul.1985. [114] D.Naccache,D.M'Raihi,S.Vaudenay,andD.Raphaeli,\CanD.S.A.beimproved?complexitytrade-oswiththedigitalsignaturestandard,"ProceedingsofWorkshopontheTheoryandApplicationofCryptographicTechniquesAdvancesinCryptology:EUROCRYPT'94,Perugia,Italy,May1995,pp.77{85. [115] C.H.LimandP.J.Lee,\SecurityofinteractiveDSAbatchverication,"IEEElectronicLetters,vol.30,no.19,pp.1592{1593,Sep.1994. [116] L.Harn,\DSA-typesecureinteractivebatchvericationprotocols,"IEEElectronicLetters,vol.31,no.4,pp.257{258,Feb.1995. [117] L.Harn,\BatchverifyingmultipleDSA-typedigitalsignatures,"IEEElectronicLetters,vol.34,no.9,pp.870{871,Apr.1998. [118] C.BoydandC.Pavlovski,\Attackingandrepairingbatchvericationschemes,"Proceedingsofthe6thInternationalConferenceontheTheoryandApplicationofCryptologyandInformationSecurityAdvancesinCryptology:ASIANCRYPT'00,Kyoto,Japan,Dec.2000,pp.58{71. [119] Y.Desmedt,Y.Frankel,andM.Yung,\Multi-receiver/multi-sendernetworksecurity:ecientauthenticatedmulticast/feedback,"Proceedingsofthe11thAnnualJointConferenceoftheIEEEComputerandCommunicationsSocieties(INFOCOM'92),Florence,Italy,May1992,vol.3,pp.2045{2054. [120] R.Canetti,J.Garay,G.Itkis,D.Micciancio,M.Naor,andB.Pinkas,\Multicastsecurity:ataxonomyandsomeecientconstructions,"Proceedingsofthe18th

PAGE 210

[121] F.Bergadano,D.CavagninoandB.Crispo,\Individualsingle-sourceauthenticationonthembone,"Proceedingsofthe2000IEEEInternationalConferenceonMultime-diaandExpo(ICME'00),NewYork,NY,Jul.2000,vol.1,pp.541{544. [122] A.Perrig,\TheBiBaone-timesignatureandbroadcastauthenticationprotocol,"Proceedingsofthe8thACMConferenceonComputerandCommunicationsSecurity(CCS'01),Philadelphia,PA,Nov.2001,pp.28{37. [123] P.Barreto,H.Kim,B.Lynn,andM.Scott,\Ecientalgorithmsforpairing-basedcryptosystems",Proceedingsofthe22ndAnnualInternationalCryptologyConferenceonAdvancesinCryptology:CRYPTO'02,SantaBarbara,CA,Aug.2002,pp.354{368. [124] R.Rivest,\TheMD5message-digestalgorithm,"RFC1319,April1992. [125] D.EastlakeandP.Jones,USsecurehashalgorithm1(SHA1),RFC3174,Sep.2001. [126] N.BaricandB.Ptzmann,\Collision-freeaccumulatorsandfail-stopsignatureschemeswithouttrees,"ProceedingsofInternationalConferenceontheTheoryandApplicationofCryptographicTechniquesAdvancesinCryptology:EUROCRYPT'97,Konstanz,Germany,May1997,pp.480{494. [127] J.BenalohandM.deMare,\Onewayaccumulators:adecentralizedalternativetodigitalsignatures,"ProceedingsofInternationalConferenceontheTheoryandApplicationofCryptographicTechniquesAdvancesinCryptology:EUROCRYPT'93,Lofthus,Norway,May1993,pp.274{285. [128] J.CamenischandA.Lysyanskaya,\Dynamicaccumulatorsandapplicationtoecientrevocationofanonymouscredentials,"Proceedingsofthe22ndAnnualInternationalCryptologyConferenceonAdvancesinCryptology:CRYPTO'02,SantaBarbara,CA,Aug.2002,pp.61{76. [129] M.Goodrich,R.TamassiaandJ.Hasic,\Anecientdynamicanddistributedcryptographicaccumulator,"Proceedingsofthe5thInternationalConferenceonInformationSecurity(ICIS'02),2002,pp.372{388. [130] K.Nyberg,\Fastaccumulatedhashing,"Proceedingsofthe3rdInternationalWorkshoponFastSoftwareEncryption(FSE'96),Cambridge,UK,Feb.1996,pp.83{87. [131] T.Sander,\Ecientaccumulatorswithouttrapdoorextendedabstracts,"Pro-ceedingsofthe2ndInternationalConferenceonInformationandCommunicationSecurity(ICICS'99),Sydney,Australia,Nov.1999,pp.252{262. 210

PAGE 211

IEEEStd802.16-2004,IEEEstandardforlocalandmetropolitanareanetworks,part16:airinterfaceforxedbroadbandwirelessaccesssystems,June2004. [133] WiMAXForum,http://www.wimaxforum.org/home/,May2006. [134] IEEEStd802.11-1999,Informationtechnology-telecommunicationsandinfor-mationexchangebetweensystems-localandmetropolitanareanetworks-specicrequirements-part11:wirelesslanmediumaccesscontrol(MAC)andphysicallayer(PHY)specications,1999. [135] I.F.Akyildiz,X.WangandW.Wang,\Wirelessmeshnetworks:asurvey,"ComputerNetworks,Elsevier,vol.47,pp.445{487,Mar.2005. [136] N.Borisov,I.GoldbergandD.Wagner,\Interceptingmobilecommunications:theinsecurityof802.11,"Proceedingsofthe7thAnnualInternationalConferenceonMobileComputingandNetworking(Mobicom'01),Rome,Italy,Jul.2001,pp.180{189. [137] W.A.Arbaugh,N.Shankar,Y.C.Wan,andK.Zhang,\Your802.11wirelessnetworkhasnoclothes,"IEEEWirelessCommunicationsMagizine,vol.9,no.6,pp.44{51,Dec.2002. [138] J.BellardoandS.Savage,"802.11denial-of-serviceattacks:realvulnerabilitiesandpracticalsolutions,"Proceedingsofthe12thUSENIXSecuritySymposium(SEC'03),Washington,DC,Aug.2003,pp.15{28. [139] A.Mishra,N.L.Petroni,W.A.Arbaugh,andT.Fraser,\SecurityissuesinIEEE802.11wirelesslocalareanetworks:asurvey,"WirelessCommunicationsandMobileComputing,Wiley,vol.4,no.8,pp.821{833,Dec.2004. [140] C.He,J.C.Mitchell,\SecurityanalysisandimprovementsforIEEE802.11i,"Proceedingsofthe12thAnnualNetworkandDistributedSystemSecuritySymposium(NDSS'05),SanDiego,CA,Feb.2005,pp90{110. [141] DOCSISHome,http://www.cablemodem.com/,May2006. [142] D.JohnstonandJ.Walker,\OverviewofIEEE802.16security,"IEEESecurity&PrivacyMagzine,vol.2,no.3,pp.40{48,May/Jun.2004. [143] M.Barbeau,"Wimax/802.16threatanalysis,"Proceedingsofthe1stACMInternationalWorkshoponQualityofService&SecurityinWirelessandMobileNetworks(Q2SWINET'05),Montreal,Canada,Oct.2005,pp.8{15. [144] F.Yang,H.Zhou,L,Zhang,andJ.Feng,"AnimprovedsecurityschemeinWMANbasedonIEEEstandard802.16,"Proceedingsofthe2005InternationalConferenceonWirelessCommunications,NetworkingandMobileComputing(WCNMC'05),Wuhan,China,Sep.2005,vol.2,pp.1191{1194. 211

PAGE 212

Y.ZhouandY.Fang,\Securityofieee802.16inmeshmode,"Proceedingsofthe2006IEEEMilitaryCommunicationsConference(Milcom2006),Washington,DC,Oct.2006,pp.1{6. [146] IETFRFC2405,TheESPDES-CBCCipherAlgorithmWithExplicitIV,November1998. [147] IETFRFC3610,CounterwithCBC-MAC(CCM),September2003. [148] IEEEStd802.16e-2005,IEEEstandardforlocalandmetropolitanareanetworks,part16:airinterfaceforxedandmobilebroadbandwirelessaccesssystems,amendment2:physicalandmediumaccesscontrollayersforcombinedxedandmobileoperationinlicensedbandsandcorrigendum1,December2005. [149] IETFRFC3748,ExtensibleAuthenticationProtocol(EAP),June2004. [150] IETFRFC3686,UsingAdvancedEncryptionStandard(AES)CounterModeWithIPsecEncapsulatingSecurityPayload(ESP),January2004. [151] IETFRFC3602,TheAES-CBCCipherAlgorithmandItsUsewithIPsec,September2003. 212

PAGE 213

YunZhoureceivedaB.E.degreeinelectronicinformationengineering(2000)andanM.E.degreeincommunicationandinformationsystem(2003)fromtheDepartmentofElectronicEngineeringandInformationScienceattheUniversityofScienceandTechnologyofChina,Hefei,China.HeiscurrentlypursuingthePh.D.degreeintheDepartmentofElectricalandComputerEngineeringattheUniversityofFlorida,Gainesville,USA.Hisresearchinterestsareintheareasofsecurity,cryptography,wirelesscommunicationsandnetworking,signalprocessing,andoperatingsystems.HeisastudentmemberoftheIEEE. 213