WO2009071891A1 - Method and apparatus for operating secure sensor networks - Google Patents

Method and apparatus for operating secure sensor networks

Info

Publication number
WO2009071891A1
Authority
WO
WIPO (PCT)
Prior art keywords
nodes
sensor
keys
key
node
Application number
PCT/GB2008/004003
Other languages
French (fr)
Inventor
Chunming Rong
Dingyi Pei
Junwu Dong
Original Assignee
Prekubator As
Butler, Michael, John
Application filed by Prekubator As, Butler, Michael, John
Priority to GB1011156A (patent GB2467890A)
Publication of WO2009071891A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/083 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/062 Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/80 Wireless
    • H04L2209/805 Lightweight hardware, e.g. radio-frequency identification [RFID] or sensor
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks

Definitions

  • Figure 1 shows a sensor node 2 having a sensor 4 for measuring ambient temperature, pressure, noise, atmospheric pollution, or the like. It also has an antenna 6 and a communications module 8 for two-way wireless communication with neighbouring nodes.
  • a battery 10 provides power to the node; however, other power sources such as an external power connection, a solar cell, or energy harvesting from ambient vibrations are all also possible.
  • the key store 12 is an area of memory able to hold one or more cryptographic keys. These keys are used by the cryptography engine 14 to encrypt outgoing messages and to decrypt incoming messages.
  • the engine 14 is also able to perform key exchange protocols, message hashing, message authentication, random number generation, and other cryptographic operations. It is further able to negotiate which key to use from the key store 12 when initiating secure communication with a neighbouring sensor node.
  • Figure 2 shows four sensor nodes 2a, 2b, 2c, 2d substantially as described above in proximity to one another.
  • the dashed circles 16a, 16b, 16c, 16d indicate their respective effective wireless ranges.
  • the bold lines indicate the possible direct wireless communication pathways between pairs of nodes. While one sensor node 2c is able to communicate directly with any of the other nodes 2a, 2b, 2c, these three other nodes are not all in direct range of each other. In particular, one node 2d has in its range 16d only one other node 2c. If this node 2d is to communicate with either of the two nodes 2a, 2b not in its range 16d, it must relay the messages through the intermediary node 2c.
  • the nodes are arranged to implement a key predistribution scheme consisting of three phases: key predistribution, shared key discovery, and path-key establishment.
  • a sensor node is initially loaded with a fixed number of keys. Each key is assigned a unique identifier.
  • the shared-key discovery phase takes place, where any two nodes in wireless communication range exchange their list of key identifiers with each other, and look for their common keys. If they share one or more common keys, they can pick one of them as their secret key for cryptographic communication.
  • the path-key establishment phase takes place if there is no common key between a pair of nodes. A sequence of nodes is called a path.
  • To establish a secure path with node j, a node i needs to find a path between itself and the node j such that any two adjacent nodes (in the radio coverage range) in the path have a common key. Thus messages from the node i can reach the node j securely.
  • a "combinatorial design" is a pair of sets $(M, E)$, where $M$ is a finite set of points and $E$ is a finite set of subsets of $M$, called blocks.
  • Any combinatorial design can be used to establish a key pre-distribution scheme for a distributed sensor network. Assume the sensor network has $b$ sensor nodes $N_1, \ldots, N_b$. In such a scheme, the points of $M$ are mapped to a set of $v$ keys, where each key $K_i$, for $1 \le i \le v$, is chosen randomly from some particular key-space. Each $E_j$ is assigned to a sensor node $N_j$ and is used to specify which keys are given to the node; i.e. the sensor node $N_j$ receives the set of $k$ keys $\{K_i$
  • the key predistribution phase of the present embodiment uses combinatorial designs based on the rational normal curves (RNCs) in the projective space $PG(n, F_q)$, where $n$ denotes the dimension of the space and $F_q$ denotes the finite field with $q$ elements.
  • $F_q$ be the finite field with $q$ elements and $n > 2$ be a positive integer.
  • $PG(n, F_q)$ be the projective space of dimension $n$ over $F_q$.
  • a point of $PG(n, F_q)$ is denoted by $(x_0, x_1, \ldots, x_n)$ where $x_i \in F_q$, for $0 \le i \le n$, are not all zero. If $\lambda$ is a nonzero element of $F_q$, then $(\lambda x_0, \lambda x_1, \ldots, \lambda x_n)$ and $(x_0, x_1, \ldots, x_n)$ denote the same point of $PG(n, F_q)$.
  • $T$ is a non-singular matrix over $F_q$ of order $n+1$, then $T$ generates a one-to-one transformation of points in $PG(n, F_q)$ defined by $PG(n, F_q) \to PG(n, F_q)$
  • a curve $C$ in $PG(n, F_q)$ to be the image of the map $PG(1, F_q) \to PG(n, F_q)$, $(x_0, x_1) \mapsto (x_0^n, x_0^{n-1} x_1, \ldots, x_1^n)$.
  • the projective line $PG(1, F_q)$ consists of the following $q + 1$ points: $\{(1, \alpha) : \alpha \in F_q\} \cup \{(0, 1)\}$.
  • the curve $C$ consists of the following $q + 1$ points:
  • It is easy to see that the $q + 1$ points in Equation (2) are all the solutions of the following system of homogeneous equations:
  • RNC: rational normal curve
  • $m$ points $p_i = (x_{i0}, x_{i1}, \ldots, x_{in}) \in PG(n, F_q)$ $(1 \le i \le m)$ are called "linearly independent" if the rank of the matrix $(x_{ij})_{1 \le i \le m,\ 0 \le j \le n}$ is $m$.
  • RNCs are well known to those skilled in the art:
  • $n > 2$ be an integer and $q > n + 2$ be a prime power. Then the total number of RNCs in $PG(n, F_q)$ is
  • $N$ denote all the sets of points in $PG(n, F_q)$ such that each set consists of at most $n + 3$ points in which any $1 \le m \le n + 1$ points are linearly independent.
  • P GJV with ⁇ P ⁇ r there exist ⁇ r rational normal curves passing through all the points of P, where
  • the number ⁇ 'c(r) ($1 \le r \le n + 1$) can be calculated in the order ⁇ 'dn+2), ⁇ 'dn+1), ..., ⁇ 'dl) successively.
  • ⁇ d r for $1 \le r \le n + 2$, to be the number of RNCs that intersect with $C$ at $r$ points, and the number ⁇ c to be the number of RNCs (excluding $C$) that have a nonempty intersection with $C$.
  • Mc(r) ( q + %c(r) , (5) and
  • $M$ be the set of all points in the projective space $PG(n, F_q)$ with dimension $n$ over the finite field $F_q$
  • $E$ be the set of all RNCs in $PG(n, F_q)$. Then the pair of sets $(M, E)$ is a combinatorial design.
  • the key pre-distribution scheme for wireless sensor networks is designed using RNCs.
  • the points in M are identified with a set of v keys, where
  • each key $K_i$ is randomly chosen from some specified key-space.
  • the sensor nodes are denoted $N_1, N_2, \ldots, N_b$, where $b$ is the number of RNCs as given in equation (3).
  • $E_1, E_2, \ldots, E_b$ denote all the RNCs.
  • each node $N_j$ receives the set of keys corresponding to the points in $E_j$.
  • each sensor node 2 receives $q + 1$ keys, by the first property of RNCs given above.
  • the value of n in the key predistribution scheme is set equal to 2.
  • it may not be possible to select parameter $q$ to give a number $b$ of RNCs in $PG(1, F_q)$ precisely equalling the desired number of sensor nodes 2 in the distributed network.
  • q is likely to be constrained by the memory capacity of the key store 12 in the sensor nodes 2 (each node receives q +1 keys) and the required cryptographic strength of the system (insofar as this determines the bit-length of the keys).
  • a randomly-selected subset of all the RNCs in $PG(2, F_q)$ is chosen to be used in the scheme, of size equal to the number of sensor nodes.
  • the number of keys in common between any two sensor nodes 2 equals the number of points in common between their corresponding two RNCs, which, in the present embodiment, may range between 0 and 4. If two nodes 2a, 2b share one or more keys in common, one of these keys can be used as the secret key in encrypted direct communication between the nodes.
  • Each sensor node 2a, 2b, 2c, 2d can communicate with nodes only within its wireless range 16a, 16b, 16c, 16d or "neighbourhood".
  • two nodes $N_i$ and $N_j$ (2a, 2b) are in each other's neighbourhoods 16a, 16b.
  • the probability that $N_i$ and $N_j$ share at least one key is
  • fail( ⁇ ) denote the probability that an arbitrary link is affected by the compromise of a random node. For any integer n > 2,
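The three phases described above (key predistribution on rational normal curves with n = 2, shared-key discovery, path-key establishment) as an added example; this is not code from the patent. It assumes a prime field size q = 7, 128-bit random keys and an index-based radio topology constructed for the demonstration; all function names are hypothetical, and `exposed_link_fraction` is a simplified resilience measure, not the patent's fail formula.

```python
import itertools
import random
import secrets
from collections import deque

Q = 7  # assumed field size: a prime (plain mod arithmetic) with q > n + 2 for n = 2

def normalize(p, q=Q):
    """Canonical form of a projective point: scale so the first nonzero coordinate is 1."""
    inv = pow(next(c for c in p if c), -1, q)
    return tuple(c * inv % q for c in p)

def standard_conic(q=Q):
    """Image of (x0, x1) -> (x0^2, x0*x1, x1^2) on PG(1, F_q): q + 1 points."""
    return [(1, a, a * a % q) for a in range(q)] + [(0, 0, 1)]

def det3(t, q=Q):
    (a, b, c), (d, e, f), (g, h, i) = t
    return (a * (e * i - f * h) - b * (d * i - f * g) + c * (d * h - e * g)) % q

def random_rnc(rng, q=Q):
    """A rational normal curve: the standard conic moved by a random non-singular matrix T."""
    while True:
        t = [[rng.randrange(q) for _ in range(3)] for _ in range(3)]
        if det3(t, q):
            break
    image = (tuple(sum(row[c] * p[c] for c in range(3)) % q for row in t)
             for p in standard_conic(q))
    return frozenset(normalize(p, q) for p in image)

def predistribute(num_nodes, seed=2009, q=Q):
    """Key predistribution: one key per point, one curve per node, node holds the keys on its curve."""
    rng = random.Random(seed)  # seeded only to make the curve selection reproducible
    points = sorted({normalize(p, q) for p in itertools.product(range(q), repeat=3) if any(p)})
    key_pool = {key_id: secrets.token_bytes(16) for key_id in range(len(points))}
    key_id_of = {pt: i for i, pt in enumerate(points)}
    curves = []
    while len(curves) < num_nodes:  # random subset of distinct RNCs, one per node
        curve = random_rnc(rng, q)
        if curve not in curves:
            curves.append(curve)
    nodes = [{key_id_of[pt]: key_pool[key_id_of[pt]] for pt in curve}
             for curve in curves]
    return nodes, key_pool

def shared_key_ids(node_a, node_b):
    """Shared-key discovery: only key identifiers are compared, never key material."""
    return sorted(node_a.keys() & node_b.keys())

def share_statistics(nodes):
    """(fraction of node pairs with a common key, largest number of common keys seen)."""
    sizes = [len(shared_key_ids(a, b)) for a, b in itertools.combinations(nodes, 2)]
    return sum(1 for s in sizes if s) / len(sizes), max(sizes)

def secure_path(nodes, in_range, src, dst):
    """Path-key establishment: breadth-first search over hops that are in range and share a key."""
    prev, queue = {src: None}, deque([src])
    while queue:
        u = queue.popleft()
        if u == dst:
            path = []
            while u is not None:
                path.append(u)
                u = prev[u]
            return path[::-1]
        for v in range(len(nodes)):
            if v not in prev and in_range(u, v) and shared_key_ids(nodes[u], nodes[v]):
                prev[v] = u
                queue.append(v)
    return None

def exposed_link_fraction(nodes, captured):
    """Of the key-sharing pairs not involving `captured`, the fraction whose common keys it all holds."""
    leaked = set(nodes[captured])
    rest = [n for i, n in enumerate(nodes) if i != captured]
    links = [set(shared_key_ids(a, b)) for a, b in itertools.combinations(rest, 2)]
    links = [s for s in links if s]
    return sum(1 for s in links if s <= leaked) / len(links)

def near(u, v):
    """Constructed radio topology: node u hears node v only if their indices differ by at most 6."""
    return abs(u - v) <= 6

if __name__ == "__main__":
    nodes, _ = predistribute(40)
    p, most = share_statistics(nodes)
    print(f"keys per node: {len(nodes[0])}, P(share) ~ {p:.3f}, max common keys: {most}")
    print("secure path 0 -> 39:", secure_path(nodes, near, 0, 39))
    print(f"links exposed if node 0 is captured: {exposed_link_fraction(nodes, 0):.3f}")
```

The share fraction is an estimate over a random sample of 40 curves, so it fluctuates around the limiting behaviour the text describes rather than reproducing an exact bound.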

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Selective Calling Equipment (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

A method of deploying a distributed sensor network which comprises a plurality of sensor nodes (2a, 2b, 2c, 2d) each communicating wirelessly with nodes (2a, 2b, 2c, 2d) which are within wireless range, using key-based encryption with each node being assigned a predetermined number of keys from a set of cryptographic keys, such that a given node may only exchange information directly with another node if the two have a key in common, wherein the keys have been distributed among the nodes by (i) associating each key in the set of keys with a respective key point in a projective space over a finite field; (ii) associating each sensor with a respective rational normal curve in the same projective space; and (iii) for a given sensor, assigning to that sensor the predetermined number of keys, being those keys that are associated with the key points that lie on the rational normal curve associated with that given sensor.

Description

Method and Apparatus for Operating Secure Sensor Networks
This invention relates to methods and apparatus for deploying and operating secure distributed sensor networks.
Sensor networks typically comprise several low-cost, autonomous, battery-operated nodes, each of which can communicate wirelessly with other nodes within its immediate neighbourhood. They can be used to monitor physical conditions such as temperature, pollution or noise over an extensive area. In a distributed sensor network, the nodes are distributed in a random fashion, meaning that the network topology is unknown before deployment. Each node is usually very limited in memory capacity and processing capabilities.
In many applications, the information transmitted by nodes in a sensor network is confidential or is required to be protected from malicious interference. It is therefore desirable in such circumstances to encrypt the wireless communications.
Due to the limited processing capabilities and memory capacity of each node, use of a symmetric encryption algorithm is desirable as it will typically have shorter keys and less computationally intensive operations than a public-key algorithm of comparable security. The simplest implementation would be for all the nodes in a given network to share one symmetric key; however, this leaves the system vulnerable if the one key is discovered by an attacker.
It is known to improve the security of such systems by using sensors each of which knows several keys, but with any two sensors not necessarily having identical sets of keys, the keys being distributed in such a way that the compromise of some of the keys does not compromise the entire system. If two sensors wish to communicate but do not share a key in common, they may nonetheless be able to do so by relaying messages via one or more additional sensors with which one or both of them does share a key. A disadvantage of employing a plurality of keys is that, for nodes having storage capacity for only a limited number of keys, the probability of any two nodes sharing a key in common, and therefore being able to communicate directly, may no longer be 1 and will typically reduce as the number of keys increases.
In particular, in known systems, the probability that two arbitrary nodes share a key in common typically tends to zero as the number of nodes in the system increases; i.e. the ability of nodes to communicate reliably and efficiently worsens as the number of nodes increases.
It is therefore an object of the present invention to improve on known systems for deploying and operating secure distributed sensor networks.
Viewed from a first aspect, the present invention provides a method of deploying a distributed sensor network which comprises a plurality of sensor nodes each communicating wirelessly with nodes which are within wireless range, using key-based encryption with each node being assigned a predetermined number of cryptographic keys from a predetermined set of cryptographic keys, such that a given node may only exchange information directly with another node if the two nodes have a cryptographic key in common, wherein the cryptographic keys have been distributed among the nodes of the sensor network by (i) associating each key in the set of cryptographic keys with a respective key point in a projective space over a finite field; (ii) associating each sensor with a respective rational normal curve in the same projective space; and (iii) for a given sensor, assigning to that sensor the predetermined number of keys, being those keys that are associated with the key points that lie on the rational normal curve associated with that given sensor.
An advantage of this system is that, as the number of nodes increases, there remains a relatively high probability of any two nodes which are within wireless range of each other having at least one key in common so that they can communicate directly; for example a probability of at least 0.5. In the preferred implementation of the system, regardless of the number of nodes, the probability of any two nodes which are within wireless range of each other having at least one key in common does not drop below 5/8; i.e. 0.625.
The prior art teaches systems in which the probability is sometimes less than 5/8; in particular, in some prior art arrangements, the probability of any two nodes having at least one key in common tends to zero as the number of nodes increases.
In some prior art arrangements, for $k$ keys per node with $k > 1$ and $b$ nodes with $b > ((8k/5) - 1)^2$, the probability of any two nodes having at least one key in common is always less than 0.625. By contrast, in preferred embodiments of the present invention, the probability of any two nodes in wireless range of each other having at least one key in common is always greater than 0.625. Therefore, it is greater than 0.625 in the particular case when $k > 1$ and $b > ((8k/5) - 1)^2$.
In preferred embodiments, the keys are assigned deterministically; for example, by using a combinatorial design to assign keys to each node. This contrasts to a probabilistic approach, in which the keys for each node are picked randomly from a pool of keys.
In some prior art arrangements (e.g. so-called Blom-based predistribution schemes), keys are not assigned directly to nodes, but instead nodes are assigned secrets which may subsequently be used by a pair of nodes to establish a pair-wise secret key. This need for an additional key-establishment step is disadvantageous as it places an additional computational burden on the nodes, which typically have limited processing power and constrained battery life. No such subsequent key-establishment step is required in the present invention, since keys are assigned to nodes directly.
Thus viewed from another aspect, there is provided a distributed sensor network which comprises a number ($b$) of sensor nodes each communicating wirelessly with nodes which are within wireless range, using key-based encryption with each node being assigned a predetermined number ($k$) of cryptographic keys from a predetermined set of cryptographic keys, such that a given node may only exchange information directly with another node if the two nodes have a cryptographic key in common, wherein $k > 1$, $b > ((8k/5) - 1)^2$ and the probability of any two nodes which are within wireless range of each other having at least one key in common is greater than 0.625.
It is desirable that no single cryptographic key is assigned to all the sensor nodes. Due perhaps to storage constraints in each node, however, the number of keys able to be stored in each node is typically constrained and is typically significantly smaller than the total number of nodes in the network. In preferred implementations of the invention, the system affords resiliency against attack such that, if all the keys of an arbitrary node are considered "compromised" (i.e. known to an attacker), the probability that an arbitrary pair of remaining nodes cannot communicate directly as they do not share a non-compromised key in common is relatively low. Preferably in implementations with more than 8 keys per node, this probability does not rise above 0.1, regardless of the number of nodes in the system. In preferred implementations, the probability tends to 0 as the number of nodes in the system increases.
Viewed from another aspect, there is provided a method for determining the respective cryptographic keys to be assigned to a plurality of sensor nodes of a distributed sensor network, the network comprising a plurality of sensor nodes each communicating wirelessly with nodes which are within wireless range, using key-based encryption with each node being assigned a predetermined number of cryptographic keys from a predetermined set of cryptographic keys, such that a given node may only exchange information directly with another node if the two nodes have a cryptographic key in common, wherein the cryptographic keys to be assigned to respective nodes are determined by (i) associating each key in the set of cryptographic keys with a respective key point in a projective space over a finite field; (ii) associating each sensor with a respective rational normal curve in the same projective space; and (iii) for a given sensor, determining the predetermined number of keys that are to be assigned to that sensor, being those keys that are associated with the key points that lie on the rational normal curve associated with that given sensor.
The probability of any two nodes having at least one key in common preferably decreases monotonically for increasing numbers of nodes in the sensor network.
Viewed from a further aspect, the invention provides a method of adding a new sensor to an existing distributed sensor network having a plurality of sensor nodes each being assigned a predetermined number of cryptographic keys from a set of available keys, there being a predetermined association between the keys and points in a projective space over a finite field; the method comprising the steps of: selecting a rational normal curve in said projective space to be associated with the new sensor; loading the new sensor with the predetermined number of keys, each key being respectively associated with a point lying on said rational normal curve in accordance with the predetermined association; and adding the new sensor to the sensor network.
Viewed from a further aspect, there is provided a method for determining the cryptographic keys to be assigned to a new sensor to be added to an existing distributed sensor network having a plurality of sensor nodes each being assigned a predetermined number of cryptographic keys from a set of available keys, there being a predetermined association between the keys and points in a projective space over a finite field; the method comprising the steps of: selecting a rational normal curve in said projective space to be associated with the new sensor; and determining the predetermined number of keys that are to be assigned to that sensor, being those keys that are associated with key points that lie on the rational normal curve associated with the new sensor.
Preferably, the selected rational normal curve for the new sensor is not already associated with a sensor of said sensor network.
Viewed from a still further aspect, the invention provides a method of distributing cryptographic keys among a plurality of sensor nodes, wherein each node receives a predetermined, constant plurality of keys and wherein the probability of an arbitrary pair of nodes having at least one key in common tends to a non-zero limit as the number of nodes increases.
In general, in the implementation of aspects of the invention, communication between two nodes of a distributed sensor network comprises the steps of: encrypting data on a first node using a cryptographic key selected from a first set of cryptographic keys stored on the first node; communicating the encrypted data to a second node; and decrypting the data on the second node using the same cryptographic key selected from a second set of cryptographic keys stored on the second node.
In some implementations, communications between nodes may be classified as confidential or non-confidential and the communication of non-confidential data may be permitted without encryption; in such cases the restriction, according to aspects of the invention, that nodes may only communicate if they share a key in common is to be understood to apply only when confidential data is to be communicated.
In general in a distributed sensor network in accordance with aspects of the invention, preferably there is no one key that is assigned to all of the nodes; and more preferably there is no one key that is assigned to a substantial proportion of the nodes.
Certain preferred embodiments of the invention will now be described, by way of example only, with reference to the accompanying drawings, in which:
Figure 1 is a schematic view of a sensor node suitable for use with the method of the invention;
Figure 2 is a diagram of a distributed sensor network in accordance with the method of the invention; and
Figure 3 is a table showing some typical parameters for different sensor networks.
Figure 1 shows a sensor node 2 having a sensor 4 for measuring ambient temperature, pressure, noise, atmospheric pollution, or the like. It also has an antenna 6 and a communications module 8 for two-way wireless communication with neighbouring nodes. A battery 10 provides power to the node; however, other power sources such as an external power connection, a solar cell, or energy harvesting from ambient vibrations are all also possible.
The key store 12 is an area of memory able to hold one or more cryptographic keys. These keys are used by the cryptography engine 14 to encrypt outgoing messages and to decrypt incoming messages. The engine 14 is also able to perform key exchange protocols, message hashing, message authentication, random number generation, and other cryptographic operations. It is further able to negotiate which key to use from the key store 12 when initiating secure communication with a neighbouring sensor node.
Figure 2 shows four sensor nodes 2a, 2b, 2c, 2d substantially as described above in proximity to one another. The dashed circles 16a, 16b, 16c, 16d indicate their respective effective wireless ranges. The bold lines indicate the possible direct wireless communication pathways between pairs of nodes. While one sensor node 2c is able to communicate directly with any of the other nodes 2a, 2b, 2d, these three other nodes are not all in direct range of each other. In particular, one node 2d has in its range 16d only one other node 2c. If this node 2d is to communicate with either of the two nodes 2a, 2b not in its range 16d, it must relay the messages through the intermediary node 2c.
The nodes are arranged to implement a key predistribution scheme consisting of three phases: key predistribution, shared key discovery, and path-key establishment. A sensor node is initially loaded with a fixed number of keys. Each key is assigned a unique identifier. After the deployment of a distributed sensor network, the shared-key discovery phase takes place, where any two nodes in wireless communication range exchange their list of key identifiers with each other, and look for their common keys. If they share one or more common keys, they can pick one of them as their secret key for cryptographic communication. The path-key establishment phase takes place if there is no common key between a pair of nodes. A sequence of nodes is called a path. To establish a secure path with node j, a node i needs to find a path between itself and the node j such that any two adjacent nodes (in the radio coverage range) in the path have a common key. Thus messages from the node i can reach the node j securely.
A "combinatorial design" is a pair of sets $(M, E)$, where $M$ is a finite set of points and $E$ is a finite set of subsets of $M$, called blocks. Let $M = \{x_i \mid 1 \le i \le v\}$ and $E = \{E_j \mid 1 \le j \le b\}$, where: each block $E_j$ has $k$ points of $M$; each point of $M$ appears in $k$ blocks; and any pair of points from $M$ appears in exactly one block of $E$.
Any combinatorial design $(M, E)$ can be used to establish a key pre-distribution scheme for a distributed sensor network. Assume the sensor network has $b$ sensor nodes $N_1, \dots, N_b$. In such a scheme, the points of $M$ are mapped to a set of $v$ keys, where each key $K_i$, for $1 \le i \le v$, is chosen randomly from some particular key-space. Each $E_j$ is assigned to a sensor node $N_j$ and is used to specify which keys are given to the node; i.e. the sensor node $N_j$ receives the set of $k$ keys $\{K_i \mid x_i \in E_j\}$.
The key predistribution phase of the present embodiment uses combinatorial designs based on the rational normal curves (RNCs) in the projective space $PG(n, F_q)$, where $n$ denotes the dimension of the space and $F_q$ denotes the finite field with $q$ elements. The sensor nodes may share multiple keys. Let $p$ denote the probability that a pair of nodes shares at least one key. It can be shown that, for $n = 2$,
$$\lim_{b \to \infty} p = \frac{5}{8},$$
where $b$ is the number of sensor nodes. This result shows that the scheme provides a highly-secure connection between sensor nodes even for large numbers of nodes.
Let $F_q$ be the finite field with $q$ elements and $n \ge 2$ be a positive integer. Let $PG(n, F_q)$ be the projective space of dimension $n$ over $F_q$. A point of $PG(n, F_q)$ is denoted by $(x_0, x_1, \dots, x_n)$ where $x_i \in F_q$, for $0 \le i \le n$, are not all zero. If $\lambda$ is a nonzero element of $F_q$, then $(\lambda x_0, \lambda x_1, \dots, \lambda x_n)$ and $(x_0, x_1, \dots, x_n)$ denote the same point of $PG(n, F_q)$. Suppose that $T$ is a non-singular matrix over $F_q$ of order $n+1$, then $T$ generates a one-to-one transformation of points in $PG(n, F_q)$ defined by
$$PG(n, F_q) \to PG(n, F_q), \qquad (x_0, x_1, \dots, x_n) \mapsto (x_0, x_1, \dots, x_n)\,T.$$
It is called a projective transformation of $PG(n, F_q)$. The group of all projective transformations of $PG(n, F_q)$ is denoted by $PGL_{n+1}(F_q)$. It is simply the factor group of the linear group $GL_{n+1}(F_q)$ of order $n+1$ over its subgroup $\{\lambda I_{n+1} \mid \lambda \ne 0\}$ where $I_{n+1}$ is the identity matrix.
We define a curve $C$ in $PG(n, F_q)$ to be the image of the map
$$PG(1, F_q) \to PG(n, F_q), \qquad (x_0, x_1) \mapsto (x_0^n, x_0^{n-1}x_1, \dots, x_1^n). \qquad (1)$$
The projective line $PG(1, F_q)$ consists of the following $q+1$ points:
$$\{(1, \alpha) : \alpha \in F_q\} \cup \{(0, 1)\}.$$
Therefore, the curve $C$ consists of the following $q+1$ points:
$$\{(1, a, a^2, \dots, a^n) : a \in F_q\} \cup \{(0, 0, 0, \dots, 0, 1)\}. \qquad (2)$$
It is easy to see that the $q+1$ points in Equation (2) are all the solutions of the following system of homogeneous equations:
$$X_i^2 - X_{i-1}X_{i+1} = 0, \qquad 1 \le i \le n-1.$$
The image of the curve $C$ under any projective transformation is called a "Rational Normal Curve" (RNC). The $m$ points $p_i = (x_{i0}, x_{i1}, \dots, x_{in}) \in PG(n, F_q)$ ($1 \le i \le m$) are called "linearly independent" if the rank of the matrix $(x_{ij})_{1 \le i \le m,\ 0 \le j \le n}$ is $m$.
The following properties of RNCs are well known to those skilled in the art:
- There are $q+1$ points on each RNC in $PG(n, F_q)$. For $n < q$, any $n+1$ points on an RNC are linearly independent.
- Suppose that $q > n + 2$. For any $n+3$ points in $PG(n, F_q)$, among which any $n+1$ points are linearly independent, there exists a unique RNC passing through these $n+3$ points.
- Let $n \ge 2$ be an integer and $q > n + 2$ be a prime power. Then the total number of RNCs in $PG(n, F_q)$ is
$$q^{\frac{(n+2)(n-1)}{2}} \prod_{i=3}^{n+1} (q^i - 1). \qquad (3)$$
For instance, there are 13795185600 RNCs when q = 7 and n = 3.
Let $N$ denote all the sets of points in $PG(n, F_q)$ such that each set consists of at most $n+3$ points in which any $1 \le m \le n+1$ points are linearly independent. For any set $P \in N$ with $|P| = r$ there exist $\lambda_r$ rational normal curves passing through all the points of $P$, where
Figure imgf000011_0001
$$\lambda_r = q^{\frac{(n+r)(n-r+1)}{2}} (q-1)^{r-2} \prod_{i=1}^{n-r+1} (q^i - 1) \prod_{i=1}^{r-2} (q - i), \qquad \text{for } 2 \le r \le n,$$
Figure imgf000011_0002
Consider now the intersection of any two RNCs. Let $C$ be a fixed RNC and let $P$ be a set of points where $P \subset C$ and $|P| = r$. Define $\mu'_C(P) = \#\{C' : C' \cap C = P,\ C' \text{ is an RNC}\}$. This is the number of RNCs that intersect with $C$ precisely at the set of points $P$. Any set $P \in N$ with $|P| = r \le n+2$ can be mapped onto the set $\{p_1, p_2, \dots, p_r\}$, where
$p_1 = (1, 0, 0, \dots, 0, 0)$,
$p_2 = (0, 1, 0, \dots, 0, 0)$,
$p_{n+1} = (0, 0, 0, \dots, 0, 1)$,
$p_{n+2} = (1, 1, 1, \dots, 1, 1)$.
Hence, the number $\mu'_C(P)$ does not depend on the particular curve $C$ and the particular set $P$; rather, it depends only on the number $r = |P|$. Henceforth it will be denoted by $\mu'_C(r)$ instead of $\mu'_C(P)$.
By the recursion formula
Figure imgf000012_0001
the number $\mu'_C(r)$ ($1 \le r \le n+1$) can be calculated in the order $\mu'_C(n+2), \mu'_C(n+1), \dots, \mu'_C(1)$ successively. The term of the sum in the right-hand side of (4) denotes the number of RNCs whose intersections with $C$ contain but are not equal to $P$. It is zero when $r = n+2$.
Define $\mu_C(r)$, for $1 \le r \le n+2$, to be the number of RNCs that intersect with $C$ at $r$ points, and the number $\mu_C$ to be the number of RNCs (excluding $C$) that have a nonempty intersection with $C$. Then
$$\mu_C(r) = \binom{q+1}{r} \mu'_C(r), \qquad (5)$$
and
Figure imgf000012_0002
Let $C_1$, $C_2$ be any two RNCs. Define the number $\mu(P)$ to be the number of pairs $(C_1, C_2)$ having $C_1 \cap C_2 = P$, the number $\mu(r)$ to be the number of pairs $(C_1, C_2)$ having $|C_1 \cap C_2| = r$, and the number $\mu$ to be the number of pairs $(C_1, C_2)$ having $C_1 \cap C_2 \ne \emptyset$. Then
Figure imgf000013_0001
and
Figure imgf000013_0002
where $b$ is the total number of RNCs in $PG(n, F_q)$ given in equation (3).
Let $M$ be the set of all points in the projective space $PG(n, F_q)$ with dimension $n$ over the finite field $F_q$, and $E$ be the set of all RNCs in $PG(n, F_q)$. Then the pair of sets $(M, E)$ is a combinatorial design.
The key pre-distribution scheme for wireless sensor networks is designed using RNCs. The points in M are identified with a set of v keys, where
$$v = \frac{q^{n+1} - 1}{q - 1}.$$
For $1 \le i \le v$, each key $K_i$ is randomly chosen from some specified key-space. The sensor nodes are denoted $N_1, N_2, \dots, N_b$, where $b$ is the number of RNCs as given in equation (3). Let $E_1, E_2, \dots, E_b$ denote all the RNCs. For $1 \le j \le b$, each node $N_j$ receives the set of keys corresponding to the points in $E_j$. Thus each sensor node 2 receives $q+1$ keys, by the first property of RNCs given above.
In the present embodiment, the value of n in the key predistribution scheme is set equal to 2.
It may not be possible to select parameter $q$ to give a number $b$ of RNCs in $PG(2, F_q)$ precisely equalling the desired number of sensor nodes 2 in the distributed network. In particular, $q$ is likely to be constrained by the memory capacity of the key store 12 in the sensor nodes 2 (each node receives $q+1$ keys) and the required cryptographic strength of the system (insofar as this determines the bit-length of the keys). In such cases, a randomly-selected subset of all the RNCs in $PG(2, F_q)$ is chosen to be used in the scheme, of size equal to the number of sensor nodes.
The number of keys in common between any two sensor nodes 2 equals the number of points in common between their corresponding two RNCs, which, in the present embodiment, may range between 0 and 4. If two nodes 2a, 2b share one or more keys in common, one of these keys can be used as the secret key in encrypted direct communication between the nodes.
Each sensor node 2a, 2b, 2c, 2d can communicate with nodes only within its wireless range 16a, 16b, 16c, 16d or "neighbourhood". Suppose that two nodes $N_i$ and $N_j$ (2a, 2b) are in each other's neighbourhoods 16a, 16b. The probability that $N_i$ and $N_j$ share at least one key is
$$p = \frac{\mu_C}{b - 1},$$
where the parameter $\mu_C$ is the number of nodes that share some keys with the given node $C$, as defined in equation (6).
For $n = 2$, it can be shown that
$$\lim_{b \to \infty} p = \frac{5}{8}. \qquad (10)$$
Furthermore, it can be shown that $p$ decreases monotonically to 5/8 in the case that $n = 2$ and $q > 3$.
If two nodes 2a, 2b within the same neighbourhood 16a, 16b do not share any key in common and need to communicate securely, they need to establish a path-key. For any two non-intersecting RNCs $C_1$ and $C_2$ there are $\lambda_2$ RNCs passing through any two points $p_1$ and $p_2$ of $C_1$ and $C_2$ respectively. There are therefore at least $\lambda_2$ RNCs intersecting both $C_1$ and $C_2$. From this it follows that, if all the nodes are within the same neighbourhood as each other, there will always be a "two-hop" path between any two nodes 2a, 2b of the distributed network; i.e. a path that uses a third node 2c as an intermediary in order to establish a session path-key between the two nodes 2a, 2b which they can then use to communicate directly with each other.
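The predistribution, shared-key discovery and two-hop steps described above can be checked by brute force for n = 2 on a small field. This is an added example, not code from the patent: it assumes a prime q = 5 so that field arithmetic is plain modular arithmetic, enumerates every RNC as the orbit of C under a generating set of GL_3(F_q), and all function names are illustrative.

```python
import random
import secrets
from collections import Counter
from itertools import product

Q = 5  # assumption: small prime q, so field arithmetic is plain mod-q; n = 2 as in the embodiment

def normalize(pt, q=Q):
    """One representative per projective point: first nonzero coordinate scaled to 1."""
    inv = pow(next(c for c in pt if c), -1, q)
    return tuple(c * inv % q for c in pt)

def all_points(q=Q):
    """The q^2 + q + 1 points of PG(2, F_q); a point's index serves as its key identifier."""
    return sorted({normalize(p, q) for p in product(range(q), repeat=3) if any(p)})

def base_curve(q=Q):
    """The curve C of equation (2): (1, a, a^2) for a in F_q, plus (0, 0, 1)."""
    return frozenset([(1, a, a * a % q) for a in range(q)] + [(0, 0, 1)])

def transform(curve, T, q=Q):
    """Image of a point set under the projective transformation x -> xT."""
    return frozenset(
        normalize(tuple(sum(p[i] * T[i][j] for i in range(3)) % q for j in range(3)), q)
        for p in curve)

def generators(q=Q):
    """I + E_ij (i != j) and diag(d, 1, 1): together they generate GL_3(F_q) for prime q."""
    gens = []
    for i, j in product(range(3), repeat=2):
        if i != j:
            g = [[int(r == c) for c in range(3)] for r in range(3)]
            g[i][j] = 1
            gens.append(g)
    for d in range(2, q):
        gens.append([[d, 0, 0], [0, 1, 0], [0, 0, 1]])
    return gens

def all_rncs(q=Q):
    """Every RNC, found as the orbit of C under projective transformations."""
    seen, frontier, gens = {base_curve(q)}, [base_curve(q)], generators(q)
    while frontier:
        images = {transform(c, g, q) for c in frontier for g in gens} - seen
        seen |= images
        frontier = list(images)
    return seen

def intersection_histogram(q=Q):
    """How many other RNCs meet C in exactly r points (r = 0..4 when n = 2)."""
    c = base_curve(q)
    return Counter(len(c & other) for other in all_rncs(q) if other != c)

def share_probability(q=Q):
    """p = mu_C / (b - 1): chance that two nodes hold at least one common key."""
    hist = intersection_histogram(q)
    return sum(n for r, n in hist.items() if r > 0) / sum(hist.values())

def deploy(num_nodes, q=Q, seed=1):
    """Key predistribution for a random subset of RNCs, one curve per node."""
    ident = {pt: i for i, pt in enumerate(all_points(q))}
    pool = {i: secrets.token_bytes(16) for i in ident.values()}  # key K_i per point
    curves = random.Random(seed).sample(sorted(all_rncs(q), key=sorted), num_nodes)
    return [{ident[pt]: pool[ident[pt]] for pt in curve} for curve in curves]

def shared_key_ids(ring_a, ring_b):
    """Shared-key discovery: only identifiers are exchanged, then intersected."""
    return sorted(ring_a.keys() & ring_b.keys())

def two_hop(i, j, rings):
    """Path-key establishment: an intermediary sharing a key with both nodes, or None."""
    for h, ring in enumerate(rings):
        if h not in (i, j) and shared_key_ids(rings[i], ring) and shared_key_ids(ring, rings[j]):
            return h
    return None

if __name__ == "__main__":
    print("RNCs:", len(all_rncs()), "formula (3) gives", Q**2 * (Q**3 - 1))
    print("curves meeting C in r points:", sorted(intersection_histogram().items()))
    print("p =", round(share_probability(), 4))
    rings = deploy(40)
    no_key = [(i, j) for i in range(40) for j in range(i + 1, 40)
              if not shared_key_ids(rings[i], rings[j])]
    print("pairs without a common key:", len(no_key), "lacking a two-hop path:",
          sum(two_hop(i, j, rings) is None for i, j in no_key))
```

For q = 5 the enumeration yields 3100 curves, matching equation (3), and p = 2379/3099, about 0.768, which is above the 5/8 limit.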
Relaxing the condition that all nodes are within range of each other, secure communication between two nodes $N_i$ and $N_j$ (2a, 2d) lying outside each other's neighbourhoods 16a, 16d requires an intermediary node $N_h$ (2c) to relay messages between them. If they share a key in common, secure communication is possible, irrespective of what keys the intermediary node $N_h$ (2c) holds. However, if the two nodes $N_i$ and $N_j$ (2a, 2d) have no key in common, secure communication is still possible provided that there is an intermediary node $N_h$ (2c) located in the intersection of the neighbourhoods of $N_i$ and $N_j$ that shares at least one key with $N_i$ (2a) and at least one key with $N_j$ (2d).
Suppose that there are $\eta$ nodes located in the intersection of neighbourhoods 16a, 16d of $N_i$ and $N_j$. The probability $p'$ that $N_i$ and $N_j$ do not share any key but that there exists a node $N_h$ in the intersection of their neighbourhoods such that $N_h$ does share keys with both $N_i$ and $N_j$ has an estimated upper bound:
Figure imgf000015_0001
If a sensor node $N_h$ is detected as having had its cryptographic keys compromised by an attacker, then all of its $q+1$ keys should no longer be used by any sensor node in the network. If all the common keys of nodes $N_i$ and $N_j$ are contained in $N_h$, then $N_i$ and $N_j$ can no longer directly communicate securely, adversely affecting the connectivity of the network.
Let fail(1) denote the probability that an arbitrary link is affected by the compromise of a random node. For any integer $n \ge 2$,
Figure imgf000016_0001
In general, the compromise of $s$ random nodes will affect a given link with probability roughly equal to
$$\mathrm{fail}(s) = 1 - (1 - \mathrm{fail}(1))^s.$$
Figure 3 shows some typical values of fail(1) in the case where $n = 2$, for various numbers of keys per node. It is apparent from the table that, when the number of keys per node ($q + 1$) is greater or equal to 8, the value of fail(1) is less than 0.1. It is therefore trivially the case that, for these examples, the value of fail(1) is also less than 0.1 when there are strictly greater than 8 keys per node. Furthermore it can be seen that the value of fail(1) diminishes as the number of nodes ($b$) increases.

Claims

1. A method of deploying a distributed sensor network which comprises a plurality of sensor nodes each communicating wirelessly with nodes which are within wireless range, using key-based encryption with each node being assigned a predetermined number of cryptographic keys from a predetermined set of cryptographic keys, such that a given node may only exchange information directly with another node if the two nodes have a cryptographic key in common, wherein the cryptographic keys have been distributed among the nodes of the sensor network by (i) associating each key in the set of cryptographic keys with a respective key point in a projective space over a finite field; (ii) associating each sensor with a respective rational normal curve in the same projective space; and (iii) for a given sensor, assigning to that sensor the predetermined number of keys, being those keys that are associated with the key points that lie on the rational normal curve associated with that given sensor.
2. A method as claimed in claim 1, wherein the probability of any two nodes which are within wireless range of each other having at least one key in common so that they can communicate directly is at least 0.5.
3. A method as claimed in claim 2, wherein the probability of any two nodes which are within wireless range of each other having at least one key in common so that they can communicate directly is at least 0.625.
4. A method as claimed in claim 3, wherein the arrangement is such that if there are k keys per node, with $k > 1$ and b nodes with $b > ((8k/5) - 1)^2$, the probability of any two nodes which are within wireless range of each other having at least one key in common is at least 0.625.
5. A method as claimed in any preceding claim, wherein the number of keys per node is greater than 8, and the probability that, if all of the keys of a particular node are compromised, any two remaining nodes cannot communicate directly, as they do not share a non-compromised key, is no greater than 0.1.
6. A method for determining the respective cryptographic keys to be assigned to a plurality of sensor nodes of a distributed sensor network, the network comprising a plurality of sensor nodes each communicating wirelessly with nodes which are within wireless range, using key-based encryption with each node being assigned a predetermined number of cryptographic keys from a predetermined set of cryptographic keys, such that a given node may only exchange information directly with another node if the two nodes have a cryptographic key in common, wherein the cryptographic keys to be assigned to respective nodes are determined by (i) associating each key in the set of cryptographic keys with a respective key point in a projective space over a finite field; (ii) associating each sensor with a respective rational normal curve in the same projective space; and (iii) for a given sensor, determining the predetermined number of keys that are to be assigned to that sensor, being those keys that are associated with the key points that lie on the rational normal curve associated with that given sensor.
7. A method of adding a new sensor to an existing distributed sensor network having a plurality of sensor nodes each being assigned a predetermined number of cryptographic keys from a set of available keys, there being a predetermined association between the keys and points in a projective space over a finite field; the method comprising the steps of: selecting a rational normal curve in said projective space to be associated with the new sensor; loading the new sensor with the predetermined number of keys, each key being respectively associated with a point lying on said rational normal curve in accordance with the predetermined association; and adding the new sensor to the sensor network.
8. A method for determining the cryptographic keys to be assigned to a new sensor to be added to an existing distributed sensor network having a plurality of sensor nodes each being assigned a predetermined number of cryptographic keys from a set of available keys, there being a predetermined association between the keys and points in a projective space over a finite field; the method comprising the steps of: selecting a rational normal curve in said projective space to be associated with the new sensor; and determining the predetermined number of keys that are to be assigned to that sensor, being those keys that are associated with key points that lie on the rational normal curve associated with the new sensor.
9. A method as claimed in claim 8, wherein the selected rational normal curve for the new sensor is not already associated with a sensor of said sensor network.
10. A distributed sensor network which comprises a number (b) of sensor nodes each communicating wirelessly with nodes which are within wireless range, using key-based encryption with each node being assigned a predetermined number (k) of cryptographic keys from a predetermined set of cryptographic keys, such that a given node may only exchange information directly with another node if the two nodes have a cryptographic key in common, wherein $k > 1$, $b > ((8k/5) - 1)^2$ and the probability of any two nodes which are within wireless range of each other having at least one key in common is greater than 0.625.
11. A sensor network as claimed in claim 10, wherein k > 8, and the probability that, if all of the keys of a particular node are compromised, any two remaining nodes cannot communicate directly as they do not share a non-compromised key is no greater than 0.1.
12. A method of distributing cryptographic keys among a plurality of sensor nodes, wherein each node receives a predetermined, constant plurality of keys and wherein the probability of an arbitrary pair of nodes having at least one key in common tends to a non-zero limit as the number of nodes increases.
PCT/GB2008/004003 2007-12-03 2008-12-03 Method and apparatus for operating secure sensor networks WO2009071891A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
GB1011156A GB2467890A (en) 2007-12-03 2008-12-03 Method and apparatus for operating secure sensor networks

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
GBGB0723617.7A GB0723617D0 (en) 2007-12-03 2007-12-03 Method and apparatus for operating secure sensor networks
GB0723617.7 2007-12-03

Publications (1)

Publication Number Publication Date
WO2009071891A1 true WO2009071891A1 (en) 2009-06-11

Family

ID=38962526

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/GB2008/004003 WO2009071891A1 (en) 2007-12-03 2008-12-03 Method and apparatus for operating secure sensor networks

Country Status (2)

Country Link
GB (2) GB0723617D0 (en)
WO (1) WO2009071891A1 (en)

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1835653A1 (en) * 2005-01-21 2007-09-19 Mitsubishi Electric Corporation Key storage device, key storage method, and program
WO2006131849A2 (en) * 2005-06-08 2006-12-14 Koninklijke Philips Electronics N.V. Deterministic key for pre-distribution for mobile body sensor networks

Non-Patent Citations (6)

* Cited by examiner, † Cited by third party
Title
CAMTEPE S A ET AL: "Combinatorial Design of Key Distribution Mechanisms for Wireless Sensor Networks", IEEE / ACM TRANSACTIONS ON NETWORKING, IEEE / ACM, NEW YORK, NY, US, vol. 15, no. 2, 1 April 2007 (2007-04-01), pages 346 - 358, XP011184501, ISSN: 1063-6692 *
DATABASE INSPEC [online] THE INSTITUTION OF ELECTRICAL ENGINEERS, STEVENAGE, GB; 2004, LEE J ET AL: "Deterministic key predistribution schemes for distributed sensor networks", XP002515068, Database accession no. 8470047 *
J. DONG, D. PEI, Q. ZHAI: "A key predistribution scheme based on rational normal curves over finite fields", ACTA MATHEMATICAE APPLICATAE SINICA, 15 January 2001 (2001-01-15), XP002515065, Retrieved from the Internet <URL:http://166.111.121.20:9080/mathjournal/YYSU200101/yysu200101010.caj.pdf> [retrieved on 20090323] *
JUNWU DONG ET AL: "A Key Predistribution Scheme Based on 3-Designs", INFORMATION SECURITY AND CRYPTOLOGY; [LECTURE NOTES IN COMPUTER SCIENCE], vol. 4990, September 2007 (2007-09-01), Xining, China, pages 81 - 92, XP019101850, Retrieved from the Internet <URL:http://www.springerlink.com/content/r56n072117261r1p/fulltext.pdf> [retrieved on 20090323] *
SELECTED AREAS IN CRYPTOGRAPHY. 11TH INTERNATIONAL WORKSHOP, SAC 2004. REVISED SELECTED PAPERS 9-10 AUG. 2004 WATERLOO, ONT., CANADA, 2004, Selected Areas in Cryptography. 11th International Workshop, SAC 2004. Revised Selected Papers (Lecture Notes in Computer Science Vol.3357) Springer-Verlag Berlin, Germany, pages 294 - 307, ISBN: 3-540-24327-5 *
ZHEN YU ET AL: "A key pre-distribution scheme using deployment knowledge for wireless sensor networks", INFORMATION PROCESSING IN SENSOR NETWORKS, 2005. IPSN 2005. FOURTH INT ERNATIONAL SYMPOSIUM ON LOS ANGELES, CA, USA 25-27 APRIL 2005, PISCATAWAY, NJ, USA,IEEE, 25 April 2005 (2005-04-25), pages 261 - 268, XP010807225, ISBN: 978-0-7803-9201-4 *

Also Published As

Publication number Publication date
GB201011156D0 (en) 2010-08-18
GB0723617D0 (en) 2008-01-09
GB2467890A (en) 2010-08-18

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 08857186

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

ENP Entry into the national phase

Ref document number: 1011156

Country of ref document: GB

Kind code of ref document: A

Free format text: PCT FILING DATE = 20081203

WWE Wipo information: entry into national phase

Ref document number: 1011156.5

Country of ref document: GB

122 Ep: pct application non-entry in european phase

Ref document number: 08857186

Country of ref document: EP

Kind code of ref document: A1