Encryption is often used to ensure the confidentiality of data messages exchanged in networks of wireless nodes, and key distribution is an important problem because the security of the system depends on keeping the secret keys secret. Traditional ways to handle this problem are to use symmetric ciphers to distribute the keys or to use asymmetric (public key) algorithms. Public key algorithms inherently have some attributes that make key distribution a simpler problem, but they are more computationally intensive than symmetric key algorithms. Symmetric key algorithms tend to be more efficient for resource-constrained nodes but offer no intrinsic help for the problem of key distribution. A traditional way to address key distribution without using asymmetric ciphers is to encrypt the new key using either the old key or a key distribution key (some call this a “master key”). However, both of these solutions have potential problems. In the first instance, if a key is compromised, i.e., learned by an unauthorized agent, then the new key is trivially also retrieved by this unauthorized party because the new key is encrypted with the old compromised key. Anyone who knows the old key can, if they are listening at the right time, also discover the new key. In the latter case, in which a key distribution key is used to encrypt the new key, the problem is similar because if the key distribution key is compromised, then all subsequent key changes are also compromised. Additionally, there is the question of how one securely changes the key distribution key.
Co-pending, commonly assigned, patent application Ser. No. 12/418,787, filed Apr. 6, 2009, titled “Simplified Secure Symmetrical Key Management,” describes a key management system in which the sending of cryptographic keys over a network, even in encrypted form, is avoided. As described therein, nodes of the network are each provided with a seed value and a seed identifier. Each seed value has a corresponding unique seed identifier which is maintained within the system. Within each authorized node, the seed value is combined with a local node identifier, such as a serial number or other unique identifier, to form a cryptographic key that is then used by the node to encrypt and/or decrypt data transmitted and received by that node. The cryptographic key is not transmitted over the network, and each node is able to create a different cryptographic key for use in communicating with other nodes.
A key recovery mechanism is also described in application Ser. No. 12/418,787. According to that mechanism, if a received message fails to decrypt properly at a node because the node does not have the latest seed value from which to derive the cryptographic key, the node that has received this message can securely recover from this key mismatch. The node sends the seed identifier for the seed value it presently knows. This seed identifier can be sent unencrypted. At a head end or other location of the network, a seed server receives this failure message and looks up both the seed value corresponding to the received seed identifier and the current (new) seed value and seed identifier that the node should be using. It then encrypts the new seed value and seed identifier using the old cryptographic key derived from the old seed value and sends the encrypted new seed value and identifier back to the node, so that it can update its key. The node may use its old cryptographic key to decrypt the message and recover the new seed value and new seed identifier. Thereafter, the node can generate a new cryptographic key using the new seed value and its local identifier. Receipt of the new seed value may be acknowledged by the node sending back an acknowledgement message which is encrypted using the new cryptographic key derived from the new seed value. Thus, with this key recovery mechanism, cryptographic keys may be easily updated by changing a single seed value at the seed server. The seed server then sends the encrypted new seed value and seed identifier from which each downstream node may then derive an updated unique cryptographic key value.
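The recovery exchange described above, sketched as an added Python example that is not taken from the referenced application. It assumes HMAC-SHA256 as the way a seed value and node identifier are combined, a standard-library stand-in for the symmetric cipher (HMAC keystream plus tag), and a seed server that learns the node identifier from the failure message; all class and function names are hypothetical.

```python
import hashlib, hmac, secrets

def derive_key(seed, node_id):
    # Assumption: seed and node identifier are "combined" with HMAC-SHA256.
    return hmac.new(seed, node_id, hashlib.sha256).digest()

def _stream(key, nonce, n):
    # Stand-in cipher: HMAC-SHA256 in counter mode (the page names no cipher).
    blocks = (hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    # Returns None when the tag does not verify, i.e. on a key mismatch.
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

class SeedServer:  # assumption: it learns node_id from the failure message
    def __init__(self, seeds, current_id):
        self.seeds, self.current_id = seeds, current_id  # seeds: seed_id -> value
    def recover(self, node_id, old_seed_id):
        old_key = derive_key(self.seeds[old_seed_id], node_id)
        update = self.current_id.to_bytes(4, "big") + self.seeds[self.current_id]
        return seal(old_key, update)

class Node:
    def __init__(self, node_id, seed_id, seed):
        self.node_id, self.seed_id, self.seed = node_id, seed_id, seed
    def apply_update(self, blob):
        update = unseal(derive_key(self.seed, self.node_id), blob)  # old key
        if update is None:
            return None
        self.seed_id, self.seed = int.from_bytes(update[:4], "big"), update[4:]
        return seal(derive_key(self.seed, self.node_id), b"ACK")    # new key

def demo():
    # Constructed values: the server has moved to seed 2, the node still holds seed 1.
    server = SeedServer({1: b"\x01" * 32, 2: b"\x02" * 32}, current_id=2)
    node = Node(b"SN-0001", 1, b"\x01" * 32)
    ack = node.apply_update(server.recover(node.node_id, node.seed_id))
    return node.seed_id, unseal(derive_key(server.seeds[2], node.node_id), ack)
```

Only seed identifiers and sealed seed updates cross the wire here; the per-node key is recomputed on each side from the seed value and the node identifier.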