We describe LEAP+ (Localized Encryption and Authentication Protocol), a key management protocol for sensor networks that is designed to support in-network processing, while at the same time restricting the security impact of a node compromise to the immediate network neighborhood of the compromised node. The design of the protocol is motivated by the observation that different types of messages exchanged between sensor nodes have different security requirements, and that a single keying mechanism is not suitable for meeting these different security requirements. LEAP+ supports the establishment of four types of keys for each sensor node: an individual key shared with the base station, a pairwise key shared with another sensor node, a cluster key shared with multiple neighboring nodes, and a global key shared by all the nodes in the network. LEAP+ also supports (weak) local source authentication without precluding in-network processing. Our performance analysis shows that LEAP+ is very efficient in terms of computational, communication, and storage costs. We analyze the security of LEAP+ under various attack models and show that LEAP+ is very effective in defending against many sophisticated attacks, such as HELLO flood attacks, node cloning attacks, and wormhole attacks. A prototype implementation of LEAP+ on a sensor network testbed is also described.