We consider the problem of securing communication between sensor nodes in large-scale sensor networks. We propose a distributed, deterministic key management protocol designed to satisfy authentication and confidentiality, without the need of a key distribution center. Our scheme is scalable since every node only needs to hold a small number of keys independent of the network size, and it is resilient against node capture and replication due to the fact that keys are localized; keys that appear in some part of the network are not used again. Another important property of our protocol is that it is optimized for message broadcast; each node shares one pairwise key with all of its immediate neighbors, so only one transition is necessary to broadcast a message. Furthermore, our scheme is suited for data fusion and aggregation processing; if necessary, nodes can "peak" at encrypted data using their cluster key and decide upon forwarding or discarding redundant information. Finally, we describe a mechanism for evicting compromised nodes as well as adding new nodes. A security analysis is discussed and simulation experiments presented.