Real-world deployments of wireless sensor networks require secure communication. In many application cases it is sufficient to provide message authentication at the sink. To implement this requirement using symmetric ciphers, keys shared between each sensor node and the sink have to be established and kept fresh during network operation. This paper presents a key distribution scheme based on the well known Elliptic Curve Diffie-Hellman key exchange mechanism that allows us to fulfil the previously outlined requirements efficiently. The DHB-KEY scheme requires only the distribution of a single sink-initiated broadcast message to set individual keys on all sensor nodes. Thus, DHB-KEY has a low complexity and preserves scarce resources such as bandwidth and energy. In the paper we present a protocol specification based on the DHB-KEY scheme and its implementation for the well known TinyOS platform. A physical intrusion detection system in an office building is used to evaluate the protocol implementation. The evaluation shows that DHB-KEY is practical in real-world deployments.