Similar literature
 20 similar documents found; search time 31 ms
1.
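Taking the Simple Network Management Protocol (SNMP) as its reference, and addressing some of SNMP's existing security weaknesses and shortcomings in management efficiency, this article presents the design approach and implementation of an enhanced secure network management protocol from the perspectives of security enhancement and the design of a new management base (TLV). By describing the protocol's use in engineering practice, it shows the advantages of the protocol: improved security of network transmission, strong scalability, and higher management efficiency.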

2.
An effective key management scheme for heterogeneous sensor networks   (total citations: 5, self-citations: 0, citations by others: 5)
Xiaojiang  Yang  Mohsen  Hsiao-Hwa   《Ad hoc Networks》2007,5(1):24-34
Security is critical for sensor networks used in military, homeland security and other hostile environments. Previous research on sensor network security mainly considers homogeneous sensor networks. Research has shown that homogeneous ad hoc networks have poor performance and scalability. Furthermore, many security schemes designed for homogeneous sensor networks suffer from high communication overhead, computation overhead, and/or high storage requirement. Recently deployed sensor network systems are increasingly following heterogeneous designs. Key management is an essential cryptographic primitive to provide other security operations. In this paper, we present an effective key management scheme that takes advantage of the powerful high-end sensors in heterogeneous sensor networks. The performance evaluation and security analysis show that the key management scheme provides better security with low complexity and significant reduction on storage requirement, compared with existing key management schemes.

3.
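A dynamic multicast key management scheme based on a hybrid strategy   (total citations: 3, self-citations: 2, citations by others: 1)
Multicast key management is a current focus of multicast security research. Building on an analysis of existing schemes, this paper considers a hybrid strategy: it combines the advantages of Iolus, a mechanism based on a hierarchy of groups, with those of LKH, a mechanism based on a hierarchy of keys, and proposes a scalable, layered and grouped key management scheme suited to large dynamic multicast groups. The scheme effectively reduces the cost of rekeying, offers high efficiency and good scalability, and is suitable for solving the key management problem of large dynamic multicast.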

4.
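Key management schemes based on a partially distributed threshold mechanism provide high security but have a low authentication success rate and poor scalability; key management schemes based on certificate chains suit the characteristics of ad hoc networks but cannot satisfy application environments with high security requirements. Building on Hubaux's certificate chain scheme, this paper proposes a key management scheme for ad hoc networks based on redundant paths. The scheme improves system security and prevents spoofing attacks by dishonest nodes. Simulation results show that increasing the number of certificates stored at local nodes achieves a high authentication success rate and meets the high security requirements of ad hoc network applications.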

5.
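Security mechanisms in the IEEE 802.16 specification   (total citations: 2, self-citations: 0, citations by others: 2)
Wireless metropolitan area networks (WMANs) face a variety of security threats. Their specification, IEEE 802.16, defines a privacy sublayer that provides authentication, key agreement and data confidentiality. In the early specification, the authentication and key management protocol is Privacy Key Management (PKM), and the data confidentiality mechanism comprises two solutions, one based on DES-CBC and one on AES-CCM. The PKM protocol has several flaws: one-way authentication, difficult PKI deployment, no support for user-based authentication, and no multicast key agreement. The DES-CBC encryption scheme also has shortcomings: algorithmic weakness, no integrity protection and no replay protection. The latest mobility specification, IEEE 802.16e, introduces a flexible EAP authentication framework that removes the flaws of the old PKM protocol and can meet the new security requirements brought by mobility.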

6.
In recent years, many network applications are developed based on group communications (GC), in which the security has to be provided in terms of confidentiality, authenticity and integrity of messages delivered between the group members. A hierarchical tree structure has to be constructed in such a way that it can handle large dynamic groups with the effective key formation and key distribution. In this paper, an Optimal Cluster Hierarchical Tree (OCHT) structure is presented for effective group communication. The proposed OCHT structure provides a novel solution for multicast key management with decentralized architecture to ensure scalability, reliability and cost effectiveness. Simulation results reveal that the proposed OCHT based decentralized architectures provide better performance when compared with existing Logical Hierarchical Tree (LKH). The parameters used for simulation are Memory Overhead, Throughput, Packet Delivery Ratio, End-to-End Latency and Energy consumption.

7.
Key management is one of the important issues in ensuring the security of network services. The aim of key management is to ensure availability of the keys at both the receiver’s and the sender’s ends. Key management involves two aspects: key distribution and key revocation. Key distribution involves the distribution of keys to various nodes with secrecy to provide authenticity and privacy. Key revocation involves securely and efficiently managing the information about the keys which have been compromised. This paper presents the geographic server distributed model for key revocation, which is concerned with the security and performance of the system. The concept presented in this paper is more reliable, faster and scalable than the existing Public Key Infrastructure (PKI) framework in various countries, as it provides optimization of key authentication in a network. It proposes auto-seeking of a geographically distributed certifying authority’s key revocation server, which holds the revocation lists by the client, based on the best service availability. The network divides itself into the strongest availability zones (SAZ), which automatically allows the new receiver to update the address of the authentication server and replace the old address with the new address of the SAZ, in case it moves to another location in the zone, or in case the server becomes unavailable in the same zone. In this way, it reduces the time to gain information about the revocation list and ensures availability and, thus, improvement of the system as a whole. Hence, the proposed system results in scalable, reliable and faster PKI infrastructure and will be attractive for the users who frequently change their location in the network. Our scheme eases out the revocation mechanism and enables key revocation in the legacy systems. It discusses the architecture as well as the performance of our scheme as compared to the existing scheme. However, our scheme does not call for the entire change in PKI, but is compatible with the existing scheme. Our simulations show that the proposed scheme is better for key revocation.

8.
Different devices with different characteristics form a network to communicate among themselves in Internet of Things (IoT). Thus, IoT is heterogeneous in nature. Also, Internet plays a major role in IoT. So, issues related to security in Internet become issues of IoT also. Hence, the group and hierarchical management scheme for solving security issues in Internet of Things is proposed in this paper. The devices in the network are formed into groups. One of the devices is selected as a leader of each group. The communication of the devices from each group takes place with the help of the leader of the corresponding group using encrypted key to enhance the security in the network. Blom's key predistribution technique is used to establish secure communication among any nodes of group. The hierarchy is maintained such that the security can be increased further, but the delay is increased as it takes time to encrypt at every level of hierarchy. Hence, the number of levels of hierarchy needs to be optimized such that delay is balanced. Hence, this algorithm is more suitable for delay‐tolerant applications. The performance of the proposed algorithm is evaluated and is proved to perform better when compared with the legacy systems like Decentralized Batch‐based Group Key Management Protocol for Mobile Internet of Things (DBGK).

9.
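Research on an identity-based SIP authentication and key agreement mechanism   (total citations: 1, self-citations: 0, citations by others: 1)
Because it is simple, flexible and easy to extend, SIP is used more and more widely, but SIP itself lacks strong security mechanisms, which exposes it to many security threats. This paper analyzes the security threats to SIP and its existing security mechanisms, and proposes an identity-based SIP authentication and key agreement scheme that achieves mutual authentication in three exchanges and completes key agreement in the same process. The scheme needs no public-key certificates and uses the user's identity as the public key, which reduces computational complexity and communication overhead and ensures the integrity and authenticity of SIP messages in transit.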

10.
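Wireless sensor networks are self-organizing, self-managing and energy-constrained, which poses severe challenges to their security. Building on an analysis of existing multicast key management schemes, this paper proposes EBKMP, a broadcast key management scheme based on the BIP (Broadcast Incremental Protocol) and EBS (Exclusion Basis Systems) algorithms. The scheme partitions the generated broadcast tree into groups and assigns keys so that the Hamming distance between adjacent groups is as small as possible, which strengthens security while effectively reducing the rekeying cost caused by changes in group membership. Comparison with several classic key management schemes shows that EBKMP is significantly better in communication and storage performance and in resistance to collusion attacks.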

11.
The VersaKey framework: versatile group key management   (total citations: 16, self-citations: 0, citations by others: 16)
Middleware supporting secure applications in a distributed environment faces several challenges. Scalable security in the context of multicasting or broadcasting is especially hard when privacy and authenticity is to be assured to highly dynamic groups where the application allows participants to join and leave at any time. Unicast security is well-known and has widely advanced into production state. But proposals for multicast security solutions that have been published so far are complex, often require trust in network components, or are inefficient. In this paper, we propose a framework of new approaches for achieving scalable security in IP multicasting. Our solutions assure that newly joining members are not able to understand past group traffic and that leaving members may not follow future communication. For versatility, our framework supports a range of closely related schemes for key management, ranging from tightly centralized to fully distributed, and even allows switching between these schemes on-the-fly with low overhead. Operations have low complexity [O(log N) for joins or leaves], thus granting scalability even for very large groups. We also present a novel concurrency-enabling scheme, which was devised for fully distributed key management. In this paper, we discuss the requirements for secure multicasting, present our flexible system, and evaluate its properties based on the existing prototype implementation.

12.
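Research on hierarchical structures for secure multicast key management   (total citations: 3, self-citations: 0, citations by others: 3)
Multicast is an efficient way to deliver data to a group of receivers, and its importance is growing. The group management protocol (IGMP) provides no member access control. To protect the confidentiality of communication, secure multicast encrypts data with a traffic key that is unknown to non-members and is updated dynamically as group membership changes. Key management has therefore become the core problem in secure multicast research. To support large-scale secure multicast, the logical key hierarchy was introduced to make key management scalable. Building on a detailed analysis of the logical key hierarchy, this paper examines the optimal structure of the key tree theoretically and reaches conclusions consistent with experiment.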

13.
Next‐Generation Network (NGN) is a critical scenario in terms of network management because of its network dimension, its number of users and its heterogeneity. Since the introduction of the Simple Network Management Protocol (SNMP) at the beginning of the 1990s, much effort has been devoted to the development of new network management technologies. Both the Desktop Management Task Force (DMTF) and the Internet Engineering Task Force (IETF) have developed different network and system management protocols, such as Common Open Policy Service, Web‐Based Enterprise Management, Network Configuration and even adapted other protocols, such as Diameter and Web Services. A network management technology with poor scalability could compromise NGN management and ultimately NGN network behaviour. This paper analyses the network overhead of several management technologies developed by the DMTF and IETF, and goes on to compare their results with the usage of SNMP. Furthermore, some deployment recommendations are proposed for performance optimization in NGNs. Copyright © 2012 John Wiley & Sons, Ltd.

14.
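Design and implementation of an SNMP-based EPON network management system   (total citations: 3, self-citations: 0, citations by others: 3)
Ethernet passive optical network (EPON) is about to become the most effective communication method for broadband access, so providing a stable and effective network management system for EPON systems is especially important. The Simple Network Management Protocol (SNMP) is the most widely used network management protocol today. This paper analyzes an SNMP-based EPON network management architecture, designs an EPON network management system around functions such as configuration management, performance management, fault management and security management, and implements it on both the management station and the agent.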

15.
In the past, security protocols including key transport protocols are designed with the assumption that there are two parties communicating with each other and an adversary tries to intercept this communication. In Delay/Disruption Tolerant Networking (DTN), packet delivery relies on intermediate parties in the communication path to store and forward the packets. DTN security architecture requires that integrity and authentication should be verified at intermediate nodes as well as at end nodes and confidentiality should be maintained for end communicating parties. This requires new security protocols and key management to be defined for DTN as traditional end-to-end security protocols will not work with DTN. To contribute towards solving this problem, we propose a novel Efficient and Scalable Key Transport Scheme (ESKTS) to transport the symmetric key generated at a DTN node to other communicating body securely using public key cryptography and proxy signatures. It is a unique effort to design a key transport protocol in compliance with DTN architecture. ESKTS ensures that integrity and authentication is achieved at hop-by-hop level as well as end-to-end level. It also ensures end-to-end confidentiality and freshness for end communicating parties. This scheme provides a secure symmetric key transport mechanism based on public key cryptography to exploit the unique bundle buffering characteristics of DTN to reduce communication and computation cost.

16.

Constraint Application Protocol (CoAP), an application layer based protocol, is a compressed version of HTTP protocol that is used for communication between lightweight resource constraint devices in Internet of Things (IoT) network. The CoAP protocol is generally associated with connectionless User Datagram Protocol (UDP) and works based on Representational State Transfer architecture. The CoAP is associated with Datagram Transport Layer Security (DTLS) protocol for establishing a secure session using the existing algorithms like Lightweight Establishment of Secure Session for communication between various IoT devices and remote server. However, several limitations regarding the key management, session establishment and multi-cast message communication within the DTLS layer are present in CoAP. Hence, development of an efficient protocol for secure session establishment of CoAP is required for IoT communication. Thus, to overcome the existing limitations related to key management and multicast security in CoAP, we have proposed an efficient and secure communication scheme to establish secure session key between IoT devices and remote server using lightweight elliptic curve cryptography (ECC). The proposed ECC-based CoAP is referred to as ECC-CoAP that provides a CoAP implementation for authentication in IoT network. A number of well-known cryptographic attacks are analyzed for validating the security strength of the ECC-CoAP and found that all these attacks are well defended. The performance analysis of the ECC-CoAP shows that our scheme is lightweight and secure.


17.
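To address the problems that the Secure Network Encryption Protocol (SNEP) depends too heavily on the base station, consumes much energy in key computation and distributes keys with low security, a clustered structure is adopted and matrix and multiple-key-space theory is introduced to improve SNEP. Nodes can use the matrix information loaded on them to compute communication keys on their own. Analysis shows that the scheme reduces dependence on the base station, guards against Sybil attacks, and lowers the computation and storage demands on the base station without noticeably increasing the computation and storage overhead of nodes; the network has high security and good scalability.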

18.
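Wang Gang  Wen Tao  Guo Quan  Ma Xuebin   Journal on Communications (通信学报) 2009,30(12):68-78
To address the many challenges facing group key management in mobile ad hoc networks, an efficient and secure group key agreement protocol (ESGKAP) for clusters is proposed. ESGKAP builds on a proposed high-performance hierarchical clustered CCQ_n network model, which effectively reduces the overhead of exchanging secret contributions during group key agreement and increases the protocol's flexibility, scalability and fault tolerance. ESGKAP requires no control center: a secret distribution center constructs a threshold secret sharing, and all members generate the cluster group key through agreement, which improves the security of the scheme, while the use of the ECC cryptosystem improves the efficiency of cluster group key generation. In addition, efficient signcryption and threshold joint signature schemes are proposed so that cluster group members can verify the cluster group key shares they receive, further strengthening the scheme's security. The ESGKAP scheme is formally analyzed with the strand space model, which proves its correctness and security. Finally, comparison with the BD, A-GDH and TGDH protocols shows that ESGKAP effectively reduces node and network resource consumption, is well suited to specific mobile ad hoc network environments, and has clearer security and performance advantages.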

19.
Performance of multicast routing protocol in mobile ad hoc networks is mostly characterized by underlying forwarding structure. Currently, general structures based on tree/mesh based scheme cannot handle transmission efficiency, robustness to dynamic topology, scalability, and load balancing functionalities at the same time. To handle above key performance factors concurrently, we propose a new virtual backbone architecture for multicast, which is based on hierarchical hypercube structure. Due to the natural properties of hypercube structure, we can achieve efficiency, robustness and load balance in mobile ad hoc networks where links are frequently broken owing to nodes’ free immigration. Furthermore, scalability problem is naturally resolved by hierarchical structure. Finally, through simulation results, we have proven good scalability by demonstrating that our structure can provide higher packet delivery ratio with low control overhead and better scalability than tree/mesh based scheme without regard to the number of group members.

20.
Key management is more difficult in space networks than in ground wireless networks because of long time delay, large scale and difficult maintenance. The main challenge is how to handle the 1-affects-$n$ problem, which becomes more serious as space entities spread over a wide geographic area. To solve the question, this paper proposes a one-to-many mapping shared key agreement, which is based on one-to-many encryption mechanism model. In the proposed key agreement, each entity has a different decryption key and shares an encryption key. When an entity joins or leaves the network, the only updated keys are a public encryption key and its decryption key. However, the other entities’ secret keys remain unchanged, so that each member has the ability to update its key autonomously and securely, and a legitimate member has the capability of revoking its secret decryption key independently without other members’ agreement. Consequently the performance of the proposed key management scheme is unrelated to the network scale, node mobility and topology structure. It is shown that our proposed key management scheme not only improves the efficiency and flexibility for space networks, but also achieves good security properties, including forward security and backward security and many more by theoretical analyses.
