WSN的网络安全管理机制研究

本文提出一种基于多项式的WSN密钥管理方案.基站通过计算节点秘密信息构成的多项式来生成网络的全局密钥,节点通过全局密钥可以认证网络中的合法节点.节点用全局密钥经过对称多项式密钥交换来生成与簇头节点之间的会话密钥.该方案能够动态更新密钥,从而解决了由于节点被捕获所导致的信息泄露、密钥连通性下降和密钥更新通信开销大等问题.性能分析表明,该方案与现有的密钥预分配方案相比,具有更低的存储开销、通信开销、良好的扩展性和连通性.     

无线传感器网络中具有撤销功能的自愈组密钥管理方案

在有限域F_q上构造基于秘密共享的广播多项式,提出一种具有节点撤销功能的组密钥更新方案.同时,基于单向散列密钥链建立组密钥序列,采用组密钥预先更新机制,容忍密钥更新消息的丢失,实现自愈.分析表明,在节点俘获攻击高发的环境中,方案在计算开销和通信开销方面具有更好的性能.     

基于身份的空间网络组密钥管理方案

针对现有组密钥管理方案无法适应空间网络的问题,提出了一种基于身份的空间网络组密钥管理方案.方案设置了一个由卫星节点组成的多播服务节点集合,协助多播群组完成公共参数的生成和广播,解决了组成员开销不平衡的问题;为同一群组提供服务的节点动态可变,避免了单点失效问题.与现有方案相比,本方案在满足安全要求的基础上,具有更小的计算、存储和通信开销.     

移动ad hoc网络预分配非对称密钥管理方案

为了降低移动ad hoc网络非对称密钥管理中的通信开销,基于组合公钥思想,将ElGamal方案与预分配密钥方式相结合,提出一种基于身份的预分配非对称密钥管理方案(PAKMS)。该方案通过私钥生成中心为节点预分配主密钥子集及基于时间获得节点密钥更新的方式,从方法上降低了移动ad hoc网络非对称密钥管理中的通信开销;私钥生成中心为节点预分配主密钥子集的方式也使节点在网络运行阶段不再依赖私钥生成中心为节点分配和更新密钥。由此,弱化了基于身份密钥管理中存在的私钥托管问题对网络安全的影响。与典型方案对比分析表明,该方案在提供节点密钥更新服务的情况下能够有效降低网络通信开销。此外,对方案的安全性进行了详细证明。     

基于双向散列链具有撤销能力的自愈组密钥分发机制

提出了一种MANET中基于双向散列链具有撤销能力的自愈组密钥分发机制.通过建立会话密钥之间的冗余关联,实现了在不增加管理节点负担的情况下,合法节点利用当前广播信息和自身秘密信息自主恢复由于网络原因遗失会话的组密钥.利用撤销多项式管理者实现了对节点的撤销能力,此外赋予节点与其生命期相对应的秘密掩码值集合.安全分析和效率分析表明在保证安全属性的前提下,降低了通信开销和存储开销.     

实现位置及时间绑定的密钥分发——防御传感器网络节点复制攻击的新方法

提出了一种新的防御思路:通过使复制节点无法与邻居节点建立成对密钥的方式,来达到消除复制节点攻击威胁的目的,由此设计了一种基于多项式的成对密钥分发方法LTB(location and time binding).LTB把每个节点的密钥信息与其部署位置和时间信息绑定起来,使每个节点只能在其部署位置与邻居节点建立成对密钥.由于复制节点的部署位置不同于原捕获节点,因此LTB能够有效阻止其与邻居节点建立成对密钥.LTB相比现有各种周期性复制节点检测机制的优势是它彻底消除了复制节点攻击隐患而且协议开销更低,通信开销从O(pn3/2)下降到O(n),其中,p是检测周期数,n是网络节点个数.     

WSN中同构模型下动态组密钥管理方案

研究了同构网络模型的组密钥管理问题,首次给出了一个明确的、更完整的动态组密钥管理模型,并提出了一种基于多个对称多项式的动态组密钥管理方案。该方案能够为任意多于2个且不大于节点总数的节点组成的动态多播组提供密钥管理功能,解决了多播组建立、节点加入、退出等所引发的与组密钥相关的问题。该方案支持节点移动,具有可扩展性,并很好地解决了密钥更新过程中多播通信的不可靠性。组成员节点通过计算获得组密钥,只需要少量的无线通信开销,大大降低了协商组密钥的代价。分析比较认为,方案在存储、计算和通信开销方面具有很好的性能,更适用于资源受限的无线传感器网络。     

适合于无线传感器网络的混合式组密钥管理方案

针对无线传感器网络中经常出现节点加入或退出网络的情况,提出了一种安全有效的混合式组密钥管理方案.多播报文的加密和节点加入时的组密钥更新,采用了对称加密技术;而系统建立后,组密钥的分发和节点退出后的组密钥更新,采用了基于身份的公钥广播加密方法.方案可抗同谋、具有前向保密性、后向保密性等安全性质.与典型组密钥管理方案相比,方案在适当增加计算开销的情况下,有效降低了节点的存储开销和组密钥更新通信开销.由于节点的存储量、组密钥更新开销独立于群组大小,方案具有较好的扩展性,适合应用于无线传感器网络环境.     

WSN中基于全同态加密的对偶密钥建立方案

针对Guo等人基于排列的多对称多项式方案提出一种攻击方法,证明其方案未能突破容忍门限,并不能抵御大规模节点俘获攻击。通过引入全同态加密提出一种对偶密钥建立方案,使共享密钥计算过程在加密状态下完成,.阻止了敌手获得与多项式有关的信息,成功应对了大规模节点俘获攻击。提出一种全同态加密体制的间接实现方法,降低了方案的存储及计算复杂度。分析及实验表明本方案的存储、计算和通信开销完全满足无线传感器网络的要求。     

改进的无线传感器网络密钥预分发方案

针对现有的无线传感器网络密钥预分发方案密钥易泄露,不可追溯泄密传感器节点等产生的信息泄露问题,新方案改进了已有的基于多项式密钥预分发方案,将节点位置信息和身份信息引入传输信息的路径中,并经过密钥更新及管理说明,连通性和安全性分析。证明新方案提高了已有方案的抗捕获性,易于基站即时发现捕获节点,即时进行调整和明确所接收到的信息的来源。易于用在军事领域及不安全环境中进行信息监测及传输。     

A Full Connectable and High Scalable Key Pre-distribution Scheme Based on Combinatorial Designs for Resource-Constrained Devices in IoT Network

Considering the internet of things (IoT), end nodes such as wireless sensor network, RFID and embedded systems are used in many applications. These end nodes are known as resource-constrained devices in the IoT network. These devices have limitations such as computing and communication power, memory capacity and power. Key pre-distribution schemes (KPSs) have been introduced as a lightweight solution to key distribution in these devices. Key pre-distribution is a special type of key agreement that aims to select keys called session keys in order to establish secure communication between devices. One of these design types is the using of combinatorial designs in key pre-distribution, which is a deterministic scheme in key pre-distribution and has been considered in recent years. In this paper, by introducing a key pre-distribution scheme of this type, we stated that the model introduced in the two benchmarks of KPSs comparability had full connectivity and scalability among the designs introduced in recent years. Also, in recent years, among the combinatorial design-based key pre-distribution schemes, in order to increase resiliency as another criterion for comparing KPSs, attempts were made to include changes in combinatorial designs or they combine them with random key pre-distribution schemes and hybrid schemes were introduced that would significantly reduce the design connectivity. In this paper, using theoretical analysis and maintaining full connectivity, we showed that the strength of the proposed design was better than the similar designs while maintaining higher scalability.

     

A new hybrid key pre-distribution scheme for wireless sensor networks

This article presents a novel hybrid key pre-distribution scheme based on combinatorial design keys and pair-wise keys. For the presented scheme, the deployment zone is cleft into equal-sized cells. We use the combinatorial design based keys to secure intra-cell communication, which helps to maintain low key storage overhead in the network. For inter-cell communication, each cell maintain multiple associations with all the other cells within communication range and these associations are secured with pair-wise keys. This helps to ensure high resiliency against compromised sensor nodes in the network. We provide in-depth analysis for the presented scheme. We measure the resiliency of the presented scheme by calculating fraction of links effected and fraction of nodes disconnected when adversary compromises some sensor nodes in the network. We find that the presented scheme has high resiliency than majority of existing schemes. Our presented scheme also has low storage overhead than existing schemes.

     

Ad hoc网中基于哈希的对偶密钥预分配方案

随机密钥预分配是无线Ad hoc网络中最有效的密钥管理机制。提出了一个适用于Ad hoc网络的基于哈希函数的对偶密钥预分配方案。方案利用哈希函数的单向性,由哈希链形成密钥池,节点仅需预分发数量较少的密钥,就能与邻近节点有效建立对偶密钥。方案具有较低的存储成本与计算开销,同时能达到完全连通性,并能动态管理节点与密钥。分析表明,方案具有较好的有效性和安全性,更适合Ad hoc网络。     

A Hybrid Key Predistribution Scheme for Sensor Networks Employing Spatial Retreats to Cope with Jamming Attacks

In order to provide security services in wireless sensor networks, a well-known task is to provide cryptographic keys to sensor nodes prior to deployment. It is difficult to assign secret keys for all pairs of sensor node when the number of nodes is large due to the large numbers of keys required and limited memory resources of sensor nodes. One possible solution is to randomly assign a few keys to sensor nodes and have nodes be able to connect to each other with some probability. This scheme has limitations in terms of the tradeoffs between connectivity and memory requirements. Recently, sensor deployment knowledge has been used to improve the level of connectivity while using lesser amounts of memory space. However, deployment based key predistribution schemes may cause a large number of nodes to be cryptographically isolated if nodes move after key pre-distribution. Mobility may be necessitated for reasons depending on applications or scenarios. In this paper, we consider mobility due to spatial retreat of nodes under jamming attacks as an example. Jamming attacks are easy and efficient means for disruption of the connectivity of sensors and thus the operation of a sensor network. One solution for mobile sensor nodes to overcome the impact of jamming is to perform spatial retreats by moving nodes away from jammed regions. Moved nodes may not be able to reconnect to the network because they do not have any shared secret with new neighbors at new locations if strict deployment knowledge based key predistribution is employed. In this paper, we propose a hybrid key predistribution scheme that supports spatial retreat strategies to cope with jamming attacks. Our scheme combines the properties of random and deployment knowledge based key predistribution schemes. In the presence of jamming attacks, our scheme provides high key connectivity (similar to deployment knowledge based schemes) while reducing the number of isolated nodes. We evaluate the performance of our scheme through simulations and analysis.     

一种新的基于辛空间的密钥预分配方案

密钥预分配是无线传感器网络中最具挑战的安全问题之一。 该文基于有限域上辛空间中子空间之间的正交关系构造了一个新的组合设计,并基于该设计构造了一个密钥预分配方案。令V 是有限域上8维辛空间中的一个(4,2)型子空间,V 中每一个(1,0)型子空间看作密钥预分配方案中的一个节点,所有的(2,1)型子空间看作该方案的一个密钥池。将整个目标区域划分为若干个大小相同的小区,每个小区有普通节点和簇头两种类型的传感器节点。小区内的普通节点采用基于辛空间的密钥预分配方案分发密钥,不同小区内节点所用密钥池互不相同,因此不同小区内的节点需通过簇头建立间接通信,不同小区内簇头采用完全密钥预分配方式分发密钥。与其他方案相比,该方案的最大优势是网络中节点的抗捕获能力较强,且随着网络规模的不断扩大,网络的连通概率逐渐趋于1。     

无线传感器网络密钥预分配蜂窝模型

要达到无线传感器网络的安全通信,必须对网络中节点之间的通讯数据用密钥进行必要的加密。文章使用蜂窝模型分组方案,把节点按照预测的地理位置关系分组,给处于相同组或是相邻组的节点之间分配共享密钥,使节点的分组模式和查询更符合节点广播特征。蜂窝模型密钥预分配机制极大的提高密钥利用率,减少了密钥分配和维护代价,使传感器网络的安全性和连通性极大的提高。     

An improved key distribution mechanism for large-scale hierarchical wireless sensor networks

Wireless sensor networks are often deployed in hostile environments and operated on an unattended mode. In order to protect the sensitive data and the sensor readings, secret keys should be used to encrypt the exchanged messages between communicating nodes. Due to their expensive energy consumption and hardware requirements, asymmetric key based cryptographies are not suitable for resource-constrained wireless sensors. Several symmetric-key pre-distribution protocols have been investigated recently to establish secure links between sensor nodes, but most of them are not scalable due to their linearly increased communication and key storage overheads. Furthermore, existing protocols cannot provide sufficient security when the number of compromised nodes exceeds a critical value. To address these limitations, we propose an improved key distribution mechanism for large-scale wireless sensor networks. Based on a hierarchical network model and bivariate polynomial-key generation mechanism, our scheme guarantees that two communicating parties can establish a unique pairwise key between them. Compared with existing protocols, our scheme can provide sufficient security no matter how many sensors are compromised. Fixed key storage overhead, full network connectivity, and low communication overhead can also be achieved by the proposed scheme.     

传感器网络中基于三元多项式的密钥管理方案

提出一种新的密钥管理方案KMTP(key management based on ternary polynomial)。基站为每个节点建立唯一性标识,保证节点合法性;基于三元多项式设计簇内和簇间密钥预分配算法,可以保证秘密多项式的破解门限值分别大于簇内节点和分簇总数,理论上难以破解;通过构造安全连通邻接表,设计簇间多跳路由选择算法,保证通信阶段的安全;引入更新参数和更新认证数,保证密钥更新阶段的安全。仿真表明,相比已有方案,KMTP开销较小,且能够提供更高的安全性。     

SBK: A Self-Configuring Framework for Bootstrapping Keys in Sensor Networks

Key pre-distribution has been claimed to be the only viable approach for establishing shared keys between neighboring sensors after deployment for a typical sensor network. However, none of the proposed key pre-distribution schemes simultaneously achieves good performance in terms of scalability in network size, key-sharing probability between neighboring sensors, memory overhead for keying information storage, and resilience against node capture attacks. In this paper, we propose SBK, an in-situ self-configuring framework to bootstrap keys in large-scale sensor networks. SBK is fundamentally different compared to all key pre-distribution schemes. It requires no keying information pre-deployment. In SBK, sensors differentiate their roles as either service nodes or worker nodes after deployment. Service sensors construct key spaces, and distribute keying information in order for worker sensors to bootstrap pairwise keys. An improved scheme, iSBK, is also proposed to speed up the bootstrapping procedure. We conduct both theoretical analysis and simulation study to evaluate the performances of SBK and iSBK. To the best of our knowledge, SBK and iSBK are the only key establishment protocols that simultaneously achieve good performance in scalability, key-sharing probability, storage overhead, and resilience against node capture attacks.     

传感器网络随机密钥对模型密钥管理方案改进

在传感器网络中有必要应用加密技术对节点间的通信进行保护。基于随机密钥对模型的传感器网络的密钥管理方案（BPKP），实现了包括初始密钥对向量预分配，通信密钥对向量的建立和通信密钥对向量更新。对BPKP的性能分析表明：BPKP具有高网络连通性、高安全性和低耗能的优点。