Self-healing group key distribution with time-limited node revocation for wireless sensor networks

A novel key distribution scheme with time-limited node revocation is proposed for secure group communications in wireless sensor networks. The proposed scheme offers two important security properties: the seal-healing re-keying message distribution which features periodic one-way re-keying with implicitly authentication, efficient tolerance for the lost re-keying messages, and seamless Traffic Encryption Key (TEK) switch without disrupting ongoing data transmissions; and the time-limited dynamic node attachment and detachment, so that both forward and backward secrecy is assured by dual directional hash chains. It is shown that the communication and computation overhead of the proposed protocol is light, and the protocol is robust under poor communication channel quality and frequent group node topology change.     

Host mobility key management in dynamic secure group communication

The key management has a fundamental role in securing group communications taking place over vast and unprotected networks. It is concerned with the distribution and update of the keying materials whenever any changes occur in the group membership. Wireless mobile environments enable members to move freely within the networks, which causes more difficulty to design efficient and scalable key management protocols. This is partly because both member location dynamic and group membership dynamic must be managed concurrently, which may lead to significant rekeying overhead. This paper presents a hierarchical group key management scheme taking the mobility of members into consideration intended for wireless mobile environments. The proposed scheme supports the mobility of members across wireless mobile environments while remaining in the group session with minimum rekeying transmission overhead. Furthermore, the proposed scheme alleviates 1-affect-n phenomenon, single point of failure, and signaling load caused by moving members at the core network. Simulation results shows that the scheme surpasses other existing efforts in terms of communication overhead and affected members. The security requirements studies also show the backward and forward secrecy is preserved in the proposed scheme even though the members move between areas.     

The VersaKey framework: versatile group key management

Middleware supporting secure applications in a distributed environment faces several challenges. Scalable security in the context of multicasting or broadcasting is especially hard when privacy and authenticity is to be assured to highly dynamic groups where the application allows participants to join and leave at any time. Unicast security is well-known and has widely advanced into production state. But proposals for multicast security solutions that have been published so far are complex, often require trust in network components, or are inefficient. In this paper, we propose a framework of new approaches for achieving scalable security in IP multicasting. Our solutions assure that newly joining members are not able to understand past group traffic and that leaving members may not follow future communication. For versatility, our framework supports a range of closely related schemes for key management, ranging from tightly centralized to fully distributed, and even allows switching between these schemes on-the-fly with low overhead. Operations have low complexity [O(log N) for joins or leaves], thus granting scalability even for very large groups. We also present a novel concurrency-enabling scheme, which was devised for fully distributed key management. In this paper, we discuss the requirements for secure multicasting, present our flexible system, and evaluate its properties based on the existing prototype implementation     

A location‐aware peer‐to‐peer overlay network

This work describes a novel location‐aware, self‐organizing, fault‐tolerant peer‐to‐peer (P2P) overlay network, referred to as Laptop. Network locality‐aware considerations are a very important metric for designing a P2P overlay network. Several network proximity schemes have been proposed to enhance the routing efficiency of existing DHT‐based overlay networks. However, these schemes have some drawbacks such as high overlay network and routing table maintenance overhead, or not being completely self‐organizing. As a result, they may result in poor scalability as the number of nodes in the system grows. Laptop constructs a location‐aware overlay network without pre‐determined landmarks and adopts a routing cache scheme to avoid maintaining the routing table periodically. In addition, Laptop significantly reduces the overlay maintenance overhead by making each node maintain only the connectivity between parent and itself. Mathematical analysis and simulations are conducted to evaluate the efficiency, scalability, and robustness of Laptop. Our mathematical analysis shows that the routing path length is bounded by log_d N, and the joining and leaving overhead is bounded by d log_d N, where N is the number of nodes in the system, and d is the maximum degree of each node on the overlay tree. Our simulation results show that the average latency stretch is 1.6 and the average routing path length is only about three in 10 000 Laptop nodes, and the maximum degree of a node is bounded by 32. Copyright © 2006 John Wiley & Sons, Ltd.     

A practical quadratic residues based scheme for authentication and privacy in mobile RFID systems

In this paper we propose a novel approach to authentication and privacy in mobile RFID systems based on quadratic residues and in conformance to EPC Class-1 Gen-2 specifications. Recently, Chen et al. (2008) [10] and Yeh et al. (2011) [11] have both proposed authentication schemes for RFID systems based on quadratic residues. However, these schemes are not suitable for implementation on low-cost passive RFID tags as they require the implementation of hash functions on the tags. Consequently, both of these current methods do not conform to the EPC Class-1 Gen-2 standard for passive RFID tags which from a security perspective requires tags to only implement cyclic redundancy checks (CRC) and pseudo-random number generators (PRNG) leaving about 2.5k–5k gates available for any other security operations. Further, due to secure channel assumptions both schemes are not suited for mobile/wireless reader applications. We present the collaborative authentication scheme suitable for mobile/wireless reader RFID systems where the security of the server–reader channel cannot be guaranteed. Our schemes achieves authentication of the tag, reader and back-end server in the RFID system and protects the privacy of the communication without the need for tags to implement expensive hash functions. Our scheme is the first quadratic residues based scheme to achieve compliance to EPC Class-1 Gen-2 specifications. Through detailed security analysis we show that the collaborative authentication scheme achieves the required security properties of tag anonymity, reader anonymity, reader privacy, tag untraceability and forward secrecy. In addition, it is resistant to replay, impersonation and desynchronisation attacks. We also show through strand space analysis that the proposed approach achieves the required properties of agreement, originality and secrecy between the tag and the server.     

Secure Relay Selection of Cognitive Two-Way Denoise-and-Forward Relaying Networks

In this paper, secrecy performance of a cognitive two-way denoise-and-forward relaying network consisting of two primary user (PT and PD) nodes, two secondary source (SA and SB) nodes, multiple secondary relay (\({\textit{SR}}_i\)) nodes and an eavesdropper (E) node is considered, where SA and SB exchange their messages with the help of one of the relays using a two-way relaying scheme. The eavesdropper tries to wiretap the information transmitted between SA and SB. To improve secrecy performance of the network, two relay selection schemes called maximum sum rate and maximum secrecy capacity based relay selection (MSRRS and MSCRS) are proposed and analyzed in terms of intercept probability. It is proved that the MSRRS and MSCRS schemes have the same secrecy performance. Two parameters called average number gain and average cost gain are proposed to show the performance of the proposed relay selection schemes. Numerical results demonstrated that with 10 relay nodes, the proposed relay selection schemes can achieve, respectively, 3.7 dB and 1.9 dB’s improvements in terms of the reduced intercept probability and the enhanced secrecy capacity compared to the traditional round-robin scheme.     

Scalable secure group communication over IP multicast

We introduce and analyze a scalable rekeying scheme for implementing secure group communications Internet protocol multicast. We show that our scheme incurs constant processing, message, and storage overhead for a rekey operation when a single member joins or leaves the group, and logarithmic overhead for bulk simultaneous changes to the group membership. These bounds hold even when group dynamics are not known a priori. Our rekeying algorithm requires a particular clustering of the members of the secure multicast group. We describe a protocol to achieve such clustering and show that it is feasible to efficiently cluster members over realistic Internet-like topologies. We evaluate the overhead of our own rekeying scheme and also of previously published schemes via simulation over an Internet topology map containing over 280 000 routers. Through analysis and detailed simulations, we show that this rekeying scheme performs better than previous schemes for a single change to group membership. Further, for bulk group changes, our algorithm outperforms all previously known schemes by several orders of magnitude in terms of actual bandwidth usage, processing costs, and storage requirements.     

基于EBS和属性加密的抗共谋组密钥管理方案

The major advantages of EBS-based key management scheme are its enhanced network survivability, high dynamic performance, and better support for network expansion. But it suffers from the collusion problem, which means it is prone to the cooperative attack of evicted members. A novel EBS-based collusion resistant group management scheme utilizing the construction of Cipher-text-Policy Attribute-Based Encryption (CP-ABE) is proposed. The new scheme satisfies the desired security properties, such as forward secrecy, backward secrecy and collusion secrecy. Compared with existing EBS-based key management scheme, the new scheme can resolve EBS collusion problem completely. Even all evicted members work together, and share their individual piece of information, they could not access to the new group key. In addition, our scheme is more efficient in terms of communication and computation overhead when the group size is large. It can be well controlled even in the case of large-scale application scenarios .     

Providing secrecy in key management protocols for large wireless sensors networks

This paper defines a new protocol KeEs for the key establishment that meets the security requirements of the threat model proposed. The KeEs protocol assures forward and backward secrecy of the session key, so that if any set of the session keys is compromised, even including the current session key, these compromised keys do not undermine neither the security of future session keys, nor the security of past session keys. We illustrate the protocol in two different scenarios, one in which a Base Station acts as a synchronizer for re-keying the sensors, and a second scenario based on a completely distributed approach where the sensors rely only on themselves to achieve synchronization in the re-keying process. For both scenarios the KeEs protocol requires minimal overhead in terms of computations and transmissions. Finally, in KeES none of the resources needed by a generic sensor is bounded to the size of the WSN.     

Design of a user anonymous password authentication scheme without smart card

Recently, Jiang et al. and He et al. independently found security problems in Chen et al.'s remote user authentication scheme for non‐tamper‐proof storage devices like Universal Serial Bus stick and proposed improvements. Nonetheless, we detect that the schemes proposed by Jiang et al. and He et al. overlook a user's privacy. We also observe that Jiang et al.'s scheme is vulnerable to insider attack and denial of service attacks and lacks forward secrecy. We point out that the password changing facility in He et al.'s scheme is equivalent to undergoing registration, whereas in Jiang et al.'s scheme, it is unsuitable. Moreover, the login phase of both the schemes is incapable to prevent the use of wrong password leading to the computation of an unworkable login request. Therefore, we design a new scheme with user anonymity to surmount the identified weaknesses. Without adding much in communication/computational cost, our scheme provides more security characteristics and keeps the merits of the original schemes. As compared with its predecessor schemes, the proposed scheme stands out as a more apt user authentication method for common storage devices. We have also presented a formal proof of security of the proposed scheme based on the logic proposed by Burrows, Abadi and Needham (BAN logic). Copyright © 2014 John Wiley & Sons, Ltd.     

A New Object Searching Protocol for Multi-tag RFID

This paper proposes a secure and lightweight object searching scheme using Radio Frequency Identification (RFID) technology. The proposed scheme assumes that the objects are attached with multiple number of RFID tags which helps to increase the detection probability of the objects. Security risks such as eavesdropping, information leakage, traceability, man-in-the-middle attack, forward secrecy, backward secrecy, replay attack, de-synchronization attack and impersonation attack are involved in the authentication process. The proposed scheme addresses these issues and utilizes multiple number of tags in an object to increase difficulty for the adversary to mount these attacks. The proposed scheme has advantage over existing schemes that use single RFID tag which are more vulnerable to attacks. This paper considers the resource constraints of RFID tags and hence tries to make the proposed scheme lightweight. Necessary analysis has been carried out to evaluate the security and the other requirements such as computation, communication and storage overhead.     

A new hybrid key pre-distribution scheme for wireless sensor networks

This article presents a novel hybrid key pre-distribution scheme based on combinatorial design keys and pair-wise keys. For the presented scheme, the deployment zone is cleft into equal-sized cells. We use the combinatorial design based keys to secure intra-cell communication, which helps to maintain low key storage overhead in the network. For inter-cell communication, each cell maintain multiple associations with all the other cells within communication range and these associations are secured with pair-wise keys. This helps to ensure high resiliency against compromised sensor nodes in the network. We provide in-depth analysis for the presented scheme. We measure the resiliency of the presented scheme by calculating fraction of links effected and fraction of nodes disconnected when adversary compromises some sensor nodes in the network. We find that the presented scheme has high resiliency than majority of existing schemes. Our presented scheme also has low storage overhead than existing schemes.

     

基于离散对数问题的两层分散式组密钥管理方案

该文基于多个解密密钥映射到同一加密密钥的公钥加密算法提出一个组密钥更新协议,结合LKH算法为特定源多播模型设计一个两层分散式组密钥管理方案。证明它具有后向保密性、高概率的前向保密性和抗串谋性。通过上层私钥的长寿性和密钥转换的方法来缓解子组管理者的性能瓶颈及共享组密钥方法中普遍存在的1影响n问题。分析表明,采用混合密码体制的新方案在一定程度上兼备了两类不同组密钥管理方法的优势。     

基于LKH混合树模型的新型组播密钥更新方案

安全组播是组播技术走向实用化必须解决的问题。在组成员动态变化时,设计一个高效的密钥管理方案是安全组播研究的主要问题。提出了一种基于新型混合树模型的组播密钥更新方案。该方案将GC的存储开销减小为4,同时,在成员加入或离开组时,由密钥更新引起的通信开销与nm保持对数关系(n为组成员数,m为每一族包含的成员数)。     

Optimizing error masking in BIST by output data modification

The error masking in conventional built-in self-test schemes is known to be around 2^–m when the output data is compacted in an m-bit multi-input linear feedback shift register. In the recent years, several schemes have been proposed which claim to reduce the error masking in a significant way while maintaining the need for a small overhead. In this paper, a completely new scheme for reducing error masking is proposed. Unlike the previous schemes in the literature, the new scheme is circuit-dependent and uses the concept of output data modification. This concept suggests modifying the original test output sequence before compaction, in order to obtain a new sequence with a reduced error masking probability. It is shown that the output data modification scheme provides a simple trade-off between the desired error masking which could run into (2^1thousands) and the area overhead needed (which would usually be equal to a 16 or 32 bit multi-input linear feedback shift register) for this masking. Finally, a formal proof is presented which establishes that despite circuit-dependency, the proposed scheme will on the average always lead to the desired error masking.     

Maximum lifetime broadcast communications in cooperative multihop wireless ad hoc networks: Centralized and distributed approaches

We investigate the problem of broadcast routing in energy constrained stationary wireless ad hoc networks with an aim to maximizing the network lifetime measured as the number of successive broadcast sessions that can be supported. We propose an energy-aware spanning tree construction scheme supporting a broadcast request, considering three different signal transmission schemes in the physical layer: (a) point-to-point, (b) point-to-multipoint, and (c) multipoint-to-point. First we present a centralized algorithm that requires global topology information. Next, we extend this to design an approximate distributed algorithm, assuming the availability of k-hop neighborhood information at each node, with k as a parameter. We prove that the centralized scheme has time complexity polynomial in the number of nodes and the distributed scheme has a message complexity that is linear in the number of nodes. Results of numerical experiments demonstrate significant improvement in network lifetime following our centralized scheme compared to existing prominent non-cooperative broadcasting schemes proposed to solve the same lifetime maximization problem in wireless ad hoc networks. Due to lack of global topology information, the distributed solution does not produce as much advantage as the centralized solution. However, we demonstrate that with increasing value of k, the performance of the distributed scheme also improves significantly.     

Differential data update scheme on network-coding-based cloud storage system

In order to solve the problem that the communication overhead of date update was too large on network-coding-based cloud storage system,a new differential data update scheme was proposed.By encoding and compressing the updated part of file,the communication overhead was reduced significantly.A network-coding-based storage prototype system was designed and implemented,and update scheme was deployed in the real network settings.Experimental results show that the proposed scheme has less communication overhead and better scalability than the existing schemes.     

Analytical evaluation of hybrid feedback scheme for OFDMA system

This paper first introduces the performance analysis of two classical channel quality indicator （CQI） feedback schemes which are best-n feedback and the threshold based feedback and derives the mathematical expressions of average capacity which is described by Theorem 1 and 2. Then, a reduced feedback scheme is designed for multiple traffics and multi-channel. The novel scheme combines the best-n feedback and the threshold based feedback together to reduce the feedback overhead. The proposed scheme can not only guarantee the quality of service （QoS） requirement of real time （RT） traffic but also reduce feedback overhead at the cost of a marginal increased downlink overhead. Simulation results demonstrated the good performance of the proposed feedback scheme.     

Hexagonal Clustered Trust Based Distributed Group Key Agreement Scheme in Mobile Ad Hoc Networks

Secure and efficient group communication among mobile nodes is one of the significant aspects in mobile ad hoc networks (MANETs). The group key management (GKM) is a well established cryptographic technique to authorise and to maintain group key in a multicast communication, through secured channels. In a secure group communication, a one-time session key is required to be shared between the participants by using distributed group key agreement (GKA) schemes. Due to the resource constraints of ad hoc networks, the security protocols should be communication efficient with less overhead as possible. The GKM solutions from various researches lacks in considering the mobility features of ad hoc networks. In this paper, we propose a hexagonal clustered one round distributed group key agreement scheme with trust (HT-DGKA) in a public key infrastructure based MANET environment. The proposed HT-DGKA scheme guarantees an access control with key authentication and secrecy. The performance of HT-DGKA is evaluated by simulation analysis in terms of key agreement time and overhead for different number of nodes. Simulation results reveal that the proposed scheme guarantees better performance to secure mobile ad hoc network. It is demonstrated that the proposed scheme possesses a maximum of 2250 ms of key agreement time for the higher node velocity of 25 m/s and lower key agreement overhead. Also, the HT-DGKA scheme outperforms the existing schemes in terms of successful message rate, packet delivery ratio, level of security, computation complexity, number of round, number of exponentiations and number of message sent and received that contribute to the network performance.

     

新的标准模型下基于身份的环签名方案

该文提出了一种新的基于身份的环签名方案,并在标准模型下证明其能抵抗签名伪造攻击,且具有无条件匿名性。与现有标准模型下基于身份的环签名方案相比,新方案具有更短的公开参数,对于n个成员的环,签名长度只有n+1个群元素,签名验证需要n+1个双线性对运算,因此能更好的满足应用要求。