无线传感器网络的轻量级安全体系研究

结合无线传感器网络现有的安全方案存在密钥管理和安全认证效率低等问题的特点,提出了无线传感器网络的轻量级安全体系和安全算法。采用门限秘密共享机制的思想解决了无线传感器网络组网中遭遇恶意节点的问题;采用轻量化ECC算法改造传统ECC算法,优化基于ECC的CPK体制的思想,在无需第三方认证中心CA的参与下,可减少认证过程中的计算开销和通信开销,密钥管理适应无线传感器网络的资源受限和传输能耗相当于计算能耗千倍等特点,安全性依赖于椭圆离散对数的指数级分解计算复杂度;并采用双向认证的方式改造,保证普通节点与簇头节点间的通信安全,抵御中间人攻击。     

基于公钥的可证明安全的异构无线网络认证方案

该文针对3G-WLAN异构网络的接入安全,对异构网络的实体进行抽象,建立了一种通用的认证模型。在该模型的基础上,利用Canetti-Krawczyk (CK)模型设计了一种新的接入认证与密钥协商方案。该方案利用公钥基础设施分配公钥,简化接入端服务器和归属端服务器间的认证过程和认证信息;利用椭圆曲线密码机制,减少了移动终端的认证计算量;最后利用CK模型对提出的协议进行了形式化分析和证明。分析表明该方案是安全有效的。     

An independent three‐factor mutual authentication and key agreement scheme with privacy preserving for multiserver environment and a survey

In the past decades, the demand for remote mutual authentication and key agreement (MAKA) scheme with privacy preserving grows rapidly with the rise of the right to privacy and the development of wireless networks and Internet of Things (IoT). Numerous remote MAKA schemes are proposed for various purposes, and they have different properties. In this paper, we survey 49 three‐factor–based remote MAKA schemes with privacy preserving from 2013 to 2019. None of them can simultaneously achieve security, suitability for multiserver environments, user anonymity, user untraceability, table free, public key management free, and independent authentication. Therefore, we propose an efficient three‐factor MAKA scheme, which achieves all the properties. We propose a security model of a three‐factor–based MAKA scheme with user anonymity for multiserver environments and formally prove that our scheme is secure under the elliptic curve computational Diffie‐Hellman problem assumption, decisional bilinear Diffie‐Hellman problem assumption, and hash function assumption. We compare the proposed scheme to relevant schemes to show our contribution and also show that our scheme is sufficiently efficient for low‐power portable mobile devices.     

基于身份的移动IP注册协议研究

针对移动IP注册协议中家乡和移动节点过多且复杂的计算问题,提出了一个新的基于身份的密钥分发方案,并在此基础上设计了一种高效的移动IP注册协议。该协议实现了移动IP各个节点间相互认证,其中移动节点与家乡代理之间具有双重认证的特点。双线性对和秘密随机数的选取保证了消息的安全性,消息认证码Mac和数字签名Sig保障了消息的完整性。该协议从整体上减少了计算量,降低了注册延迟率,同时也有效地保证了安全性。安全性分析表明,该方案满足移动IP的安全要求。     

Host mobility key management in dynamic secure group communication

The key management has a fundamental role in securing group communications taking place over vast and unprotected networks. It is concerned with the distribution and update of the keying materials whenever any changes occur in the group membership. Wireless mobile environments enable members to move freely within the networks, which causes more difficulty to design efficient and scalable key management protocols. This is partly because both member location dynamic and group membership dynamic must be managed concurrently, which may lead to significant rekeying overhead. This paper presents a hierarchical group key management scheme taking the mobility of members into consideration intended for wireless mobile environments. The proposed scheme supports the mobility of members across wireless mobile environments while remaining in the group session with minimum rekeying transmission overhead. Furthermore, the proposed scheme alleviates 1-affect-n phenomenon, single point of failure, and signaling load caused by moving members at the core network. Simulation results shows that the scheme surpasses other existing efforts in terms of communication overhead and affected members. The security requirements studies also show the backward and forward secrecy is preserved in the proposed scheme even though the members move between areas.     

An efficient identity-based secret key management scheme for MANETs

This paper put forward an identity-based key management scheme for mobile ad hoc networks (MANETs), it provids an efficient secret key management mechanism for security schemes, which be implemented over any cyclic group in that the strong Diffie-Hellman problem is supposed to be hard. By employing identity-based and threshold cryptography, the proposed scheme eliminates the burden of certificates management and can be high level tolerance to node compromise. The scheme is based on threshold Schnorr signature (TSch), for higher efficiency, we transform TSch to a simpler form, donated by SimpleTSch, and prove that SimpleTSch is unforgeable under passive attacks in the random oracle model. However, to cope with active attacks, we enforce the security by introducing Fiore et al's key agreement. We can say that the proposed key management scheme gives lots of help for design of security protocols in MANETs.     

Efficient three‐party password‐based key exchange scheme

In three‐party password‐based key exchange protocol, a client is allowed to share a human‐memorable password with a trusted server such that two clients can negotiate a session key to communicate with each other secretly. Recently, many three‐party password‐based key exchange protocols have been developed. However, these proposed schemes cannot simultaneously achieve security and efficiency. Based on elliptic curve cryptography (ECC), this paper will propose a new simple three‐party password‐based authenticated key exchange scheme. The proposed method not only reduces computation cost for remote users and a trusted server but also is more efficient than previously proposed schemes. It is better suited for resource constrained devices, such as smart cards or mobile units. Copyright © 2010 John Wiley & Sons, Ltd.     

基于椭圆曲线密码组合公钥的ad hoc密钥管理方案

Ad Hoc网络是一种独具特色的网络,作为一种新型的无线,多跳、无中心分布式控制网络,它无需网络基础设施,具有很强的自组织性,鲁棒性.抗毁性和容易构建的特点,其安全问题一直是研究的热点和难点.文中提出了一种改进的基于椭圆曲线密码组合公嘲的ad hoc密钥管理方案.与原方案相比,除了保持快捷地计算出节点的公私钥对、扩展性好、无需证书等特性外,新方案进一步提高了ad hoc网络的安全性,避免了单点失败.     

Novel Trusted Hierarchy Construction for RFID Sensor–Based MANETs Using ECCs

In resource‐constrained, low‐cost, radio‐frequency identification (RFID) sensor–based mobile ad hoc networks (MANETs), ensuring security without performance degradation is a major challenge. This paper introduces a novel combination of steps in lightweight protocol integration to provide a secure network for RFID sensor–based MANETs using error‐correcting codes (ECCs). The proposed scheme chooses a quasi‐cyclic ECC. Key pairs are generated using the ECC for establishing a secure message communication. Probability analysis shows that code‐based identification; key generation; and authentication and trust management schemes protect the network from Sybil, eclipse, and de‐synchronization attacks. A lightweight model for the proposed sequence of steps is designed and analyzed using an Alloy analyzer. Results show that selection processes with ten nodes and five subgroup controllers identify attacks in only a few milliseconds. Margrave policy analysis shows that there is no conflict among the roles of network members.     

An efficient and attack‐resistant key agreement scheme for secure group communications in mobile ad‐hoc networks

As a result of the growing popularity of wireless networks, in particular mobile ad hoc networks (MANET), security over such networks has become very important. Trust establishment, key management, authentication, and authorization are important areas that need to be thoroughly researched before security in MANETs becomes a reality. This work studies the problem of secure group communications (SGCs) and key management over MANETs. It identifies the key features of any SGC scheme over such networks. AUTH‐CRTDH, an efficient key agreement scheme with authentication capability for SGC over MANETs, is proposed. Compared to the existing schemes, the proposed scheme has many desirable features such as contributory and efficient computation of group key, uniform work load for all members, few rounds of rekeying, efficient support for user dynamics, key agreement without member serialization and defense against the Man‐in‐the‐Middle attack, and the Least Common Multiple (LCM) attack. These properties make the proposed scheme well suited for MANETs. The implementation results show that the proposed scheme is computationally efficient and scales well to a large number of mobile users. Copyright © 2007 John Wiley & Sons, Ltd.     

Anonymous and expeditious mobile user authentication scheme for GLOMONET environments

The Global Mobility Network (GLOMONET) is rapidly becoming important as well as a popular feature in today's high‐performance network. The legal mobile users enjoy life using the ubiquitous services via GLOMONET. However, because of the broadcast nature of the wireless channel, providing user authentication along with the privacy and anonymity of the users in GLOMONET is indeed a challenging task. In this article, we come up with a secure and expeditious mobile communication environment using symmetric key cryptosystem to ensure mobile users' anonymity and privacy against eavesdroppers and backward/forward secrecy of the session key. Our scheme can also protect numerous security threats, like man‐in‐the‐middle attack, known session key attack, lost smartcard attack, and forgery attack. Furthermore, we put forward a new technique named as “friendly foreign agent policy,” where many foreign agents can make different groups among themselves and perform important responsibilities to authenticate a legitimate mobile user without interfering his or her home agent even though the mobile user moves to a new location, covered by a new foreign agent (belongs to the same group). Security and performance analyses show that the proposed scheme is secure and more efficient as compared with other competitive schemes for GLOMONET environments.     

Improving WTLS Security for WAP Based Mobile e-Commerce

In recent years, WAP has been gaining increasing popularity as a platform for mobile e-commerce; its security has thus become an important issue. In this paper, we focus primarily on improving WTLS, a sub-protocol of WAP, to achieve enhanced WAP security. We propose using an Anonymous Client Authentication (ACA) scheme, which can be applied in general to most Public Key Infrastructure based mobile e-commerce applications, to be incorporated into WTLS to provide client anonymity in WAP. Further, in order to support the desired security feature forward secrecy, and to resist various attacks which could hardly be coped with by the original WTLS, we exploit Elliptic Curve Cryptography (ECC) for session key establishment. The proposed protocol has been shown able to outperform not only the original WTLS protocol, but also the published improved WTLS protocols in terms of computation cost and communication bandwidth. Besides, the proposed ACA scheme can also be exploited in other internet and wireless network based platforms.     

高效的无证书多接收者匿名签密方案

针对已有的基于身份的多接收者签密方案存在的密钥托管问题,研究了无证书多接收者签密安全模型,进而基于椭圆曲线密码体制,提出一个无证书多接收者签密方案,并在随机预言机模型下证明方案的安全性建立在计算Diffie-Hellman问题及椭圆曲线离散对数问题的困难性之上。该方案无需证书管理中心,在签密阶段和解签密阶段均不含双线性对运算,且可确保发送者和接收者的身份信息不被泄露,可以方便地应用于网络广播签密服务。     

Defense against collusion scheme based on elliptic curve cryptography for wireless sensor networks

Wireless Sensor Networks (WSNs) are being deployed for a wide variety of applications and the security problems of them have received considerable attention. Considering the limitations of power, com-putation capability and storage resources, this paper proposed an efficient defense against collusion scheme based on elliptic curve cryptography for wireless sensor networks in order to solve the problems that sensor node-key leaking and adversaries make compromised nodes as their collusions to launch new attack. In the proposed scheme, the group-key distribution strategy is employed to compute the private key of each sensor node, and the encryption and decryption algorithms are constructed based on Elliptic Curve Cryptography (ECC). The command center (node) only needs to broadcast a controlling header with three group elements, and the authorized sensor node can correctly recover the session key and use it to decrypt the broadcasting message. Analysis and proof of the proposed scheme’s efficiency and security show that the proposed scheme can resist the k-collusion attack efficiently.     

Secure user authentication scheme with novel server mutual verification for multiserver environments

The fast growth of mobile services and devices has made the conventional single‐server architecture ineffective from the point of its functional requirements. To extend the scalability and availability of mobile services to various applications, it is required to deploy multiserver architecture. In 2016, Moon et al insisted that Lu et al's scheme is weak to insiders and impersonation attack, then they proposed a biometric‐based scheme for authentication and key agreement of users in multiserver environments. Unfortunately, we analyze Moon et al's scheme and demonstrate that their scheme does not withstand various attacks from a malicious registered server. We propose a user authentication scheme with server mutual verification to overcome these security drawbacks. The proposed scheme withstands an attack from malicious insiders in multiserver environments. We use a threshold cryptography to strengthen the process of server authorization and to provide better security functionalities. We then prove the authentication and session key of the proposed scheme using Burrows‐Abadi‐Needham (BAN) logic and show that our proposed scheme is secure against various attacks.     

Hexagonal Clustered Trust Based Distributed Group Key Agreement Scheme in Mobile Ad Hoc Networks

Secure and efficient group communication among mobile nodes is one of the significant aspects in mobile ad hoc networks (MANETs). The group key management (GKM) is a well established cryptographic technique to authorise and to maintain group key in a multicast communication, through secured channels. In a secure group communication, a one-time session key is required to be shared between the participants by using distributed group key agreement (GKA) schemes. Due to the resource constraints of ad hoc networks, the security protocols should be communication efficient with less overhead as possible. The GKM solutions from various researches lacks in considering the mobility features of ad hoc networks. In this paper, we propose a hexagonal clustered one round distributed group key agreement scheme with trust (HT-DGKA) in a public key infrastructure based MANET environment. The proposed HT-DGKA scheme guarantees an access control with key authentication and secrecy. The performance of HT-DGKA is evaluated by simulation analysis in terms of key agreement time and overhead for different number of nodes. Simulation results reveal that the proposed scheme guarantees better performance to secure mobile ad hoc network. It is demonstrated that the proposed scheme possesses a maximum of 2250 ms of key agreement time for the higher node velocity of 25 m/s and lower key agreement overhead. Also, the HT-DGKA scheme outperforms the existing schemes in terms of successful message rate, packet delivery ratio, level of security, computation complexity, number of round, number of exponentiations and number of message sent and received that contribute to the network performance.

     

A new solution for assigning cryptographic keys to control access in mobile agent environments

A mobile agent is a technological promising product. It is an executive program that can migrate from host to host, performing tasks autonomously. However, in an open environment, the mobile agent has many potential threats. Security becomes a critical issue for the mobile agent. Recently, Volker and Mehradad have constructed a mobile agent structure and designed a key assignment strategy to prevent the sensitive data to from being accessed by an unauthorized host. However, their scheme requires a larger agent size and a higher computational cost. In this paper, we shall propose an efficient key assignment scheme to enhance the performance of Volker and Mehradad's scheme. Only few computations and a fixed and small storage are required in our proposed scheme. Furthermore, our scheme can achieve the dynamic key management efficiently. It can also be implemented simply and practically. Copyright © 2006 John Wiley & Sons, Ltd.     

MANET中高效的安全簇组密钥协商协议

针对移动自组网中组密钥管理面临的诸多挑战,提出一种高效的安全簇组密钥协商协议(ESGKAP,effi-cient and secure group key agreement protocol).ESGKAP基于提出的高性能层簇式CCQ_n网络模型,有效地减少了组密钥协商过程中的秘密贡献交互开销,增加了协议的灵活性、可扩展性和容错性.ESGKAP无需控制中心,由秘密分发中心构造门限秘密共享,所有成员通过协商生成簇组密钥,提高了方案的安全性,且基于ECC密码体制提高了簇组密钥生成的效率.同时,提出高效的签密及门限联合签名方案,确保簇组成员能够对接收的簇组密钥份额进行验证,进一步增加了方案的安全性.使用串空间模型对ESGKAP方案进行了形式化分析,证明了其正确性和安全性.最后,通过与BD、A-GDH和TGDH协议比较,表明ESGKAP能有效减少节点和网络资源消耗,很好地适用于特定的移动自组网环境,具有更为明显的安全和性能优势.     

ECC-CoAP: Elliptic Curve Cryptography Based Constraint Application Protocol for Internet of Things

Constraint Application Protocol (CoAP), an application layer based protocol, is a compressed version of HTTP protocol that is used for communication between lightweight resource constraint devices in Internet of Things (IoT) network. The CoAP protocol is generally associated with connectionless User Datagram Protocol (UDP) and works based on Representational State Transfer architecture. The CoAP is associated with Datagram Transport Layer Security (DTLS) protocol for establishing a secure session using the existing algorithms like Lightweight Establishment of Secure Session for communication between various IoT devices and remote server. However, several limitations regarding the key management, session establishment and multi-cast message communication within the DTLS layer are present in CoAP. Hence, development of an efficient protocol for secure session establishment of CoAP is required for IoT communication. Thus, to overcome the existing limitations related to key management and multicast security in CoAP, we have proposed an efficient and secure communication scheme to establish secure session key between IoT devices and remote server using lightweight elliptic curve cryptography (ECC). The proposed ECC-based CoAP is referred to as ECC-CoAP that provides a CoAP implementation for authentication in IoT network. A number of well-known cryptographic attacks are analyzed for validating the security strength of the ECC-CoAP and found that all these attacks are well defended. The performance analysis of the ECC-CoAP shows that our scheme is lightweight and secure.

     

A Secure Key Predistribution Scheme for WSN Using Elliptic Curve Cryptography

Security in wireless sensor networks (WSNs) is an upcoming research field which is quite different from traditional network security mechanisms. Many applications are dependent on the secure operation of a WSN, and have serious effects if the network is disrupted. Therefore, it is necessary to protect communication between sensor nodes. Key management plays an essential role in achieving security in WSNs. To achieve security, various key predistribution schemes have been proposed in the literature. A secure key management technique in WSN is a real challenging task. In this paper, a novel approach to the above problem by making use of elliptic curve cryptography (ECC) is presented. In the proposed scheme, a seed key, which is a distinct point in an elliptic curve, is assigned to each sensor node prior to its deployment. The private key ring for each sensor node is generated using the point doubling mathematical operation over the seed key. When two nodes share a common private key, then a link is established between these two nodes. By suitably choosing the value of the prime field and key ring size, the probability of two nodes sharing the same private key could be increased. The performance is evaluated in terms of connectivity and resilience against node capture. The results show that the performance is better for the proposed scheme with ECC compared to the other basic schemes.