基于分布式密钥共享的UWSN安全分簇方案

针对无照料的无线传感网（UWSN, unattended wireless sensor network）收集效率和安全问题,提出一种安全的UWSN分簇方案,实现了一种三角形网格图的网络拓扑分簇算法,并可完成簇头对移动节点的认证。该方案利用三角形的性质提高了网络的连通度,折中数据收集效率与能耗;将分布式密钥共享方案与分簇算法无缝结合,在网络中高效地搜索移动节点公钥信息,从而在本地不存有对应公钥信息的情况下验证签名信息。实验结果表明,该算法在节点密度越大的情况下分簇越趋近于正三角形网格图,且分簇后的网络对于低于20%节点变节有95%以上概率抵御攻击。     

分簇无线传感器网络中基于横截设计的对密钥建立方案

由于节点能量有限、存贮空间小等特点,使传统的网络密钥管理方案受到挑战。该文基于横截设计、双变量多项式和门限机制,提出了适用于分簇结构传感器网络的对密钥建立方案和多路径密钥建立策略。该方案采用横截设计保证同簇内节点可以直接建立对密钥,而不同簇的节点可以基于门限机制构建多路径密钥。理论和实验分析表明,新方案在增强安全性、连通性和抗毁性的同时,有效地降低了通信量及密钥存储量等代价,并且具有良好的可扩展性。     

一种新的基于辛空间的密钥预分配方案

密钥预分配是无线传感器网络中最具挑战的安全问题之一。 该文基于有限域上辛空间中子空间之间的正交关系构造了一个新的组合设计,并基于该设计构造了一个密钥预分配方案。令V 是有限域上8维辛空间中的一个(4,2)型子空间,V 中每一个(1,0)型子空间看作密钥预分配方案中的一个节点,所有的(2,1)型子空间看作该方案的一个密钥池。将整个目标区域划分为若干个大小相同的小区,每个小区有普通节点和簇头两种类型的传感器节点。小区内的普通节点采用基于辛空间的密钥预分配方案分发密钥,不同小区内节点所用密钥池互不相同,因此不同小区内的节点需通过簇头建立间接通信,不同小区内簇头采用完全密钥预分配方式分发密钥。与其他方案相比,该方案的最大优势是网络中节点的抗捕获能力较强,且随着网络规模的不断扩大,网络的连通概率逐渐趋于1。     

基于按对平衡设计的异构无线传感器网络密钥预分配方案

利用异构无线传感器网络中普通节点和簇头节点间的差异性,基于中心可分解型按对平衡设计构造了异构的节点密钥环,设计了2种密钥预分配方案DCPBD和VDCPBD.其中,DCPBD利用了中心可分解类型PBD,将普通区组作为普通节点的密钥环,将特殊区组作为簇头节点的密钥环.VDCPBD基于DCPBD进行了扩展,将单一核密钥替换为基于另一密钥池进行SBIBD设计出的簇间密钥环,减小了DCPBD由于单个簇头节点被俘后对整个网络抗毁性的影响.由于在设计时考虑了节点的异构特性,使用确定性方法构造了异构密钥环,使得在保持密钥连通率不变的前提下获得了更低的空间复杂度.仿真实验表明,2个方案都支持大规模网络,且单跳密钥连通率随网络规模增大而趋近于1,2跳连通率恒为1.VDCPBD还具备了更强的抗节点捕获能力和更好的网络可扩展性.     

无线传感器网络的轻量级安全体系研究

结合无线传感器网络现有的安全方案存在密钥管理和安全认证效率低等问题的特点,提出了无线传感器网络的轻量级安全体系和安全算法。采用门限秘密共享机制的思想解决了无线传感器网络组网中遭遇恶意节点的问题;采用轻量化ECC算法改造传统ECC算法,优化基于ECC的CPK体制的思想,在无需第三方认证中心CA的参与下,可减少认证过程中的计算开销和通信开销,密钥管理适应无线传感器网络的资源受限和传输能耗相当于计算能耗千倍等特点,安全性依赖于椭圆离散对数的指数级分解计算复杂度;并采用双向认证的方式改造,保证普通节点与簇头节点间的通信安全,抵御中间人攻击。     

WSN的网络安全管理机制研究

本文提出一种基于多项式的WSN密钥管理方案.基站通过计算节点秘密信息构成的多项式来生成网络的全局密钥,节点通过全局密钥可以认证网络中的合法节点.节点用全局密钥经过对称多项式密钥交换来生成与簇头节点之间的会话密钥.该方案能够动态更新密钥,从而解决了由于节点被捕获所导致的信息泄露、密钥连通性下降和密钥更新通信开销大等问题.性能分析表明,该方案与现有的密钥预分配方案相比,具有更低的存储开销、通信开销、良好的扩展性和连通性.     

一种基于二次型的无线传感器网络密钥管理方案

针对现有的基于多项式的密钥预分配管理方案受限于节点间密钥共享率和网络连通率等问题,文中提出了一种基于二次型的无线传感器密钥管理方案.该方案突破现有二元t次对称多项式建立共享密钥的思路,引入多元非对称二次型多项式,利用二次型特征值与特征向量之间的关系,分析证明二次型正交对角化的特性,生成密钥信息,节点则通过交换密钥信息实现身份认证,生成与邻居节点之间独立唯一的会话密钥.性能分析表明,与现有的密钥管理方案相比,方案在抗俘获性、连通性、可扩展性、通信开销和存储开销上有较大的改进.     

MANET中高效的安全簇组密钥协商协议

针对移动自组网中组密钥管理面临的诸多挑战,提出一种高效的安全簇组密钥协商协议(ESGKAP,effi-cient and secure group key agreement protocol).ESGKAP基于提出的高性能层簇式CCQ_n网络模型,有效地减少了组密钥协商过程中的秘密贡献交互开销,增加了协议的灵活性、可扩展性和容错性.ESGKAP无需控制中心,由秘密分发中心构造门限秘密共享,所有成员通过协商生成簇组密钥,提高了方案的安全性,且基于ECC密码体制提高了簇组密钥生成的效率.同时,提出高效的签密及门限联合签名方案,确保簇组成员能够对接收的簇组密钥份额进行验证,进一步增加了方案的安全性.使用串空间模型对ESGKAP方案进行了形式化分析,证明了其正确性和安全性.最后,通过与BD、A-GDH和TGDH协议比较,表明ESGKAP能有效减少节点和网络资源消耗,很好地适用于特定的移动自组网环境,具有更为明显的安全和性能优势.     

无线传感器网络密钥管理

无线传感器网络密钥管理极具挑战性,不仅因为传感器节点拥有的资源有限,不宜采用非对称密码技术,同时也因为传感器节点暴露在恶劣甚至敌对环境中,易于被敌手俘获。虽然目前提出许多密钥分配协议,但没有一个协议能在扩展性、共享密钥概率、存储代价和抵御节点俘获攻击等方面同时具有良好性能。密钥管理协议采用的技术必须与具体网络需求和传感器节点拥有的资源一致。分析和评估了典型的密钥管理方案和协议,并指出了该方向存在的开放问题及今后的发展趋势。     

基于最小生成树的异构传感器网络抗共谋优化方案

基于EBS (Exclusion Basis Systems)的密钥管理协议,以安全性高、动态性和扩展性好,较适用于异构传感器网络,但却存在共谋问题。该文提出了一种基于MST (Minimum Spanning Tree)的密钥共谋问题优化方案。该方案利用Prim算法对由簇内感知节点所构成的无向连通图进行最小生成树求解,并对该树进行遍历,根据所得节点遍历顺序进行密钥的指派与分配,使得相邻节点间所含的密钥重叠程度增大,发生共谋的可能性得到降低。实验结果表明:同比于密钥随机分配方案与SHELL方案,所提方案有效提高了网络的抗捕获能力。     

抵抗Sybil攻击的无线传感网中网络分布式密钥管理方案

Wireless sensor network nodes (WSN nodes) have limited computing power, storage capacity, communication capabilities and energy and WSN nodes are easy to be paralyzed by Sybil attack. In order to prevent Sybil attacks, a new key distribution scheme for wireless sensor networks is presented. In this scheme, the key information and node ID are associated, and then the attacker is difficult to forge identity ID and the key information corresponding to ID can not be forged. This scheme can use low-power to resist the Sybil attack and give full play to the resource advantages of the cluster head. The computing, storage and communication is mainly undertaken by the cluster head overhead to achieve the lowest energy consumption and resist against nodes capture attack. Theoretical analysis and experimental results show that compared with the traditional scheme presented in Ref. [14], the capture rate of general nodes of cluster reduces 40% , and the capture rate of cluster heads reduces 50% . So the scheme presented in this paper can improve resilience against nodes capture attack and reduce node power consumption.     

WSNs中基于密钥共享的安全路由

针对无线传感网络的安全路由,提出能效和安全多跳路由(ESMR)。ESMR路由通过密钥共享策略,提高路由防御恶意节点的性能。ESMR路由先依据节点的位置将网络划分不同区(Zone),在每个Zone内,依据邻居节点位置划分多个簇;然后,每个Zone的簇头向基站传输数据,并依据密钥共享策略对数据进行加密。仿真结果表明,相比于同类路由,提出的ESMR在网络寿命、吞吐量、能耗以及端到端时延方面的性能得到有效提高。     

A Secure Key Predistribution Scheme for WSN Using Elliptic Curve Cryptography

Security in wireless sensor networks (WSNs) is an upcoming research field which is quite different from traditional network security mechanisms. Many applications are dependent on the secure operation of a WSN, and have serious effects if the network is disrupted. Therefore, it is necessary to protect communication between sensor nodes. Key management plays an essential role in achieving security in WSNs. To achieve security, various key predistribution schemes have been proposed in the literature. A secure key management technique in WSN is a real challenging task. In this paper, a novel approach to the above problem by making use of elliptic curve cryptography (ECC) is presented. In the proposed scheme, a seed key, which is a distinct point in an elliptic curve, is assigned to each sensor node prior to its deployment. The private key ring for each sensor node is generated using the point doubling mathematical operation over the seed key. When two nodes share a common private key, then a link is established between these two nodes. By suitably choosing the value of the prime field and key ring size, the probability of two nodes sharing the same private key could be increased. The performance is evaluated in terms of connectivity and resilience against node capture. The results show that the performance is better for the proposed scheme with ECC compared to the other basic schemes.     

MUQAMI+: a scalable and locally distributed key management scheme for clustered sensor networks

Wireless sensor networks (WSN) are susceptible to node capture and many network levels attacks. In order to provide protection against such threats, WSNs require lightweight and scalable key management schemes because the nodes are resource-constrained and high in number. Also, the effect of node compromise should be minimized and node capture should not hamper the normal working of a network. In this paper, we present an exclusion basis system-based key management scheme called MUQAMI+ for large-scale clustered sensor networks. We have distributed the responsibility of key management to multiple nodes within clusters, avoiding single points of failure and getting rid of costly inter-cluster communication. Our scheme is scalable and highly efficient in terms of re-keying and compromised node revocation.     

Load Balance Strategy of Data Routing Algorithm Using Semantics for Deduplication Clusters

The backup requirement of data centres is tremendous as the size of data created by human is massive and is increasing exponentially. Single node deduplication cannot meet the increasing backup requirement of data centres. A feasible way is the deduplication cluster, which can meet it by adding storage nodes. The data routing strategy is the key of the deduplication cluster. DRSS (data routing strategy using semantics) improves the storage utilization of MCS (minimum chunk signature) data routing strategy a lot. However, for the large deduplication cluster, the load balance of DRSS is worse than MCS. To improve the load balance of DRSS, we propose a load balance strategy used for DRSS, namely DRSSLB. When a node is overloaded, DRSSLB iteratively migrates the current smallest container of the node to the smallest node in the deduplication cluster until this overloaded node becomes non-overloaded. A container is the minimum unit of data migration. Similar files sharing the same features or file names are stored in the same container. This ensures the similar data groups are still in the same node after rebalancing the nodes. We use the dataset from the real world to evaluate DRSSLB. Experimental results show that, for various numbers of nodes of the deduplication cluster, the data skews of DRSSLB are under predefined value while the storage utilizations of DRSSLB do not nearly increase compared with DRSS, with the low penalty (the data migration rate is only 6.5% when the number of nodes is 64).     

基于动态累加器的异构传感网认证组密钥管理方案

利用动态累加器的证人能够证明特定累加项是否参与累加的特性,实现了组成员身份认证,提出了一种新的支持节点动态增加和撤销的组密钥管理方案DAAG。在需要建立组密钥时,所有成员节点提供自己持有的累加项,参与累加计算。DAAG方案在保证成员节点证人机密性的基础上, 通过绑定证人与组密钥更新计算,限制了非成员节点对新密钥的计算能力。安全性和性能分析表明,DAAG方案虽比FM方案消耗更多的通信代价,但能够抵抗伪造、重放和共谋等恶意攻击,提供前后向安全性。     

Modeling adaptive node capture attacks in multi-hop wireless networks

We investigate the problem of modeling node capture attacks in heterogeneous wireless ad hoc and mesh networks. Classical adversarial models such as the Dolev–Yao model are known to be unsuitable for describing node capture attacks. By defining the amortized initialization overhead cost as well as the cost of capturing a node, we show that finding the node capture attack yielding the minimum cost can be formulated as an integer-programming minimization problem. Hence, there is no polynomial solution to find the minimum cost node capture attack. We show that depending on the adversary’s knowledge of the constraint matrix in the integer-programming problem, different greedy heuristics can be developed for node capture attacks. We also show under what conditions privacy-preserving key establishment protocols can help to prevent minimum cost node capture attacks. Individual node storage randomization is investigated as a technique to mitigate the effect of attacks which are not prevented by the use of privacy-preserving protocols. It is shown that probabilistic heuristic attacks can be performed effectively even under storage randomization.     

HIKES: Hierarchical key establishment scheme for wireless sensor networks

This paper presents a hierarchical key establishment scheme called HIKES. The base station in this scheme, acting as the central trust authority, empowers randomly selected sensors to act as local trust authorities authenticating, on its behalf, the cluster members and issuing private keys. HIKES uses a partial key escrow scheme that enables any sensor node selected as a cluster head to generate all the cryptographic keys needed to authenticate other sensors within its cluster. This scheme localizes secret key issuance and reduces the communication cost with the base station. HIKES provides an efficient broadcast authentication in which source authentication is achieved in a single transmission and a good defense for the routing mechanism. HIKES defends the routing mechanism against most known attacks and is robust against node compromise. HIKES also provides high addressing flexibility and network connectivity to all sensors in the network, allowing sensor addition and deletion. Simulation results have shown that HIKES provides an energy‐efficient and scalable solution to the key management problem. Copyright © 2012 John Wiley & Sons, Ltd.     

SBK: A Self-Configuring Framework for Bootstrapping Keys in Sensor Networks

Key pre-distribution has been claimed to be the only viable approach for establishing shared keys between neighboring sensors after deployment for a typical sensor network. However, none of the proposed key pre-distribution schemes simultaneously achieves good performance in terms of scalability in network size, key-sharing probability between neighboring sensors, memory overhead for keying information storage, and resilience against node capture attacks. In this paper, we propose SBK, an in-situ self-configuring framework to bootstrap keys in large-scale sensor networks. SBK is fundamentally different compared to all key pre-distribution schemes. It requires no keying information pre-deployment. In SBK, sensors differentiate their roles as either service nodes or worker nodes after deployment. Service sensors construct key spaces, and distribute keying information in order for worker sensors to bootstrap pairwise keys. An improved scheme, iSBK, is also proposed to speed up the bootstrapping procedure. We conduct both theoretical analysis and simulation study to evaluate the performances of SBK and iSBK. To the best of our knowledge, SBK and iSBK are the only key establishment protocols that simultaneously achieve good performance in scalability, key-sharing probability, storage overhead, and resilience against node capture attacks.