适合于无线传感器网络的混合式组密钥管理方案

针对无线传感器网络中经常出现节点加入或退出网络的情况,提出了一种安全有效的混合式组密钥管理方案.多播报文的加密和节点加入时的组密钥更新,采用了对称加密技术;而系统建立后,组密钥的分发和节点退出后的组密钥更新,采用了基于身份的公钥广播加密方法.方案可抗同谋、具有前向保密性、后向保密性等安全性质.与典型组密钥管理方案相比,方案在适当增加计算开销的情况下,有效降低了节点的存储开销和组密钥更新通信开销.由于节点的存储量、组密钥更新开销独立于群组大小,方案具有较好的扩展性,适合应用于无线传感器网络环境.     

用安全锁实现安全广播的方法

本文介绍一种利用安全锁在广播信道(例如卫星、无线电等)上进行安全广播的方法。这个锁是用中文余数定理实现的。使用安全锁有下述优点:首先,只需发送一份密文;第二,解密操作效率高;第三,每个用户持有的密钥个数少。文中还介绍了用于安全广播的协议,它们分别适用于公开密钥加密系统和非公开密钥加密系统。     

一种基于IBE的前向安全密钥管理协议

无线自组织网络是一种分布式无中心的多跳网络,具有网络拓扑结构不断变化、网络自治、易受攻击等特点,因而传统的密钥管理体制变得不再适合,而秘密共享体制则为自组织网络的密钥管理提供了一种有效途径。前向安全的密钥管理协议是在秘密共享基础上,结合前向安全的思想和基于标识加密公钥算法,支持共享密钥和密钥份额随时间周期更新的密钥管理方案。前向安全的密钥管理协议支持成员动态变化,适合无线自组织网络的密钥管理,相对于传统的密钥管理方式,其安全性有很大提高。     

一种基于ECDH的可认证密钥协商协议

针对Diffie-Hellman密钥交换协议和ECDH密钥协商协议的缺陷,给出了一种改进后的可认证密钥协商协议。该协议具有等献性、密钥不可控、密钥确认、完美前向安全以及抗已知密钥攻击等安全特性。跟以往的密钥协商协议相比,其管理简单、开销较低、安全性高、扩展性较好且实现了身份认证,以较低的计算成本和较高的运算效率实现了通信双方安全的会话密钥协商与密钥验证,能够较好地适用于大规模网络的端到端密钥管理。     

基于单向函数树的多播密钥安全性分析

文章对SMuG草案之一的基于单向函数树(OFT)的密钥管理方案的安全性进行了详细分析,指出OFT方案在实现前向安全和后向安全上的漏洞,提出了可以实现完整的前向安全和后向安全的OFT改进方案。     

基于半可信第三方的用户云数据安全存储协议

目前一些用户外包至云存储的数据面临着泄密风险,很多学者提出利用密钥管理员对数据加密后再外包,但相关协议并不能阻止密钥管理员截获并解密用户数据。针对该问题,将密钥管理员视为半可信第三方,构建了新的系统模型和安全模型,改进了利用密钥管理员加密数据的算法,提出基于半可信第三方的用户云数据安全存储协议(UKC),分别在单密钥管理员和多密钥管理员情形下设计了用户文件上传和下载的算法,有效地防止了来自密钥管理员的安全威胁,并节省运行时间开销。通过定理证明了本协议对密钥管理员攻击是IND-CCA安全的,性能仿真实验显示该协议的运行时间开销较低。     

主密钥在组播密钥管理中的应用

本文在改进的RSA体制基础上给出主密钥的生成算法,并在主密钥的基础上提出了主密钥管理方案,该方案将参与组播的成员分成若干子组,每个子组的密钥生成、分发和更新由一个主密钥控制器完成。当成员变化时,设计的密钥更新策略同时满足前向安全和后向安全,这就解决了组通信中的密钥管理问题,实现了安全的组播。同时该方案使得每个用户只需存储和管理一个密钥,就能与组内或组外的用户进行安全通信,降低了用户的负载。因此主密钥管理方案能适用于大规模的、在网络中广泛分布的和动态的组。     

智能电网中基于层次密钥的细粒度访问机制的研究

为了保证通信的安全,加密是基本的也是重要的解决办法,其中密钥的管理是关键问题。目前已有的方案大多采用公钥加密来实现通信过程的安全,开销花费较大。本文提出基于层次密钥管理的对称加密方案保证数据的完整可用性,防止数据被篡改。并给出了性能分析,方案可以实现基本的安全传输并能够降低开销,节约成本。     

移动WiMAX的安全性分析与改进

结合移动网络技术的发展,IEEE802．16标准的修订,移动WiMAX网络技术的充分利用,文章对移动WiMAX网络存在的未认证消息、未加密管理通信、多“与”广播服务中的共享密钥等三个方面安全缺陷引发攻击者对网络有效攻击的分析,提出对部分敏感的未认证消息加密、通过对管理通信进行加密、多“与”广播服务密钥更新算法的改进方案,使移动WIMAX的安全性可以得到很大提升。     

一种构造前向安全公钥加密算法的一般方法

密钥的泄漏对密码体制来说是一个严重的威胁。前向安全是一种减小密钥泄漏带来的损失的有效的方法。构造前向安全的加密及签名算法是当前密码学的一个热门研究方向。文章给出了一种用普通公钥加密算法构造前向安全的公钥加密算法的方法。通过对其安全性以及效率的分析,得出用这种方法构造出来的前向安全加密算法具有很好的安全性以及效率。     

无线传感器网络中具有撤销功能的自愈组密钥管理方案

在有限域F_q上构造基于秘密共享的广播多项式,提出一种具有节点撤销功能的组密钥更新方案.同时,基于单向散列密钥链建立组密钥序列,采用组密钥预先更新机制,容忍密钥更新消息的丢失,实现自愈.分析表明,在节点俘获攻击高发的环境中,方案在计算开销和通信开销方面具有更好的性能.     

基于RSA的广播加密方案

提出一种基于RSA算法实现的广播加密方案,方案采用的是树形结构,密钥生成和分配过程简介,并且传输开销和存储开销与用户数量以及授权用户数量都没有关系,为常量级。与其它使用计算量较大的双线性映射构造的性能相同的方案相比较,本方案计算量较小。同时非授权用户不能通过共谋构造出一个不同的解密钥,即方案具有抗共谋性。方案能够实现对恶意共享解密钥的叛逆者的追踪。     

移动Ad Hoc网络分布式多跳认证授权方案

提出一个分布式的具有多跳认证授权支持的移动Ad Hoc网络方案。该方案利用门限密钥分享技术把认证授权功能完全分散化,每个节点持有一个密钥份额,只有达到门限值规定数量的节点联合起来才能提供认证服务,而认证服务将不仅仅局限于本地节点,多跳范围内的节点也可以参与这项工作。此外,本文还采用多播来取代广播以减少杂项开销。本文解决了多跳认证授权所遇到的技术难题,并通过仿真验证了方案的可行性和有效性。     

可证安全的基于证书广播加密方案

广播加密可使发送者选取任意用户集合进行广播加密,只有授权用户才能够解密密文.但是其安全性依赖广播中心产生和颁布群成员的解密密钥.针对这一问题,本文提出基于证书广播加密的概念,给出了基于证书广播加密的形式化定义和安全模型.结合基于证书公钥加密算法的思想,构造了一个高效的基于证书广播加密方案,并证明了方案的安全性.在方案中,用户私钥由用户自己选取,证书由认证中心产生,解密密钥由用户私钥和证书两部分组成,克服了密钥托管的问题.在方案中,广播加密算法中的双线性对运算可以进行预计算,仅在解密时做一次双线性对运算,提高了计算效率.     

One-way hash chain-based self-healing group key distribution scheme with collusion resistance capability in wireless sensor networks

In order to resolve the collusion resistance problem in the one-way hash chain-based self-healing group key distribution schemes and improve the performance of previous self-healing group key distribution schemes, we propose a self-healing group key distribution scheme based on the revocation polynomial and a special one-way hash key chain for wireless sensor networks (WSNs) in this paper. In our proposed scheme, by binding the time at which the user joins the group with the capability of recovering previous group session keys, a new method is addressed to provide the capability of resisting the collusion attack between revoked users and new joined users, and a special one-way hash chain utilization method and some new methods to construct the personal secret, the revocation polynomial and the key updating broadcast packet are presented. Compared with existing schemes under same conditions, our proposed scheme not only supports more revoked users and sessions, but also provides a stronger security. Moreover, our proposed scheme reduces the communication overhead, and is especially suited for a large scale WSN in bad environments where a strong collusion attack resistance capability is required and many users will be revoked.     

A novel key management scheme for dynamic multicast communications

Secure multicasting allows the sender to deliver an identical secret to an arbitrary set of recipients through an insecure broadcasting channel, whereas the unintended recipients cannot obtain the secret. A practical approach for securing multicast communications is to apply a session key to encrypt the transmitted data. However, the challenges of secure multicast are to manage the session keys possessed by a dynamic group of recipients and to reduce the overhead of computation and transmission when the membership is changed. In this paper, we propose a new key management scheme for dynamic multicast communication, which is based on privacy homomorphism and Chinese remainder theorem. Our scheme can efficiently and securely deliver an identical message to multiple recipients. In particular, the complexity of the key update process in our scheme is O(1). Copyright © 2008 John Wiley & Sons, Ltd.     

Fast Response PKC-Based Broadcast Authentication in Wireless Sensor Networks

Public Key-based (PKC) approaches have gained popularity in Wireless Sensor Network (WSN) broadcast authentication due to their simpler protocol operations, e.g., no synchronization and higher tolerance to node capture attack compared to symmetric key-based approaches. With PKC??s security strength, a sensor node that authenticates messages before forwarding them can detect a bogus message within the first hop. While this prevents forged traffic from wasting the sensor nodes?? energy, performing PKC operations in the limited computing-power sensor nodes can result in undesirably long message propagation time. At the other extreme, the sensor node can forward messages to other nodes prior to authenticating them. This approach diminishes propagation time with the trade-off of allowing forged messages to propagate through the network. To achieve swift and energy efficient broadcast operation, sensor nodes need to decide wisely when to forward first and when to authenticate first. In this paper, we present two new broadcast authentication schemes, called the key pool scheme and the key chain scheme, to solve this dilemma without any synchronization or periodic key redistribution. Both schemes utilize a Bloom filter and the distribution of secret keys among sensor nodes to create fast and capture-resistant PKC-based broadcast authentication protocols. Our NS-2 simulation results for a 3,000-node WSN confirm that broadcast delays of our protocol are only 46.7% and 39.4% slower than the forwarding-first scheme for the key pool and the key chain scheme respectively. At the same time, both protocols are an order of magnitude faster than the authentication-first scheme. The key pool scheme is able to keep forged message propagation to the minimal even when the majority of the nodes have been captured by the attacker. The key chain scheme has smaller transmission overhead than the key pool scheme at the expense of less resistance to node capturing. Two generic improvements to these schemes are also described. One reduces the marking limit on the Bloom filter vector (BFV), which makes it more difficult for an attacker to forge a BFV for a bogus message. The other limits broadcast forwarding to a spanning tree, which reduces the number of nodes forwarding bogus messages by one to two orders of magnitude depending on the percentage of compromised nodes. The first improvement can be applied to any BFV scheme, while the second is even more generally applicable.     

Efficient identity-based security schemes for ad hoc network routing protocols

Wireless ad hoc networks consist of nodes with no central administration and rely on the participating nodes to share network responsibilities. Such networks are more vulnerable to security attacks than conventional wireless networks. We propose two efficient security schemes for these networks that use pairwise symmetric keys computed non-interactively by the nodes which reduces communication overhead. We allow nodes to generate their broadcast keys for different groups and propose a collision-free method for computing such keys. We use identity-based keys that do not require certificates which simplifies key management. Our key escrow free scheme also uses identity-based keys but eliminates inherent key escrow in identity-based keys. Our system requires a minimum number of keys to be generated by the third party as compared to conventional pairwise schemes. We also propose an authenticated broadcast scheme based on symmetric keys and a corresponding signature scheme.     

Ad hoc网中基于哈希的对偶密钥预分配方案

随机密钥预分配是无线Ad hoc网络中最有效的密钥管理机制。提出了一个适用于Ad hoc网络的基于哈希函数的对偶密钥预分配方案。方案利用哈希函数的单向性,由哈希链形成密钥池,节点仅需预分发数量较少的密钥,就能与邻近节点有效建立对偶密钥。方案具有较低的存储成本与计算开销,同时能达到完全连通性,并能动态管理节点与密钥。分析表明,方案具有较好的有效性和安全性,更适合Ad hoc网络。     

双向中继稀疏多径信道密钥生成与分发

本文利用时分系统无线多径信道的互易性,提取信道相位信息作为密钥,实现双向中继信道的密钥生成与分发。由于信道的稀疏多径特性,采用基于压缩感知的重构算法对信道状态信息进行估计。端节点采用正交导频设计,将双向中继信道分解为两个点对点的信道;而中继采用物理层网络编码的思想,广播导频和密钥比特的异或。这样,仅用2个时隙就实现了密钥生成与分发,还保证了密钥的安全,且无需预先进行密钥的分配。仿真结果表明,本文所提方案可以有效的实现双向中继信道的密钥生成与分发,保证了物理层的安全通信。