Similar literature
Found 19 similar documents; search took 218 ms
1.
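Research on Secure Group Communication in Large-Scale Mobile Ad Hoc Networks   Total citations: 3, self-citations: 1, citations by others: 2
Secure group communication in mobile ad hoc networks must handle dynamic group membership, dynamic member location, and network partitions and merges. Handling these situations efficiently is an important problem in secure group communication for mobile ad hoc networks. To address the problems caused by dynamic membership, dynamic member location, and network partitions and merges, this work proposes to study and design a "virtual dynamic backbone network" model for mobile ad hoc networks. The research focuses on group member authentication and group key management, and a preliminary solution based on the virtual dynamic backbone network is proposed.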

2.
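Asymmetric group key agreement (AGKA) protocols enable the members of a group to transmit information securely. With the development of large-scale distributed collaborative network computing, the members taking part in secure collaborative computing may come from different domains, different time zones, different clouds and different types of networks. Existing AGKA protocols cannot support secure information exchange among group members across domains and heterogeneous networks, and their security is limited to resistance against passive attacks. An identity-based authenticated asymmetric group key agreement (IB-AAGKA) protocol is proposed. The protocol achieves asymmetric group key agreement in one round, which solves the problem that group members cannot stay online for multi-round key agreement because of time-zone differences; it provides anonymity and authentication; and it supports dynamic group key updates for nodes, achieving forward secrecy and backward secrecy of the group key. The security of the protocol is proved under the decisional bilinear Diffie-Hellman (DBDH) hardness assumption, and its performance is analyzed.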

3.
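Based on an analysis of existing group key exchange protocols, a zero-knowledge-based distributed group key management scheme is proposed. The scheme combines the zero-knowledge property with a hierarchical structure. Analysis of the group controller's key storage, encryption computation, and number of unicasts and broadcasts shows that the scheme improves the efficiency of group communication and scales well, and that it can be applied to a variety of group communication environments such as confidential network conferences.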

4.
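Elliptic curve cryptography and ternary trees are introduced into group key agreement, and a group key agreement protocol based on elliptic curves and ternary trees is proposed. Because there is no need to broadcast messages to all other group members, its computation overhead and communication overhead are both only O(n log_3 n). A method of encrypting a random number with the initially agreed key value and producing a hash value is used so that internal nodes of the ternary tree can also negotiate securely. When group membership changes, the initiator updates its random number to provide forward secrecy and backward secrecy, so the scheme is suitable for fairly large dynamic groups.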

5.
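To improve the efficiency and scalability of group key agreement in dynamic peer communication environments, a group key agreement protocol based on m-ary trees and the DMDH assumption is proposed. The protocol combines the m-ary tree structure with the DMDH assumption: a variable m is negotiated to determine the key tree, the corresponding multilinear map is selected from a family of multilinear maps, and the group key agreement computation is carried out. The variable m-ary tree structure also balances the protocol's computation overhead and communication overhead, making it suitable for both LAN and WAN environments. Compared with TGDH and GDH, it offers better security, efficiency and scalability.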

6.
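A secure and efficient group key management scheme is the key to securing group communication. Taking into account the characteristics and requirements of military secure communication and of group key management, a group key management scheme based on a hierarchy tree model is proposed. The hierarchy tree model is built according to military subordination relationships, a one-way hash function is introduced to generate inter-level keys that maintain access rights between upper and lower levels, and an improved Logical Key Hierarchy (LKH) algorithm is used for key management of the bottom-level groups. Performance analysis shows that the scheme outperforms other comparable schemes in communication overhead, key storage overhead and other respects.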

7.
邹大毕  林东岱 《计算机应用》2006,26(3):571-0573
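Group key agreement is a very important basic tool in group communication, and obtaining a secure and efficient key agreement protocol is an important problem in current cryptographic research. Based on bilinear pairings and the random oracle model, a dynamic group key agreement scheme for mobile networks is proposed. The scheme is efficient in both computational complexity and communication complexity, and it satisfies the security requirements of key agreement.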

8.
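Group communication is studied in the universally composable (UC) framework. First, the authors propose, in the UC framework, the ideal functionality F_SAGCOM for the group communication model, the ideal functionality F_IDSC for the identity-based signcryption model, and the ideal functionality F_GKD for the group key distribution model. Second, a UC-secure identity-based signcryption protocol π_IDSC is constructed, and it is proved that π_IDSC securely realizes the ideal functionality F_IDSC if and only if the corresponding identity-based signcryption protocol IDSC is secure. Finally, using π_IDSC, a group communication mechanism π_SAGCOM is proposed, which securely realizes the group communication ideal functionality F_SAGCOM in the (F_IDSC, F_GKD)-hybrid model.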

9.
A Group Key Agreement Protocol Based on Tree Structure and the Threshold Idea   Total citations: 6, self-citations: 0, citations by others: 6
王志伟  谷大武 《软件学报》2004,15(6):924-927
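Dynamic peer communication is currently one of the most complex forms of group communication. Five group key agreement protocols proposed in recent years that suit this form of communication are briefly analyzed, namely the CKD (centralized key distribution) protocol, the BD (Burmester-Desmedt) protocol, the STR (Steer et al.) protocol, the GDH (group Diffie-Hellman) protocol and the TGDH (tree-based group Diffie-Hellman) protocol, and a group key agreement protocol based on tree structure and the threshold idea, TTS (tree and threshold scheme), is then proposed. Compared with existing protocols, TTS has a considerable advantage in computation and is suitable for existing network environments.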

10.
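To improve the efficiency and scalability of group key agreement in dynamic peer communication environments, a group key agreement protocol that combines the m-ary tree structure with the DH protocol is proposed. Compared with the TGDH protocol, it uses an m-ary tree structure to lower the height of the tree and reduce computation; compared with the GDH protocol, it uses level-by-level agreement to reduce communication overhead. A variable m-ary tree is used to balance the protocol's computation overhead and communication overhead, making it suitable for both WAN and LAN environments.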

11.
In this paper, we present the design, implementation, and performance analysis of Group-Aided Multicast (GAM), a scalable many-to-many reliable multicast transport protocol. It achieves high quality ACK trees while keeping the tree maintenance overhead reasonably low in the presence of dynamic group membership and route change. The proposed scheme is supported by a group configuration mechanism that organizes the members in a multicast session into multiple small groups and a tree configuration mechanism that maintains the logical trees according to the underlying multicast routing trees. With the two mechanisms, it builds a two-layer hierarchy of multi-level logical trees from which high-quality per-source ACK trees are generated. Simulation results show that the proposed protocol is more scalable than an existing protocol in terms of processing time for request/repair messages and recovery latency.

12.
张莉华  张健 《测控技术》2016,35(9):87-92
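Flooding, the simplest technique for implementing broadcast communication, is widely used in routing for vehicular ad hoc networks (VANETs). However, because nodes in a VANET move quickly and the network topology changes dynamically, simple flooding easily produces large numbers of redundant packets and triggers broadcast storms. To address this, a probabilistic-forwarding-based AODV routing protocol, denoted AODV_P, is proposed on the basis of the typical on-demand distance vector routing protocol AODV (Ad Hoc on-demand distance vector). AODV_P replaces the flooding in AODV with a probabilistic forwarding mechanism. A node computes a forwarding probability from distance and density information and sets a timer according to that probability. The shorter the timer, the more likely the node is to become the next-hop forwarding node. Simulation results show that the proposed AODV_P effectively reduces redundant packets and alleviates the broadcast storm problem. Compared with the AODV protocol, AODV_P is effectively improved in transmission delay and packet delivery ratio.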

13.
赵克淳  许勇  张伟 《微机发展》2007,17(12):140-143
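Scalable group rekeying is an important problem that large dynamic group communication has to face. At present, the most effective group management techniques are based on the LKH mechanism, and the LKH tree is usually organized as a balanced binary tree. Based on an analysis of batch rekeying and member behavior, and combining star and tree structures, a probabilistic method of organizing the key tree is given. The method classifies members by their probability of change and associates each class with an optimal subtree, which further reduces rekeying overhead and handles well the group rekeying problem caused by changes of heterogeneous members in a multicast group. Experimental results show that the probabilistic organization of the key tree significantly outperforms the balanced binary tree and is more general.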

14.
In this paper we propose a new protocol for reliable multicast in a multihop mobile radio network. The protocol is reliable, i.e., it guarantees message delivery to all multicast nodes even when the topology of the network changes during multicasting. The proposed protocol uses a core-based shared tree. The multicast tree may get fragmented due to node movements. The notion of a forwarding region is introduced which is used to glue together fragments of multicast trees. The gluing process involves flooding the forwarding region of only those nodes that witness topology change due to node mobility. Delivery of multicast messages to mobile nodes is expedited through (i) pushing the message by witness nodes in their forwarding regions and (ii) pulling messages by a mobile node during (re)joining process. Hence, the protocol conserves network bandwidth by using a combination of the push–pull approach and by restricting flooding only to the essential parts of the network that are affected by topology change. We develop a theoretical model to compute the probability of packet loss (as a function of the mobility rate) for our proposed scheme compared to the core-based tree protocol (CBT); we also evaluate the effectiveness of forwarding regions as compared to traditional flooding. Our analysis shows that the proposed scheme significantly outperforms CBT.

15.
《Computer Networks》2008,52(9):1732-1744
To support mobility the network control plane is required to detect changes in the mobile node’s location and distribute the new location information throughout the network thus enabling the forwarding plane to deliver traffic in an optimal manner. The network responsiveness to the mobile node movements can be generally thought of as the time elapsed between the moment the node’s location in the network has changed and the moment the reception of packets in the new location has resumed. This paper outlines an approach to handling the user mobility at the network layer in the context of multi-protocol label switched networks (MPLS). This new approach does not rely on the existing IP mobility management protocols such as Mobile IP and is instead based on the combination of multi-protocol BGP (MP-BGP) and MPLS. This paper proposes to introduce new protocol elements to MP-BGP to achieve mobility label distribution at the network control plane and the optimal packet delivery to the mobile node by the network forwarding plane using MPLS regardless of the IP protocol addressing and the associated logical network topology.

16.
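Location-based routing protocols are widely regarded as a scalable routing solution for mobile ad hoc networks. Most such protocols assume that node location information can be obtained through a location service protocol. Researchers have proposed a variety of location service protocols. However, they scale poorly in large-scale network environments or are not reliable enough in highly dynamic network environments. This paper proposes a scalable and reliable location service protocol, oriented to group mobility, for large-scale mobile ad hoc networks. Simulation results show that this protocol is better suited than the SLURP protocol to large-scale mobile ad hoc networks with group mobility.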

17.
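Existing proactive and reactive routing protocols perform unsatisfactorily and scale poorly in scenarios with many nodes and high node density, whereas hybrid routing protocols scale relatively well. A scalable dynamic hybrid routing protocol for mobile ad hoc networks, SDHRP (Scalable Dynamic Hybrid Routing Protocol), is proposed, based on a distributed dynamic maximum independent set algorithm. Comparison experiments with ZRP show that, while maintaining network throughput, SDHRP reduces routing control overhead by about 30% and scales well.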

18.
TCP Issues in Mobile Ad Hoc Networks: Challenges and Solutions   Total citations: 10, self-citations: 0, citations by others: 10
Mobile ad hoc networks (MANETs) are a kind of very complex distributed communication systems with wireless mobile nodes that can be freely and dynamically self-organized into arbitrary and temporary network topologies. MANETs inherit several limitations of wireless networks, meanwhile make new challenges arising from the specificity of MANETs, such as route failures, hidden terminals and exposed terminals. When TCP is applied in a MANET environment, a number of tough problems have to be dealt with. In this paper, a comprehensive survey on this dynamic field is given. Specifically, for the first time all factors impairing TCP performance are identified based on network protocol hierarchy, i.e., lossy wireless channel at the physical layer; excessive contention and unfair access at the MAC layer; frail routing protocol at the network layer, the MAC layer and the network layer related mobile node; unfit congestion window size at the transport layer and the transport layer related asymmetric path. How these factors degrade TCP performance is clearly explained. Then, based on how to alleviate the impact of each of these factors listed above, the existing solutions are collected as comprehensively as possible and classified into a number of categories, and their advantages and limitations are discussed. Based on the limitations of these solutions, a set of open problems for designing more robust solutions is suggested.

19.
《Computer Communications》2007,30(11-12):2497-2509
Multi-privileged group communications containing multiple data streams have been studied in the traditional wired network environment and the Internet. With the rapid development of mobile and wireless networks and in particular mobile ad-hoc networks (MANETs), the traditional Internet has been integrated with mobile and wireless networks to form the mobile Internet. The multi-privileged group communications can be applied to the mobile Internet. Group users can subscribe to different data streams according to their interest and have multiple access privileges with the support of multi-privileged group communications. Security is relatively easy to be guaranteed in traditional groups where all group members have the same privilege. On the other hand, security has been a challenging issue and is very difficult to handle in multi-privileged groups. In this paper, we first introduce some existing rekeying schemes for secure multi-privileged group communications and analyze their advantages and disadvantages. Then, we propose an efficient group key management scheme called ID-based Hierarchical Key Graph Scheme (IDHKGS) for secure multi-privileged group communications. The proposed scheme employs a key graph, on which each node is assigned a unique ID according to access relations between nodes. When a user joins/leaves the group or changes its access privileges, other users in the group can deduce the new keys using one-way function by themselves according to the ID of joining/leaving/changing node on the graph, and thus the proposed scheme can greatly reduce the rekeying overhead.
