
CN114531663B - Wireless sensor network communication method and system based on hierarchical symmetric key pool - Google Patents


Info

Publication number: CN114531663B
Authority: CN (China)
Prior art keywords: layer, key, node, cluster head, head node
Legal status: Active
Application number: CN202011204484.3A
Other languages: Chinese (zh)
Other versions: CN114531663A (en)
Inventors: 富尧, 钟一民, 余秋炜
Current Assignee: Ruban Quantum Technology Co Ltd; Nanjing Ruban Quantum Technology Co Ltd
Original Assignee: Ruban Quantum Technology Co Ltd; Nanjing Ruban Quantum Technology Co Ltd
Application filed by: Ruban Quantum Technology Co Ltd; Nanjing Ruban Quantum Technology Co Ltd
Priority: CN202011204484.3A


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W4/00 Services specially adapted for wireless communication networks; Facilities therefor
    • H04W4/30 Services specially adapted for particular environments, situations or purposes
    • H04W4/38 Services specially adapted for particular environments, situations or purposes for collecting sensor information
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/009 Security arrangements; Authentication; Protecting privacy or anonymity specially adapted for networks, e.g. wireless sensor networks, ad-hoc networks, RFID networks or cloud networks
    • H04W12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • H04W40/00 Communication routing or communication path finding
    • H04W40/24 Connectivity information management, e.g. connectivity discovery or connectivity update
    • H04W40/32 Connectivity information management, e.g. connectivity discovery or connectivity update for defining a routing cluster membership
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/70 Reducing energy consumption in communication networks in wireless communication networks

Abstract

The invention discloses a wireless sensor network communication method and system based on a hierarchical symmetric key pool. The method comprises the following steps: S1, realizing upper-layer group communication between the layer 0 communication base station and the layer 1 cluster head node; S2, realizing lower-layer group communication between the layer 1 cluster head node and the layer 2 sensor node under normal circumstances; S3, realizing lower-layer group communication between the layer 1 cluster head node and the layer 2 sensor node when a cluster head node has failed; S4, updating the key pool corresponding to the layer 1 cluster head node according to a key pool update method. Beneficial effects: the invention combines a symmetric key pool with a replacement key and, in the group communication scenario, further strengthens the security of using the symmetric key pool, so that even in the extreme case that the symmetric key pool of a certain subgroup is cracked, the security of group communication based on the symmetric key pool can still be guaranteed.

Description

Wireless sensor network communication method and system based on layered symmetric key pool
Technical Field
The invention relates to the field of group communication, in particular to a wireless sensor network communication method and system based on a layered symmetric key pool.
Background
A wireless sensor network (Wireless Sensor Network, WSN) is a distributed sensor network whose endpoints are sensors that can sense and inspect the outside world. The sensors in a WSN communicate wirelessly, so the network can be laid out flexibly, device positions can be changed at any time, and the WSN can be connected to the Internet by wired or wireless means. The sensors form a multi-hop ad hoc network through wireless communication.
A sensor network performs three functions: data acquisition, processing and transmission. Together with communication technology and computer technology, it forms the three pillars of information technology. A wireless sensor network is a wireless network made up of a large number of stationary or moving sensors organized in an ad hoc, multi-hop manner, which cooperatively sense, collect, process and transmit information about perceived objects within the geographic area covered by the network and ultimately deliver that information to the owner of the network.
With the continuous development of wireless communication technology, Device-to-Device (D2D) communication has become one of the hot spots of 3GPP Rel-12 standardization. D2D allows two User Equipments (UEs) to transmit data directly over a specific channel (the Sidelink channel) without going through an evolved Node B (eNB). D2D is not limited to data transmission between two user equipments; it can also support point-to-multipoint group communication. Most existing network authentication systems are based on one-to-one authentication of a single object, whereas for point-to-multipoint data transmission a group is formed according to some principle. In these application scenarios, when a new terminal joins the group, using the existing one-to-one authentication mode not only increases network signaling and causes network congestion but also occupies a large amount of network resources, so the existing one-to-one network authentication system is no longer applicable. To reduce authentication resource consumption and network congestion, a corresponding group authentication mechanism is required. Existing group communication systems use a group key pool and realize group communication with the symmetric keys stored in the group symmetric key pool; if one member is attacked, the confidential communication of the whole group is threatened.
In the prior art, updating the key pool often requires the participation of an issuing center, and the large amount of data transmitted poses a certain threat to security.
Based on the above analysis, the prior art has the following drawbacks:
1. In the prior art, the group symmetric key pool cannot be stored in a high-security chip because of its large capacity, so it may be cracked after a device is captured and disassembled. The group symmetric key pool is shared by all members of the group; once it is cracked, the security of group communication based on it is threatened;
2. The existing method of taking a key from a symmetric key pool first selects a key position and then takes out a whole key segment from that position. When the symmetric key pool is shared by the group members, this way of taking keys is easily known to the group members, so privacy is low;
3. The existing method of updating a key pool is that one party generates the keys and then sends them to the other party; because the amount of key material in a key pool is huge, updating the key pool takes a great deal of time;
4. In existing key-pool-based group communication systems, all members holding the group key pool have the same status, and the capture of any one member invalidates the whole group communication system.
Disclosure of Invention
In view of the problems in the related art, the invention provides a wireless sensor network communication method and system based on a layered symmetric key pool, so as to overcome the technical problems of the prior art.
To this end, the invention adopts the following technical scheme:
According to one aspect of the present invention, there is provided a wireless sensor network communication method based on a hierarchical symmetric key pool, the method comprising the following steps:
S1, realizing upper-layer group communication between the layer 0 communication base station and the layer 1 cluster head node by a group communication method;
S2, realizing lower-layer group communication between the layer 1 cluster head node and the layer 2 sensor node under normal conditions by a group communication method;
S3, realizing lower-layer group communication between the layer 1 cluster head node and the layer 2 sensor node when the cluster head node has failed, by a group communication method;
S4, updating the key pool corresponding to the layer 1 cluster head node according to a key pool update method.
When the cluster head node issues system public and private keys for a sensor node, it acquires the current issuing time and uses the issuing time to obtain a random number of the corresponding size from the key pool. The random number serves as the system private key corresponding to the sensor node, and the system public key is calculated from the system private key. The private key of the sensor node can likewise be calculated from the system private key. The public and private keys, the system public and private keys and the algorithm parameters are stored in the memory of the sensor node, and the public key of the cluster head node and the private key corresponding to the sensor node are obtained by calculation when power is lost.
Further, step S1, realizing upper-layer group communication between the layer 0 communication base station and the layer 1 cluster head node by a group communication method, includes the following steps:
S11, the layer 0 communication base station initiates communication to the layer 1 cluster head node by a group communication method;
S12, the layer 1 cluster head node initiates communication to the layer 0 communication base station by a group communication method.
Further, step S11, in which the layer 0 communication base station initiates communication to the layer 1 cluster head node by a group communication method, specifically includes the following steps:
S111, a first timestamp is generated for the message sent by the layer 0 communication base station, and the layer 0 communication base station computes the key pool of the layer 1 cluster head node;
S112, the layer 0 communication base station takes out a key from the key pool of the layer 1 cluster head node;
S113, after taking out the key, the layer 0 communication base station encrypts the message it sends with the key to obtain a first encrypted message, uses the key to compute a first message authentication code over the identity number of the layer 0 communication base station, the first timestamp and the message sent by the layer 0 communication base station, and sends the first encrypted message, the first message authentication code, the identity number of the layer 0 communication base station and the first timestamp together to the layer 1 cluster head node;
S114, after receiving the information, the layer 1 cluster head node takes out the key from its own key pool and decrypts; it also uses the key to compute a message authentication code over the identity number of the layer 0 communication base station, the first timestamp and the message sent by the layer 0 communication base station, and compares it with the received first message authentication code for verification.
Further, taking out the key in S112 includes the following steps:
S1121, computing the initial position pointer of the key, and computing the step sizes in sequence;
S1122, computing the pointers for extracting the random code in sequence, obtaining a plurality of such pointers;
S1123, taking out the key data bits at the corresponding positions from the key pool in sequence according to the plurality of pointers for extracting the random code;
S1124, if the key pool size is exceeded, wrapping back to the head of the key pool by taking the pointer modulo the key pool length.
Further, step S2, realizing lower-layer group communication between the layer 1 cluster head node and the layer 2 sensor node under normal conditions by a group communication method, includes the following steps:
S21, the layer 1 cluster head node initiates private communication to the layer 2 sensor node by a group communication method;
S22, the layer 2 sensor node initiates private communication to the layer 1 cluster head node by a group communication method.
Further, step S21, in which the layer 1 cluster head node initiates private communication to the layer 2 sensor node by a group communication method, includes the following steps:
S211, the layer 1 cluster head node computes a first key;
S212, the layer 1 cluster head node sends the identity information to be authenticated to the layer 2 sensor node;
S213, the layer 2 sensor node receives the identity information to be authenticated and verifies it; after verification passes, the layer 2 sensor node trusts the identity of the layer 1 cluster head node and the message sent by the layer 1 cluster head node.
Further, step S3, realizing lower-layer group communication between the layer 1 cluster head node and the layer 2 sensor node when the cluster head node has failed, by a group communication method, includes the following steps:
S31, the layer 0 communication base station announces that the parent node of the layer 2 sensor node ID_ij is changed to ID_I, computes the replacement key and key pool of the new layer 1 cluster head node, and also computes the replacement key and key pool of the original layer 1 cluster head node;
S32, the layer 0 communication base station takes out the new system private key and new system public key corresponding to the original layer 2 sensor node ID_ij and computes the new private key corresponding to the layer 2 sensor node ID_IJ; the layer 0 communication base station packs this information to obtain first packing information, recovers the public and private keys of the original layer 1 cluster head node ID_i and of the original layer 2 sensor node ID_ij, and at the same time computes a second key;
S33, the layer 0 communication base station uses the second key to apply a symmetric encryption algorithm to the message containing the first packing information and the signature of the first packing information, and packs the result to obtain second packing information;
S34, the layer 0 communication base station takes out a key from the key pool of the new layer 1 cluster head node ID_I and uses it to compute a message authentication code; the layer 0 communication base station then packs the message again to obtain third packing information and sends it to the new layer 1 cluster head node ID_I;
S35, the new layer 1 cluster head node ID_I receives the third packing information and decrypts and authenticates it; the new layer 1 cluster head node ID_I then sends the second packing information to the original layer 2 sensor node ID_ij;
S36, the original layer 2 sensor node ID_ij receives the second packing information and computes a third key, then uses the third key to decrypt the second packing information and verifies the information. After verification, the original layer 2 sensor node ID_ij updates its own identity number to ID_IJ and its parent node to ID_I, updates its public and private keys and the system public key, and sends the updated information to the new layer 1 cluster head node ID_I. After receiving the updated information, the new layer 1 cluster head node ID_I confirms that the new layer 2 sensor node ID_IJ is its child node and sends the updated information to the layer 0 communication base station. After confirming the information, the layer 0 communication base station stores the issuing time corresponding to the new layer 2 sensor node ID_IJ.
Further, step S4, updating the key pool corresponding to the layer 1 cluster head node according to the key pool update method, includes the following steps:
S41, the original layer 1 cluster head node ID_i generates the request content for updating the key pool, acquires a corresponding timestamp, and sends a key pool update request to the layer 0 communication base station;
S42, after decrypting and authenticating the message, the layer 0 communication base station generates a new identity number ID_I for the layer 1 cluster head node ID_i and computes a new replacement key, adds the new identity number ID_I and the new replacement key to the message content, encrypts the message and sends it to the original layer 1 cluster head node ID_i, which decrypts and authenticates it;
S43, the original layer 1 cluster head node ID_i obtains the new ID_I and the new replacement key, restores the key pool in the node segment by segment using the original replacement key in the security chip and a symmetric cryptographic algorithm, encrypts each segment with the new replacement key, and outputs the re-encrypted key segment to the corresponding position of the key pool storage area of the original layer 1 cluster head node ID_i, overwriting what is stored there;
S44, the original layer 1 cluster head node ID_i updates its replacement key and updates its identity to ID_I; at the same time, the identities and public/private key pairs of the child nodes of the cluster head node are updated.
Further, outputting the re-encrypted key segment in S43 to the corresponding position of the key pool storage area of the original layer 1 cluster head node ID_i for overwriting includes the following steps:
S431, the original layer 1 cluster head node ID_i takes out one segment of the key pool and inputs it into the security chip;
S432, the segment is decrypted with the original replacement key, obtaining the key that corresponds to the same position in the key pool of the communication base station;
S433, that key is encrypted with the new replacement key;
S434, the encrypted key is output to the security chip to form one segment of the key pool.
According to another aspect of the present invention, there is provided a wireless sensor network communication system based on a hierarchical symmetric key pool. The system includes multiple layers of nodes, namely layer 0 nodes, layer 1 nodes and layer 2 nodes, where the layer 0 node is the communication base station of the wireless sensor network, the layer 1 nodes are cluster head nodes, and the layer 2 nodes are sensor nodes.
The layer 0 node has a layer 0 key pool and a corresponding replacement key. Layer 1 contains a plurality of cluster head nodes, each of which has its own unique key pool and corresponding replacement key. The key pool of each cluster head node is computed from the replacement key owned by that node, and the replacement key of a cluster head node is computed from the node's identity number using the replacement key of the layer 0 node. The replacement keys of the layer 0 node and the layer 1 nodes are stored in a local secure storage chip. Layer 2 contains a plurality of sensor nodes.
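Segment-wise re-encryption of a cluster head's key pool (steps S431 to S434) and the derivation of a cluster head's replacement key from the layer 0 replacement key, as an added example that is not code from the patent. HMAC-SHA256 for the derivation, the SHAKE-256 XOR stand-in cipher, the 32-byte segment size and the `SecurityChip` class are assumptions; all key material is constructed.

```python
import hashlib
import hmac

SEG = 32  # bytes per segment passed through the security chip (assumed size)


def derive_kr(kr_parent: bytes, node_id: bytes) -> bytes:
    """Replacement key of a cluster head from the layer 0 replacement key and its ID.
    HMAC-SHA256 is an assumed choice; the text does not name the function."""
    return hmac.new(kr_parent, node_id, hashlib.sha256).digest()


def _seg_cipher(kr: bytes, index: int, segment: bytes) -> bytes:
    """Stand-in symmetric cipher: XOR with SHAKE-256(kr || index). Self-inverse."""
    ks = hashlib.shake_256(kr + index.to_bytes(4, "big")).digest(len(segment))
    return bytes(a ^ b for a, b in zip(segment, ks))


def derive_pool(base_pool: bytes, kr: bytes) -> bytes:
    """Cluster head pool = base station pool encrypted segment by segment under kr."""
    out = bytearray()
    for i in range(0, len(base_pool), SEG):
        out += _seg_cipher(kr, i // SEG, base_pool[i:i + SEG])
    return bytes(out)


class SecurityChip:
    """Holds the replacement key; only key pool segments cross its boundary."""

    def __init__(self, kr: bytes):
        self._kr = kr

    def reencrypt(self, index: int, segment: bytes, new_kr: bytes) -> bytes:
        plain = _seg_cipher(self._kr, index, segment)  # S432: decrypt with old key
        return _seg_cipher(new_kr, index, plain)       # S433: encrypt with new key

    def commit(self, new_kr: bytes) -> None:
        self._kr = new_kr                              # S44: replace the key


def rotate_pool(storage: bytearray, chip: SecurityChip, new_kr: bytes) -> None:
    """Re-encrypt the stored pool in place, one segment at a time."""
    for i in range(0, len(storage), SEG):
        segment = bytes(storage[i:i + SEG])                            # S431
        storage[i:i + SEG] = chip.reencrypt(i // SEG, segment, new_kr)  # overwrite
    chip.commit(new_kr)


def demo():
    """Constructed data: returns (pool before, pool after, pool the base station expects)."""
    base_pool = hashlib.shake_256(b"constructed layer 0 pool").digest(1024)
    kr0 = hashlib.sha256(b"constructed KR_0").digest()
    kr_old = derive_kr(kr0, b"ID_i")
    storage = bytearray(derive_pool(base_pool, kr_old))
    before = bytes(storage)
    chip = SecurityChip(kr_old)
    kr_new = derive_kr(kr0, b"ID_I")  # only ID_I and this key are transmitted
    rotate_pool(storage, chip, kr_new)
    return before, bytes(storage), derive_pool(base_pool, kr_new)


if __name__ == "__main__":
    before, after, expected = demo()
    print("pool changed:", before != after, "| matches base station view:", after == expected)
```

After rotation the cluster head's stored pool equals what the base station recomputes from its own pool and the new replacement key, although no pool data was transmitted.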
The beneficial effects of the invention are as follows:
1) In the group communication scenario, the invention combines a symmetric key pool with a replacement key to further strengthen the security of using the symmetric key pool, so that the security of group communication based on the symmetric key pool can be guaranteed even in the extreme case that the symmetric key pool of a certain subgroup is cracked. Because the group is divided into a plurality of subgroups, when the key pool of one subgroup is cracked, the other subgroups have different key pools and their security is not affected; and because of the protection provided by the replacement key, the key pool of the group administrator cannot be deduced from the cracked subgroup key pool, so its security is not affected either.
2) The key-taking method based on the symmetric key pool first generates a replaced key pool using the replacement key and then takes a number of key bits out of the key pool one by one using step sizes, each of which is different. When the symmetric key pool is shared by the group members, this way of taking keys is not known to the group members, so privacy is high.
3) The key pool update method can update the key pool by transmitting only a small amount of key material; the key transmission volume of the update scheme is small and the scheme is easy to implement.
4) In the key-pool-based group communication system, the members holding the group key pool are classified by level, and different levels have different protection measures and different key pools. Members of an important level are well protected and not easily captured. Members of a less important level are relatively poorly protected, but because their key pool is obtained by encrypting the key pool of the important-level members, even their capture has little impact and does not invalidate the whole group communication system.
Drawings
To illustrate the embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings needed in the embodiments are briefly described below. The drawings in the following description show only some embodiments of the present invention; a person skilled in the art can obtain other drawings from them without inventive effort.
FIG. 1 is a flow diagram of a wireless sensor network communication method based on a hierarchical symmetric key pool in accordance with an embodiment of the present invention;
FIG. 2 is a schematic diagram of a random number acquisition mode in a wireless sensor network communication method based on a layered symmetric key pool according to an embodiment of the present invention;
FIG. 3 is a block diagram of a wireless sensor network communication system based on a hierarchical symmetric key pool in accordance with an embodiment of the present invention;
FIG. 4 is a schematic diagram of the distribution of hierarchical symmetric key pools in a wireless sensor network communication system based on the hierarchical symmetric key pool according to an embodiment of the present invention.
Detailed Description
To further illustrate the various embodiments, the present invention provides the accompanying drawings, which are part of the disclosure and serve mainly to illustrate the embodiments and, together with the description, to explain their principles. With reference to these descriptions, one skilled in the art will recognize other possible implementations and advantages of the present invention. Elements are not drawn to scale, and like reference numerals generally designate like elements.
According to the embodiment of the invention, a wireless sensor network communication method and a wireless sensor network communication system based on a hierarchical symmetric key pool are provided. In a communication group, the invention assumes that every member ID carries the layer number of that member. The smaller the layer number, the better the security protection and the less likely the member is to be captured by an adversary.
The invention is further described below with reference to the accompanying drawings and the detailed description. According to one embodiment of the invention, as shown in FIGS. 1-2, there is provided a wireless sensor network communication method based on a hierarchical symmetric key pool, the method comprising the following steps:
S1, upper-layer group communication (upper-layer group communication between the layer 0 communication base station and the layer 1 cluster head node is realized by a group communication method);
In this embodiment, the layer 0 communication base station is called A, the replacement key of A is KR_0 and the identity number of A is ID_0; a certain layer 1 cluster head node is called B, the replacement key of B is KR_B and the identity number of B is ID_B.
Step S1 comprises the following steps:
S11, layer 0 node A communicates with layer 1 node B (the layer 0 communication base station initiates communication to the layer 1 cluster head node by a group communication method);
Assume that the message content to be sent by group member A is NTFA and that a timestamp TNTFA is generated for the message. A first computes the key pool of B: A computes B's replacement key KR_B from its own replacement key KR_0 and B's identity number ID_B, and then computes the key pool of B from KR_B and A's own key pool. The length of the key pool is KPL.
A takes a key KTA, N bits in total, out of the key pool of B. The computation of KTA follows the system private key generation method and proceeds as follows:
The initial position pointer of the key KTA is computed as PK = FPK(TNTFA) mod KPL, where mod denotes the modulo operation. The step sizes are then computed in sequence: LK_1 = FLK(PK||TNTFA), LK_2 = FLK(LK_1||TNTFA), LK_3 = FLK(LK_2||TNTFA), …, LK_N = FLK(LK_{N-1}||TNTFA). The functions FPK and FLK are arbitrary specified functions. The pointers for extracting the random code are then computed in sequence: PK_1 = PK + LK_1 mod KPL, PK_2 = PK_1 + LK_2 mod KPL, …, PK_N = PK_{N-1} + LK_N mod KPL. PK_1 points to the start of the key KTA, i.e. its first bit position, PK_2 points to the second bit position of KTA, and so on. The N bits of key data at the corresponding positions are taken out of the key pool in sequence according to PK_1, PK_2, …, PK_N. If a pointer exceeds the key pool size KPL, it wraps back to the head of the key pool by taking it modulo KPL.
A takes out the symmetric key KTA shared with group member B and encrypts NTFA with KTA to obtain {NTFA}KTA. A uses KTA to compute a message authentication code over ID_0, TNTFA and NTFA, obtaining MAC(ID_0||TNTFA||NTFA, KTA). The encrypted information and the message authentication code are sent to group member B together with ID_0 and TNTFA; the transmitted message can be expressed as ID_0||TNTFA||{NTFA}KTA||MAC(ID_0||TNTFA||NTFA, KTA).
After receiving the message, B takes the symmetric key KTA out of its own key pool by the same method and uses KTA to decrypt {NTFA}KTA, obtaining the message content NTFA. B then uses KTA to compute the message authentication code over ID_0, TNTFA and NTFA and compares it with the received message authentication code. If the two are consistent, authentication passes and the message content NTFA is trusted; if authentication does not pass, the message content NTFA is not trusted.
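The timestamp-driven key extraction and the message check of step S11, as an added example that is not code from the patent. FPK and FLK are instantiated with SHA-256 and the cipher with a SHAKE-256 XOR stream, both assumptions because the text leaves these functions open; KPL is taken in bits, and the pool, identity and timestamp values are constructed.

```python
import hashlib
import hmac

# Constructed stand-in for cluster head B's key pool, held by both A and B.
DEMO_POOL_B = hashlib.shake_256(b"constructed demo pool for cluster head B").digest(4096)


def _h_int(label: bytes, *parts: bytes) -> int:
    """Assumed instantiation of FPK / FLK: SHA-256 over length-prefixed inputs."""
    h = hashlib.sha256(label)
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return int.from_bytes(h.digest(), "big")


def pointers(tntfa: bytes, kpl: int, n: int) -> list:
    """PK = FPK(T) mod KPL; LK_k = FLK(LK_{k-1}||T); PK_k = PK_{k-1} + LK_k mod KPL."""
    pk = _h_int(b"FPK", tntfa) % kpl
    prev, pos, out = pk, pk, []
    for _ in range(n):
        lk = _h_int(b"FLK", prev.to_bytes(32, "big"), tntfa)  # LK_1 uses PK
        pos = (pos + lk) % kpl  # wraps to the pool head past KPL
        out.append(pos)
        prev = lk
    return out


def extract_key(pool: bytes, tntfa: bytes, n_bits: int = 128) -> bytes:
    """Collect one bit per pointer from scattered pool positions."""
    acc = 0
    for p in pointers(tntfa, len(pool) * 8, n_bits):
        acc = (acc << 1) | ((pool[p // 8] >> (7 - p % 8)) & 1)
    return acc.to_bytes(n_bits // 8, "big")


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher (assumption): XOR with SHAKE-256(key || nonce)."""
    ks = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


def _frame(*fields: bytes) -> bytes:
    """Unambiguous encoding of ID || T || NTF for the MAC input."""
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)


def send(pool: bytes, sender_id: bytes, tntfa: bytes, ntfa: bytes):
    """A's side: ID_0 || TNTFA || {NTFA}KTA || MAC(ID_0||TNTFA||NTFA, KTA)."""
    kta = extract_key(pool, tntfa)
    ct = _xor_stream(kta, tntfa, ntfa)
    tag = hmac.new(kta, _frame(sender_id, tntfa, ntfa), hashlib.sha256).digest()
    return sender_id, tntfa, ct, tag


def receive(pool: bytes, msg):
    """B's side: re-derive KTA from the timestamp, decrypt, then check the MAC.
    The MAC covers the plaintext, as in the text, so decryption comes first.
    Returns the message content, or None if it is not trusted."""
    sender_id, tntfa, ct, tag = msg
    kta = extract_key(pool, tntfa)
    ntfa = _xor_stream(kta, tntfa, ct)
    expected = hmac.new(kta, _frame(sender_id, tntfa, ntfa), hashlib.sha256).digest()
    return ntfa if hmac.compare_digest(tag, expected) else None


if __name__ == "__main__":
    m = send(DEMO_POOL_B, b"ID_0", b"2020-11-02T10:00:00Z", b"report interval = 30 s")
    print(receive(DEMO_POOL_B, m))
```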
S12, layer 1 node B communicates with layer 0 node A (the layer 1 cluster head node initiates communication to the layer 0 communication base station by a group communication method);
Assume that the message content to be sent by group member B is NTFB and that a timestamp TNTFB is generated for the message. B takes a key KTB, N bits in total, out of its own key pool by the method in S11, and encrypts NTFB with KTB to obtain {NTFB}KTB. B uses KTB to compute a message authentication code over ID_B, TNTFB and NTFB, obtaining MAC(ID_B||TNTFB||NTFB, KTB). The encrypted information and the message authentication code are sent to group member A together with ID_B and TNTFB; the transmitted message can be expressed as ID_B||TNTFB||{NTFB}KTB||MAC(ID_B||TNTFB||NTFB, KTB).
After receiving the message, A computes the key pool of B by the method in S11 and takes out KTB, then uses KTB to decrypt {NTFB}KTB, obtaining the message content NTFB. A uses KTB to compute the message authentication code over ID_B, TNTFB and NTFB and compares it with the received message authentication code. If the two are consistent, verification passes and the message NTFB is trusted; if verification does not pass, the message NTFB is not trusted.
S2, lower layer group communication under normal conditions (the lower layer group communication between the layer 1 cluster head node and the layer 2 sensor node under normal conditions is realized by using the group communication method);
Wherein, the step S2 comprises the following steps:
S21, layer 1 node A communicates privately with layer 2 node B;
Cluster head node A calculates the public key of node B from node B's identity number ID_B: PKB = H(ID_B). Using its own private key and the public key of node B, A calculates K_AB. Node A obtains a timestamp T1 and applies the message authentication algorithm to the timestamp with K_AB to obtain K1 = MAC(T1, K_AB), where MAC(m, k) denotes the message authentication algorithm applied to the message content m with the key k.
Let INFOA be the wireless sensor network service information of node A. Node A signs T1||INFOA with the private key SKA_B using the ID-cryptography-based signature algorithm to obtain SIGA = SIG(T1||INFOA, SKA_B), where SIG(m, k) denotes the ID-cryptography-based signature algorithm applied to the message content m with the key k. Node A encrypts INFOA||SIGA with K1 to obtain {INFOA||SIGA}K1, and applies the message authentication algorithm with key K1 to ID_B||ID_A||T1||{INFOA||SIGA}K1 to obtain MAC(ID_B||ID_A||T1||{INFOA||SIGA}K1, K1). Node A sends the encrypted information and the message authentication code to node B together with ID_A, ID_B and T1; the message sent can be expressed as ID_A||ID_B||T1||{INFOA||SIGA}K1||MAC(ID_B||ID_A||T1||{INFOA||SIGA}K1, K1).
After receiving the message, node B calculates the public key of node A from node A's identity number ID_A: PKA = H(ID_A). Using its own private key and the public key of node A, B calculates K_BA. Node B applies the message authentication algorithm with K_BA to the timestamp T1 in the message to obtain K1' = MAC(T1, K_BA). According to ID cryptography, K_BA = K_AB, and thus K1' = K1. Node B can therefore decrypt {INFOA||SIGA}K1 with the key K1' to obtain the correct INFOA||SIGA and verify the message authentication code MAC(ID_B||ID_A||T1||{INFOA||SIGA}K1, K1). Finally, node B verifies the signature SIGA with the calculated public key PKA of node A. After verification passes, B trusts the identity of A and the message sent by A.
S22, layer 2 node B communicates privately with layer 1 node A.
The communication method in this case is basically the same as the method of S21.
Node B calculates the public key of cluster head node A from its identity number ID_A: PKA_B = H(ID_A). Using its own private key and the public key of node A, B calculates K_BA. Node B obtains a timestamp T2 and applies the message authentication algorithm to the timestamp with K_BA to obtain K2 = MAC(T2, K_BA).
Let INFOB be the wireless sensor network service information of node B. Node B signs T2||INFOB with the private key SKB using the ID-cryptography-based signature algorithm to obtain SIGB = SIG(T2||INFOB, SKB). Node B encrypts INFOB||SIGB with K2 to obtain {INFOB||SIGB}K2, and applies the message authentication algorithm with key K2 to ID_A||ID_B||T2||{INFOB||SIGB}K2 to obtain MAC(ID_A||ID_B||T2||{INFOB||SIGB}K2, K2). Node B sends the encrypted information and the message authentication code to node A together with ID_B, ID_A and T2; the message sent can be expressed as ID_B||ID_A||T2||{INFOB||SIGB}K2||MAC(ID_A||ID_B||T2||{INFOB||SIGB}K2, K2).
After receiving the message, node A calculates the public key of node B from node B's identity number ID_B: PKB = H(ID_B). Using its own private key and the public key of node B, A calculates K_AB. Node A applies the message authentication algorithm with K_AB to the timestamp T2 in the message to obtain K2' = MAC(T2, K_AB), and K2' = K2. Node A decrypts {INFOB||SIGB}K2 with the key K2' to obtain the correct INFOB||SIGB and verifies the message authentication code MAC(ID_A||ID_B||T2||{INFOB||SIGB}K2, K2). Finally, node A verifies the signature SIGB with the calculated public key PKB of node B. After verification passes, A trusts the identity of B and the message sent by B.
S3, lower layer group communication in the case of cluster head node failure (the lower layer group communication between the layer 1 cluster head node and the layer 2 sensor node in the case of cluster head node failure is realized by the group communication method);
Wherein, the step S3 comprises the following steps:
A cluster head node may fail because it is knocked down, stolen, powered off, and so on. After the failure, the cluster head node is no longer trusted, and the base station issues a new cluster head node ID_I to replace the original cluster head node ID_i. Let ID_i originally be connected to a plurality of sensor nodes, the j-th of which is ID_ij. After the cluster head node is replaced, the sensor nodes originally connected to ID_i need to be connected to ID_I.
The communication base station announces that the parent node of ID_ij is changed to ID_I and that ID_ij is changed to ID_IJ; the message content is NTF and the time is TNTF. The communication base station calculates the replacement key KR_I = FKRID(ID_I, KR_0) for the new cluster head node and uses it to calculate the key pool of the new cluster head node. It also calculates the replacement key KR_i = FKRID(ID_i, KR_0) of the old cluster head node ID_i and uses KR_i to calculate the key pool of the old cluster head node.
Using TNTF, the communication base station obtains from the key pool of the new cluster head node the new system private key s_IJ of the sensor node corresponding to ID_ij and the new system public key PIJ_pub = s_IJ·P, and calculates the private key SK_IJ = s_IJ*H(ID_IJ) corresponding to ID_IJ. The communication base station packs the information to obtain NTF-I-J = NTF||ID_i||ID_I||ID_IJ||SK_IJ||PIJ_pub. The communication base station takes the issuing time for node ID_ij from the issuing-time backup of node ID_i and, by restoring the key pool of node ID_i, obtains the public/private key pair PKH_ij/SKH_ij that node ID_i uses to communicate with node ID_ij. The communication base station signs NTF-I-J with SKH_ij using the ID-cryptography-based signature to obtain SIG-I-J = SIG(NTF-I-J, SKH_ij), and takes NTF-I-J||SIG-I-J as the message content NTF_sensor. The communication base station calculates the public key PK_ij = H(ID_ij) of node ID_ij from the node's identity number ID_ij. Using the private key of node ID_i and the public key of node ID_ij, it calculates K_HS. The communication base station obtains a timestamp T1 and applies the message authentication algorithm to the timestamp with K_HS to obtain K1 = MAC(T1, K_HS).
The communication base station encrypts NTF_sensor with the key K1 to obtain {NTF_sensor}K1. The communication base station packs the message to obtain NTF-i-j = ID_ij||ID_i||T1||{NTF_sensor}K1||MAC(ID_ij||ID_i||T1||{NTF_sensor}K1, K1).
The communication base station extracts the key KBI from the key pool of node ID_I using the timestamp T1; for the specific generation procedure, see step S11 above. The communication base station encrypts NTF-i-j||TNTF with the key KBI to obtain {NTF-i-j||TNTF}KBI and calculates the message authentication code over ID_0, T1 and NTF-i-j||TNTF to obtain MAC(ID_0||T1||NTF-i-j||TNTF, KBI). The communication base station packs the message to obtain ID_0||T1||{NTF-i-j||TNTF}KBI||MAC(ID_0||T1||NTF-i-j||TNTF, KBI) and sends it to the new cluster head node ID_I.
After receiving the message, the new cluster head node ID_I takes KBI out of its local key pool in the same way according to the timestamp T1 in the message, and decrypts and authenticates the message with KBI to obtain NTF-i-j and TNTF; see step S11 for details. Cluster head node ID_I uses the time TNTF to calculate the system public/private key pair and the communication public/private key pair for node ID_IJ. At the same time, cluster head node ID_I sends NTF-i-j to sensor node ID_ij.
After receiving NTF-i-j, sensor node ID_ij calculates the public key PKH_ij = H(ID_i) of node ID_i from the identity number of the old cluster head node ID_i, takes out its private key SK_ij and calculates K_SH, where K_HS = K_SH. Node ID_ij applies the message authentication algorithm with K_SH to the timestamp T1 to obtain K1' = MAC(T1, K_SH). Node ID_ij decrypts the message NTF-i-j with the key K1' and verifies the message; see step S21 for the specific flow. Node ID_ij updates its own identity number to ID_IJ, its parent node to ID_I, its public/private key pair to PK_IJ/SK_IJ, and the system public key to PIJ_pub, and sends the update message to cluster head node ID_I in the manner of step S22. After receiving it, cluster head node ID_I confirms that sensor node ID_IJ is its child node and sends the update message of ID_IJ to the communication base station by the method in step S12. After the communication base station confirms the message, it stores the issuing time corresponding to ID_IJ.
S4, updating a key pool of the lower node (updating the key pool corresponding to the layer 1 cluster head node according to a key pool updating method);
Wherein S4 comprises the steps of:
In this embodiment, a key pool update process is implemented for a cluster head node, so that the cluster head node actively updates its own identity and its corresponding key pool to improve security. Let the identity number of the cluster head node whose key pool is updated in this embodiment be ID_i, and let ID_ij be the identity number of a child node of that cluster head node.
Cluster head node ID_i generates the request content NTFH for updating the key pool and obtains the timestamp THTFH. It sends a key pool update request to the communication base station by the method in step S12.
After decrypting and authenticating the message, the communication base station generates a new layer 1 identity number ID_I and calculates a new replacement key KR_I from ID_I. The new identity number ID_I and the new replacement key KR_I are added to the message content and sent encrypted to cluster head node ID_i in the manner of step S11. Cluster head node ID_i decrypts and authenticates the message.
Cluster head node ID_i obtains the new identity number ID_I and the new replacement key KR_I. Using the original replacement key KR_i and the symmetric cryptographic algorithm in the security chip, cluster head node ID_i restores the key pool in the node segment by segment and re-encrypts each segment with the new replacement key KR_I. Each re-encrypted key segment is output to the corresponding position of the key pool storage area of cluster head node ID_i, overwriting the old segment. The specific flow is as follows:
1) ID_i takes a key segment K-i out of the key pool and inputs it into the security chip;
2) K-i is decrypted with KR_i to obtain the key KA, which is equal to the key at the corresponding position of the communication base station's key pool;
3) KA is encrypted with KR_I to obtain K-I;
4) K-I is output from the security chip and becomes a key segment of the key pool.
Cluster head node ID_i updates its replacement key to KR_I and its identity number to ID_I. The cluster head node then needs to update the identities and public/private key pairs of its child nodes in the same way as in step S3.
According to another aspect of the present invention, as shown in fig. 3-4, a wireless sensor network communication system based on a hierarchical symmetric key pool is provided, the system including a plurality of layers of nodes, such as a layer 0 node, a layer 1 node, a layer 2 node, and the like. The layer 0 is a communication base station of the wireless sensor network, the layer 1 node is a cluster head node, and the layer 2 node is a sensor node.
In the invention, which is based on a symmetric key pool with a layered structure, the layer 0 node holds the layer 0 key pool and a replacement key KR_0. The implementation scenario of the invention is wireless sensor network communication under a communication base station. There is only one layer 0 node, the communication base station, which also serves as the group manager of the wireless sensor network. The base station holds the original key pool and a replacement key; the original key pool is generated from true random numbers. Layer 1 has a plurality of cluster head nodes; each cluster head node has its own unique key pool and replacement key, and the key pool of each node is calculated from the original key pool using the replacement key that node owns. Layer 2 has a plurality of sensor nodes. The replacement key of a layer 1 node, i.e. a cluster head node, is calculated from the node's identity number using the replacement key of the layer 0 communication base station. Let the identity number (ID) of the i-th layer 1 node be ID_i and the replacement key of the communication base station be KR_0. The node replacement key KR_i = FKRID(ID_i, KR_0) is obtained by applying the replacement key KR_0 to ID_i, where FKRID is an irreversible function, preferably a message authentication code (MAC) function or a hash function.
The replacement keys of the layer 0 and layer 1 nodes are stored in a local secure memory chip, such as a TPM/TCM, which has an anti-disassembly function, so the keys cannot be obtained. Because the FKRID function is located in the security chip and has no output interface, its calculation result, i.e. the lower-level replacement key derived from a replacement key, cannot be obtained either (except on the layer 0 node, because the administrator of the layer 0 node holds the PIN codes of all the secure memory chips and can perform key import and export operations). The layer 2 sensor nodes are limited by power consumption, memory capacity and cost and do not have a security chip.
The key replacement formula is KRS = FKR(K, KR), where FKR is a reversible function, preferably a symmetric encryption function, and KRS has the same length as K.
The procedure for replacing the key pool for a layer 1 node is as follows. Split the layer 0 key pool evenly into multiple key segments and let the n-th segment be K_n. For layer 1 node ID_i, calculate KRS_ni = FKR(K_n, KR_i) using the key replacement formula and replace K_n with KRS_ni. After the replacement is completed, the key pool of layer 1 node ID_i is obtained, equal in length to the layer 0 key pool. In summary, the key pool of a layer 1 node is obtained by a combined operation on the node's replacement key and the key pool of its parent node, namely the layer 0 key pool. By analogy, the key pool of each layer 1 node can be calculated from the replacement key of that node.
The invention adopts an algorithm system based on ID cryptography. The algorithm parameters are as follows, wherein q is a large prime number, G_1 and G_2 are respectively an additive cyclic group and a multiplicative cyclic group of order q, the mapping G_1×G_1→G_2 is a bilinear map, P is a generator randomly selected in G_1, H is a hash function defined as {0,1}^*→G_1^*, and ad_paras denotes the other system parameters of the algorithm. The communication base station distributes the algorithm parameters to the respective cluster head nodes and sensor nodes.
The cluster head node generates a pair of system public and private keys for each child node subordinate to it. When a cluster head node issues public and private keys for a certain sensor node, the cluster head node acquires the current issuing time T and uses T to take a random number of the corresponding size from the key pool. Let the obtained random number be s, with s ∈ Z_q^*. The random number s is calculated as follows:
The initial position pointer of the random number s is calculated as Ps = FPK(T) mod KPL, where mod denotes the modulo operation. The step lengths are calculated in sequence: Ls_1 = FLK(Ps||T), Ls_2 = FLK(Ls_1||T), Ls_3 = FLK(Ls_2||T), …, Ls_N = FLK(Ls_{N-1}||T). The functions FPK and FLK are arbitrary specified functions. The pointers for extracting the random code are then calculated in turn: Ps_1 = Ps + Ls_1 mod KPL, Ps_2 = Ps_1 + Ls_2 mod KPL, …, Ps_N = Ps_{N-1} + Ls_N mod KPL. Ps_1 points to the start position of the random number s, i.e. its first bit, Ps_2 points to the second bit of s, and so on. The N bits of random number data at the corresponding positions are taken out of the key pool in sequence according to Ps_1, Ps_2, …, Ps_N. If the key pool size KPL is exceeded, the pointer returns to the head of the key pool by taking the value modulo KPL.
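The following is an added example, not code from the patent: it runs the S12 exchange, the S4 segment re-encryption, KR_i = FKRID(ID_i, KR_0), KRS_ni = FKR(K_n, KR_i) and the pointer-and-step bit extraction together. Assumptions: HMAC-SHA256 stands in for FKRID and the MAC, SHA-256 for FPK and FLK, an HMAC keystream XOR for FKR and for message encryption (with a per-segment label the patent does not specify), the key extraction of S11 is taken to be the same pointer-and-step method, and all IDs, keys and the pool are constructed values.

```python
import hashlib
import hmac

SEG = 32  # key pool segment length in bytes (assumed)


def _h64(label: bytes, data: bytes) -> int:
    """Stand-in for the 'arbitrary specified functions' FPK and FLK."""
    return int.from_bytes(hashlib.sha256(label + data).digest()[:8], "big")


def _mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def fkrid(node_id: bytes, kr_parent: bytes) -> bytes:
    """FKRID: irreversible, KR_i = FKRID(ID_i, KR_0). HMAC-SHA256 assumed."""
    return _mac(kr_parent, node_id)


def fkr(data: bytes, key: bytes, label: bytes) -> bytes:
    """FKR stand-in: reversible and length-preserving (XOR with an HMAC
    keystream), so the same call encrypts and decrypts. The label keeps
    the keystreams of different segments and messages distinct."""
    stream, ctr = b"", 0
    while len(stream) < len(data):
        stream += _mac(key, label + ctr.to_bytes(4, "big"))
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def _segments(pool: bytes):
    return [(n, pool[o:o + SEG]) for n, o in enumerate(range(0, len(pool), SEG))]


def derive_pool(pool0: bytes, kr_i: bytes) -> bytes:
    """Layer 1 pool: every layer 0 segment K_n replaced by FKR(K_n, KR_i)."""
    return b"".join(fkr(k_n, kr_i, n.to_bytes(4, "big")) for n, k_n in _segments(pool0))


def rekey_pool(pool_i: bytes, kr_old: bytes, kr_new: bytes) -> bytes:
    """S4 steps 1-4: per segment, decrypt with KR_i to KA, re-encrypt with KR_I."""
    out = []
    for n, seg in _segments(pool_i):
        ka = fkr(seg, kr_old, n.to_bytes(4, "big"))        # equals the layer 0 segment
        out.append(fkr(ka, kr_new, n.to_bytes(4, "big")))  # K-I, overwrites K-i
    return b"".join(out)


def extract_key(pool: bytes, t: bytes, nbits: int) -> bytes:
    """Pick nbits from the pool, one bit per pointer, driven by timestamp T."""
    kpl = len(pool) * 8              # KPL, pool size in bits
    ptr = _h64(b"FPK", t) % kpl      # Ps = FPK(T) mod KPL
    step, acc = ptr, 0
    for _ in range(nbits):
        step = _h64(b"FLK", step.to_bytes(8, "big") + t)  # Ls_k = FLK(Ls_{k-1}||T)
        ptr = (ptr + step) % kpl     # Ps_k, wraps to the pool head
        acc = (acc << 1) | ((pool[ptr // 8] >> (7 - ptr % 8)) & 1)
    return acc.to_bytes((nbits + 7) // 8, "big")


def seal(sender_id: bytes, t: bytes, ntf: bytes, pool: bytes):
    """Sender side of S12: ID_B, TNTFB, {NTFB}KTB, MAC(ID_B||TNTFB||NTFB, KTB)."""
    k = extract_key(pool, t, 256)
    return sender_id, t, fkr(ntf, k, b"msg"), _mac(k, sender_id + t + ntf)


def open_msg(msg, pool: bytes):
    """Receiver side: same key from the same pool and T; decrypt, then compare MACs."""
    sender_id, t, ct, tag = msg
    k = extract_key(pool, t, 256)
    ntf = fkr(ct, k, b"msg")
    ok = hmac.compare_digest(tag, _mac(k, sender_id + t + ntf))
    return ntf if ok else None


def demo():
    # Constructed values; a real layer 0 pool is true random data.
    pool0 = hashlib.shake_256(b"constructed layer 0 pool").digest(1024)
    kr0 = b"constructed KR_0"
    id_i, id_new = b"CH01", b"CH7A"      # fixed 4-byte IDs, 8-byte timestamps
    kr_i, kr_new = fkrid(id_i, kr0), fkrid(id_new, kr0)
    pool_i = derive_pool(pool0, kr_i)    # what the cluster head stores

    t = (1700000000).to_bytes(8, "big")
    msg = seal(id_i, t, b"battery low", pool_i)
    # The base station holds pool0 and KR_0 and rebuilds the sender's pool from its ID.
    received = open_msg(msg, derive_pool(pool0, fkrid(msg[0], kr0)))
    forged = (msg[0], msg[1], bytes([msg[2][0] ^ 1]) + msg[2][1:], msg[3])
    rejected = open_msg(forged, pool_i) is None

    # S4: the re-encrypted pool must equal the pool derived directly under KR_I.
    rekeyed = rekey_pool(pool_i, kr_i, kr_new)
    return received, rejected, rekeyed == derive_pool(pool0, kr_new)


if __name__ == "__main__":
    print(demo())
```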
The random number s is used as the system private key, i.e. the system master key, of the corresponding sensor node, and the system public key is calculated from the system master key as P_pub = s·P. From the system public and private keys, the public/private key pair of the sensor node can be calculated as PK_sensor = H(ID_sensor) and SK_sensor = s*PK_sensor, where PK_sensor is the public key of the sensor node and SK_sensor is its private key. The sensor node stores the public/private key pair, the system public key and the algorithm parameters in its memory, where they are lost on power failure. The cluster head node also calculates the public key PK_head = H(ID_head) and the private key SK_head = s*PK_head corresponding to the sensor node.
In the wireless sensor network communication system based on the layered symmetric key pool, if a plurality of sub-nodes, namely a plurality of sensor nodes, exist under one cluster head node, the cluster head node can execute the key issuing flow for a plurality of times. Meanwhile, the cluster head node can store the issuing time and algorithm parameters for generating the public and private keys of the system in the security chip and backup the issuing time and algorithm parameters to the communication base station. After the cluster head node or the sensor node is captured, an adversary can acquire a key pool of the node, but cannot acquire related issuing time, algorithm parameters and public and private keys. Because the system master keys corresponding to each sensor node are different, the security of the algorithm system, the cluster head node and the child nodes thereof is not affected even if one of the system master keys is cracked.
In summary, by means of the above technical solution, the present invention combines the symmetric key pool with the replacement key and thereby further enhances the security of using a symmetric key pool in the group communication scenario, so that even in the extreme case where the symmetric key pool of a certain subgroup is cracked, the security of group communication based on the symmetric key pool can still be ensured. Since the group is divided into a plurality of subgroups, when the key pool of one subgroup is cracked, the other subgroups have different key pools, so their security is not affected; and when the key pool of one subgroup is cracked, the key pool of the group administrator cannot be deduced because of the protection of the replacement key, so its security is not affected either. In addition, the key extraction method based on the symmetric key pool first generates a replaced key pool using the replacement key and then takes a number of key bits out of the key pool one by one using a different step length each time. Where the symmetric key pool is shared by group members, the key extraction pattern is not known to the group members, so privacy is high. In addition, the key pool update method can update the key pool by transmitting only a small amount of key material; the key update scheme has a small key transmission volume and is easy to implement. In addition, in the group communication system based on the key pool, the members holding the group key pool are classified by level, and different levels have different protection measures and different key pools.
Members of an important level are well protected and not easily captured, while members of an unimportant level are relatively poorly protected; but because their key pool is obtained by encrypting the key pool of the important-level member, its capture has little impact and does not cause the whole group communication system to fail.
The technical features of the above-described embodiments may be arbitrarily combined, and all possible combinations of the technical features in the above-described embodiments are not described for brevity of description, however, as long as there is no contradiction between the combinations of the technical features, they should be considered as the scope of the description.
The above examples illustrate only a few embodiments of the invention, which are described in detail and are not to be construed as limiting the scope of the invention. It should be noted that it will be apparent to those skilled in the art that several variations and modifications can be made without departing from the spirit of the invention, which are all within the scope of the invention. Accordingly, the scope of protection of the present invention is to be determined by the appended claims.

Claims (8)

1. A wireless sensor network communication method based on a hierarchical symmetric key pool, characterized in that the method comprises the following steps:
S1, using a group communication method to implement upper layer group communication between a layer 0 communication base station and a layer 1 cluster head node;
S2, using the group communication method to implement lower layer group communication between the layer 1 cluster head node and the layer 2 sensor nodes under normal circumstances;
S3, using the group communication method to implement lower layer group communication between the layer 1 cluster head node and the layer 2 sensor nodes in the case of cluster head node failure;
wherein S3, implementing the lower layer group communication between the layer 1 cluster head node and the layer 2 sensor nodes in the case of cluster head node failure by the group communication method, comprises the following steps:
S31, the layer 0 communication base station announces that the parent node of the layer 2 sensor node ID_ij is changed to ID_I, calculates the replacement key and key pool of the new layer 1 cluster head node, and likewise calculates the replacement key and key pool of the original layer 1 cluster head node;
S32, the layer 0 communication base station takes out the new system private key and the new system public key corresponding to the original layer 2 sensor node ID_ij and calculates the private key corresponding to the new layer 2 sensor node ID_IJ; the layer 0 communication base station packages the information to obtain first packaged information and restores the public and private keys with which the original layer 1 cluster head node ID_i communicates with the original layer 2 sensor node ID_ij; at the same time, the layer 0 communication base station calculates a second key;
S33, the layer 0 communication base station uses the second key to apply a symmetric encryption algorithm to a message carrying the first packaged information and a signature of the first packaged information, and packages the resulting message to obtain second packaged information;
S34, the layer 0 communication base station takes a key out of the key pool of the new layer 1 cluster head node ID_I and uses the key to calculate a message authentication code; at the same time, the layer 0 communication base station packages the message again to obtain third packaged information and sends it to the new layer 1 cluster head node ID_I;
S35, the new layer 1 cluster head node ID_I receives the third packaged information and decrypts and authenticates it; at the same time, the new layer 1 cluster head node ID_I sends the second packaged information to the original layer 2 sensor node ID_ij;
S36, the original layer 2 sensor node ID_ij receives the second packaged information and calculates a third key; the original layer 2 sensor node ID_ij uses the third key to decrypt the second packaged information and verify the message; after verification passes, the original layer 2 sensor node ID_ij updates its own identity number to ID_IJ and its parent node to ID_I, updates its public and private keys and the system public key, and then sends a message reporting the successful update to the new layer 1 cluster head node ID_I; after receiving it, the new layer 1 cluster head node ID_I confirms that the new layer 2 sensor node ID_IJ is its child node and sends the message reporting the successful update to the layer 0 communication base station; after the layer 0 communication base station confirms the message, it stores the issuing time corresponding to the new layer 2 sensor node ID_IJ;
S4, updating the key pool corresponding to the layer 1 cluster head node according to a key pool updating method;
wherein S4, updating the key pool corresponding to the layer 1 cluster head node according to the key pool updating method, comprises the following steps:
S41, the original layer 1 cluster head node ID_i generates the request content for updating the key pool, obtains the corresponding timestamp, and sends a key pool update request to the layer 0 communication base station;
S42, after decrypting and authenticating the message, the layer 0 communication base station generates a new identity number ID_I for the layer 1 cluster head node ID_i and calculates a new replacement key, adds the new layer 1 cluster head node identity number ID_I and the new replacement key to the message content, and sends it encrypted to the original layer 1 cluster head node ID_i; the original layer 1 cluster head node ID_i decrypts and authenticates the message;
S43, the original layer 1 cluster head node ID_i obtains the new identity number ID_I and the new replacement key, uses the original replacement key and the symmetric cryptographic algorithm in the security chip to restore the key pool in the node segment by segment and encrypts it with the new replacement key, and the re-encrypted key segments are output to the corresponding positions of the key pool storage area of the original layer 1 cluster head node ID_i for overwriting storage;
S44, the original layer 1 cluster head node ID_i updates the replacement key and updates its identity number to ID_I, and at the same time updates the identities and public/private key pairs of its child nodes;
wherein, when the cluster head node issues the system public and private keys for the sensor node, it obtains the current issuing time, uses the issuing time to take a random number of the corresponding size from the key pool of the layer 1 cluster head node, and uses the random number as the system private key corresponding to the sensor node; the system public key is calculated from the system private key, and the private key of the sensor node can also be calculated from the system private key; the public and private keys, the system public and private keys and the algorithm parameters are all stored in the memory of the sensor node and are lost on power failure; likewise, the public key of the cluster head node and the private key corresponding to the sensor node are calculated.

2. The wireless sensor network communication method based on a hierarchical symmetric key pool according to claim 1, characterized in that S1, using the group communication method to implement upper layer group communication between the layer 0 communication base station and the layer 1 cluster head node, comprises the following steps:
S11, the layer 0 communication base station initiates communication to the layer 1 cluster head node using the group communication method;
S12, the layer 1 cluster head node initiates communication to the layer 0 communication base station using the group communication method.

3. The wireless sensor network communication method based on a hierarchical symmetric key pool according to claim 2, characterized in that, in S11, the layer 0 communication base station initiating communication to the layer 1 cluster head node using the group communication method specifically comprises the following steps:
S111, generating a first timestamp for the message sent by the layer 0 communication base station, and calculating, by the layer 0 communication base station, the key pool of the layer 1 cluster head node;
S112, the layer 0 communication base station takes a key out of the key pool of the layer 1 cluster head node;
S113, after taking out the key, the layer 0 communication base station uses the key to encrypt the message sent by the layer 0 communication base station to obtain a first encrypted message, uses the key to calculate a first message authentication code over the identity number of the layer 0 communication base station, the first timestamp and the message sent by the layer 0 communication base station, and sends the first encrypted message, the first message authentication code, the identity number of the layer 0 communication base station and the first timestamp together to the layer 1 cluster head node;
S114, after receiving the information, the layer 1 cluster head node takes the key out of its own key pool for decryption, uses the key to calculate the message authentication code over the identity number of the layer 0 communication base station, the first timestamp and the message sent by the layer 0 communication base station, and compares it with the received first message authentication code for verification.

4. The wireless sensor network communication method based on a hierarchical symmetric key pool according to claim 3, characterized in that taking out the key in S112 comprises the following steps:
S1121, calculating the initial position pointer of the key, and calculating the step lengths in sequence;
S1122, calculating in sequence the pointers for extracting the random code, obtaining a plurality of pointers for extracting the random code;
S1123, taking out of the key pool in sequence, according to the plurality of pointers for extracting the random code, a number of bits of key data at the corresponding positions;
S1124, if the key pool size is exceeded, returning to the head of the key pool by taking the value modulo the key pool length.

5. The wireless sensor network communication method based on a hierarchical symmetric key pool according to claim 1, characterized in that S2, using the group communication method to implement lower layer group communication between the layer 1 cluster head node and the layer 2 sensor nodes under normal circumstances, comprises the following steps:
S21, the layer 1 cluster head node initiates private communication to the layer 2 sensor node using the group communication method;
S22, the layer 2 sensor node initiates private communication to the layer 1 cluster head node using the group communication method.

6. The wireless sensor network communication method based on a hierarchical symmetric key pool according to claim 5, characterized in that, in S21, the layer 1 cluster head node initiating private communication to the layer 2 sensor node using the group communication method comprises the following steps:
S211, the layer 1 cluster head node calculates a first key;
S212, the layer 1 cluster head node sends the identity information to be authenticated to the layer 2 sensor node;
S213, the layer 2 sensor node receives the identity information to be authenticated and verifies it; after verification passes, the layer 2 sensor node trusts the identity of the layer 1 cluster head node and the message sent by the layer 1 cluster head node.

7. The wireless sensor network communication method based on a hierarchical symmetric key pool according to claim 1, characterized in that, in S43, outputting the re-encrypted key segments to the corresponding positions of the key pool storage area of the original layer 1 cluster head node ID_i for overwriting storage comprises the following steps:
S431, the original layer 1 cluster head node ID_i takes a key segment out of the key pool and inputs it into the security chip;
S432, decrypting the key segment with the original replacement key to obtain a key equal to the key at the corresponding position of the communication base station's key pool;
S433, encrypting, with the new replacement key, the key equal to the key at the corresponding position of the communication base station's key pool;
S434, outputting the encrypted key to the security chip to become a key segment of the key pool.

8. 
A wireless sensor network communication system based on a hierarchical symmetric key pool, used to implement the steps of the wireless sensor network communication method based on a hierarchical symmetric key pool described in any one of claims 1 to 7, characterized in that the system comprises a multi-layer node of a layer 0 node, a layer 1 node and a layer 2 node, wherein the layer 0 node is a communication base station of the wireless sensor network, the layer 1 node is a cluster head node, and the layer 2 node is a sensor node; 其中,第0层节点拥有第0层密钥池及相应的替换密钥,第1层节点设置有多个簇头节点,每个所述簇头节点均拥有各自特有的密钥池及相应的替换密钥,且每个所述簇头节点的密钥池均由第0层密钥池通过个节点所拥有的替换密钥计算得到,所述簇头节点的替换密钥由第0层节点的替换密钥对各自节点的身份编号计算得到,第0层节点和第1层节点的替换密钥存储于本地安全储存芯片中,第2层节点设置有多个传感器节点。Among them, the 0th layer node has a 0th layer key pool and a corresponding replacement key, the 1st layer node is provided with multiple cluster head nodes, each of the cluster head nodes has its own unique key pool and corresponding replacement key, and the key pool of each cluster head node is calculated from the 0th layer key pool through the replacement key owned by each node, the replacement key of the cluster head node is calculated from the replacement key of the 0th layer node to the identity number of each node, the replacement keys of the 0th layer node and the 1st layer node are stored in a local secure storage chip, and the 2nd layer node is provided with multiple sensor nodes.
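The key extraction of claim 4 (S1121 to S1124) and the message authentication code handling of claim 3 (S113, S114) can be sketched as follows. This is an added example, not code from the patent. Assumptions: the pointer and step lengths are derived from a SHA-256 hash of the sender ID and timestamp, data is read in bytes rather than bits, HMAC-SHA256 is the MAC, a freshness window is applied to the timestamp, and the encryption step is left out because the claims name no cipher.

```python
import hashlib
import hmac

# Constructed sample pool standing in for a layer 1 cluster head's key pool.
POOL = hashlib.shake_256(b"constructed demo key pool").digest(1024)

def extract_key(pool: bytes, seed: bytes, chunks: int = 16, chunk_len: int = 2) -> bytes:
    """S1121-S1124: walk the pool with a pointer and per-chunk steps, wrapping by modulo."""
    digest = hashlib.sha256(seed).digest()  # assumption: pointer and steps derive from a hash
    pointer = int.from_bytes(digest[:4], "big") % len(pool)  # S1121: initial position pointer
    key = bytearray()
    for i in range(chunks):
        # S1123/S1124: read at the pointer; indices past the end wrap to the pool head.
        key += bytes(pool[(pointer + j) % len(pool)] for j in range(chunk_len))
        step = 1 + digest[4 + i % 28]           # S1121: next step length (assumed rule)
        pointer = (pointer + step) % len(pool)  # S1122: next extraction pointer
    return bytes(key)

def _mac_input(*fields: bytes) -> bytes:
    # Length-prefix each field so ID, timestamp and message cannot be re-split ambiguously.
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)

def make_packet(pool: bytes, sender_id: bytes, timestamp: int, message: bytes):
    """S113 without the encryption step: MAC over ID, timestamp and message."""
    ts = timestamp.to_bytes(8, "big")
    key = extract_key(pool, sender_id + ts)
    tag = hmac.new(key, _mac_input(sender_id, ts, message), hashlib.sha256).digest()
    return sender_id, ts, message, tag

def verify_packet(pool: bytes, packet, now: int, max_skew: int = 30) -> bool:
    """S114: re-derive the key, recompute the MAC, compare in constant time."""
    sender_id, ts, message, tag = packet
    if abs(now - int.from_bytes(ts, "big")) > max_skew:  # assumed freshness window
        return False
    key = extract_key(pool, sender_id + ts)
    expected = hmac.new(key, _mac_input(sender_id, ts, message), hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)

if __name__ == "__main__":
    pkt = make_packet(POOL, b"BS0", 1_700_000_000, b"report interval=60")
    print(verify_packet(POOL, pkt, now=1_700_000_010))
```

Because the timestamp feeds both the key selection and the MAC input, a packet replayed with an altered timestamp selects a different key and fails verification, while an unaltered replay is only stopped by the receiver's freshness window.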
CN202011204484.3A 2020-11-02 2020-11-02 Wireless sensor network communication method and system based on hierarchical symmetric key pool Active CN114531663B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011204484.3A CN114531663B (en) 2020-11-02 2020-11-02 Wireless sensor network communication method and system based on hierarchical symmetric key pool

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011204484.3A CN114531663B (en) 2020-11-02 2020-11-02 Wireless sensor network communication method and system based on hierarchical symmetric key pool

Publications (2)

Publication Number Publication Date
CN114531663A CN114531663A (en) 2022-05-24
CN114531663B true CN114531663B (en) 2025-07-01

Family

ID=81619362

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011204484.3A Active CN114531663B (en) 2020-11-02 2020-11-02 Wireless sensor network communication method and system based on hierarchical symmetric key pool

Country Status (1)

Country Link
CN (1) CN114531663B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102013975A (en) * 2010-06-29 2011-04-13 北京飞天诚信科技有限公司 Secret key management method and system
CN108880814A (en) * 2018-06-28 2018-11-23 西安理工大学 A kind of dynamic cluster wireless sensor network key management method

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9137012B2 (en) * 2006-02-03 2015-09-15 Emc Corporation Wireless authentication methods and apparatus
CN101652956B (en) * 2007-04-05 2013-08-21 皇家飞利浦电子股份有限公司 Wireless sensor network key distribution
WO2009145733A1 (en) * 2008-05-28 2009-12-03 Agency For Science, Technology And Research Authentication and key establishment in wireless sensor networks
CN104038936B (en) * 2014-06-04 2017-04-05 东南大学 A kind of key management method in layering wireless sensor network
CN106131829B (en) * 2016-07-18 2019-03-05 黑龙江大学 Modified method for distributing key in a kind of large size layer-stepping wireless sensor network

Also Published As

Publication number Publication date
CN114531663A (en) 2022-05-24

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant