ISBN: 978-1-60595-578-0
ABSTRACT
In order to solve the security problems in the existing self-healing group
key distribution strategies, this paper proposes a new mutual healing group
key distribution scheme. Based on the access polynomials, this scheme can
hide the keys by using hash function and enable the communication group
nodes to restore the lost session keys through the use of broadcasting
messages and private keys. Besides, this scheme can restore the key of the last
session with the help of neighbor nodes, which is impossible for the self-healing
key distribution scheme. Analytical results show that the proposed scheme can
guarantee forward and backward security and resist the collusion attack,
which makes it suitable for WSN.
1. INTRODUCTION
Wireless sensor networks (WSNs) have been widely used in all areas of our
lives, and their security is becoming more and more important. Compared with
wired networks, a WSN uses different communication protocols and thus has
different characteristics: decentralized nodes, limited resources, self-organized
network, variable network topology, limited transmission range, multiple-hop
routing, vulnerable security, large scale, weak controllability, etc. It is because
of these characteristics that WSN faces security threats. Packet loss is an
inevitable problem in wireless network communication, where key update
messages may not reach a specified node[1]. Therefore, the node cannot
participate in group communication normally. The most straightforward
solution is to require the Group Manager (GM) to retransmit the unreached
message. But the consequence is that the network traffic becomes heavier, more
communication resources are occupied, and network congestion may even be
caused.
1 College of Information Technology, No. 20 Road East. 2nd Ring South, Shijiazhuang, Hebei, China
2 Key Laboratory of Network and Information Security of Hebei Province, No.20 Road East. 2nd Ring South, Shijiazhuang, Hebei, China
* Corresponding author, wangcg@mail.hebtu.edu.cn
Staddon et al. proposed a self-healing group key distribution scheme which
could partly solve the above problems caused by the unreliability of WSN. It was
the first time that the method of self-healing group key distribution was
proposed. In this mechanism, redundant information is added to the
broadcasted messages by GM, so the node that loses the session key can
recover it from the redundant information, while not requiring GM to
retransmit it. Accordingly, the network traffic is lowered and the risk of traffic
analysis is reduced.
Blundo et al. proposed an SGKD (Self-healing Group Key Distribution)
scheme, in which less node memory is needed, the self-healing mechanism is
improved, and the lost session key can be recovered from the broadcast.
Based on access polynomials, Dutta[2] et al. proposed a self-healing group key
distribution scheme, in which the storage overhead is reduced to a constant
because the secret polynomials are constant. However, it also brings about some
security issues[3]. Recently, several self-healing group key distribution
schemes based on single hash chains have been proposed one after another, but most
of these schemes cannot resist the collusion attack[4-6].
Wang[7] et al. proposed a self-healing group key distribution scheme based
on access polynomials. However, it has been shown that revoked nodes in this
scheme can restore the session key by conspiracy; that is, the scheme does not
meet the forward security requirement[8].
Furthermore, if a node does not receive the last key update package,
the key cannot be repaired through the known self-healing group key
distribution schemes. The mutual-healing group key distribution scheme
proposed by Tian[9] et al. solves this problem well. With the help of neighbor
nodes, mutual aided repairing is achieved after the last key
update has been lost. The node itself is responsible for self-healing the keys lost before
the last session. This scheme, however, can only play a role in fixed sensor
networks. It cannot complete the mutual repairing for WSN nodes.
Some other key distribution solutions[10] have been proposed, but each
has certain security problems and limited efficiency.
This paper proposes a mutual-healing group key distribution scheme based
on the self-healing group key distribution scheme of access polynomials,
which is suitable for WSN.
2. BASIC MODEL
The basic network model, security model and symbol settings will be
introduced first. Symbols and notations are described in Table I.
Network Model
TABLE I. Notations.
Parameters Denotations
GM Group manager
G Session set
m Maximum number of sessions supported
Security Model
nodes in and before session j (|R|≤t). If each node belonging to R cannot get
the session key Kj, even by collusion, the scheme has t-forward secrecy.
Definition 5 (t-backward secrecy) J represents the set of all new nodes
added after session j (|J|≤t). If each node belonging to J cannot get the session
key Kj1 (1≤j1≤j), even by collusion, the scheme has t-backward secrecy.
Definition 6 (t-collusion resistance) Let Rj1 represent the set of nodes
revoked in and before session j1, and Jj2 represent the set of nodes added after
the session j2 (j1≤j≤j2). If the nodes in Rj1 and Jj2 cannot obtain the key Kj of
session j by collusion, the scheme has t-collusion resistance.
Workflow
[Figure: workflow diagram. Labels: Initialization, Key update, Session k1, Session k2, Session k3, ……, kj]
Scheme Description
INITIALIZATION
GM selects a t-degree polynomial f(x)=a0+a1x+a2x^2+…+atx^t from the finite
field Fq (q is a large prime number) randomly. In order to ensure security, GM
choosesj( j[1,m])from the finite field randomly, and usesjf(si) to hide the
private key of the node. GM distributes the node's private key Si={si,jf(si)} to
the node Ui which is added in session j through a secure channel.
BROADCAST
Let G be the set of all legal nodes in the sessions, Gj represent the set of all
legal nodes in session j, Gj1 represent the set of nodes that join in session j1
and still exist in session j. Similarly, let R be the set of all revoked nodes in
and before session j, Rj represent the set of nodes revoked in session
j, 𝑅𝑖𝑗 represent the node with ID si revoked in session j, and J represent the set
of all new joining nodes after session j. The seed 𝑆1𝐹𝐵 is randomly selected
from the finite field Fq, and GM uses the hash function H(·) to generate a
hash chain with a length of m:
S1FB H (S1FB ) S2FB H 2 (S1FB ) S3FB H 3 (S1FB ) SmFB H m (S1FB ) (1)
Select k1 (0<j≤m) randomly from the finite field Fq as the hidden key of
session j, and we do the secret calculation for k1:
k2 k1 H (S1FB ) k3 k2 S2FB k2 H 2 (S1FB ) ….
j 1
k j k j 1 S FB
j 1 k j 1 H (S1FB ) (2)
Aj1 ( x) ( x j1 ) i 1j1 ( x si ) ( | G j | t 1 )
|G |
1
(4)
Where δi and θj1 are randomly selected from a finite field and cannot be used
for node identity.
If node Ui joins in session j1 and is still a legal node in session j, the above
polynomial can be calculated as Aj1(si)=0. If Ui is not a legal node in Gj1, the
result of Aj1(si) would be a random value.
Next, GM will perform calculation as follows:
S j1 ( x) (1 Aj1 ( x)) k j1 1 H j 1 (S1FB ) j1 f ( x) (5)
(6)
{Ek1 ( K1 ), Ek H ( S FB ) ( K 2 )...Ek H j1 ( S FB ) ( Ek j )
1 1 j 1 1
If node Ui is a legal node that joins in session j1 and still exists in session j,
then Aj1(si)=0.
k j1 k j1 1 H j 1 (S1FB ) S j1 (si ) j1 f (si ) (8)
If any node Ui loses the key update package of the last session m, it can
resort to the legal neighbor node Uj to fix it.
(1) Node Ui sends a request message to node Uj at time ti, indicating that it
needs to get the key update package of session m;
(2) After receiving the request message at time tj, the node Uj firstly judges
whether |tj-ti|≤Δt is true or false. If it is false, Uj will not reply to the request
message. If it is true, it will send its ID j and broadcast message Bm to node Ui;
(3) Node Ui will use the formula (6), (7) and (8) to calculate the last
session key after it obtains the message from node Uj.
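The mutual-healing exchange in steps (1) to (3), together with the access-polynomial property Aj1(si)=0, as an added Python example that is not code from the paper. The masking form S(x) = (1 + A(x))·k + mask·f(x) is an assumption, because formula (5) is not legible on this page; B_m is modelled as the masked polynomial only, and all names, IDs, timestamps and the modulus are constructed.

```python
import secrets

Q = 2**61 - 1  # prime modulus, constructed for the demo

def poly_eval(coeffs, x):
    """Horner evaluation over F_q; coefficients are lowest degree first."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % Q
    return acc

def access_poly(theta, legal_ids):
    """Coefficients of A(x) = (x - theta) * prod_i (x - s_i)."""
    A = [(-theta) % Q, 1]
    for s in legal_ids:  # multiply the running product by (x - s)
        A = [((A[i - 1] if i else 0) - s * (A[i] if i < len(A) else 0)) % Q
             for i in range(len(A) + 1)]
    return A

def broadcast_poly(k, f, mask, theta, legal_ids):
    """GM side. Assumed masking form: S(x) = (1 + A(x))*k + mask*f(x)."""
    S = [a * k % Q for a in access_poly(theta, legal_ids)]
    S += [0] * (len(f) - len(S))
    S[0] = (S[0] + k) % Q
    return [(c + mask * f[i]) % Q if i < len(f) else c for i, c in enumerate(S)]

def recover(S, private_key):
    """Node side: k = S(s_i) - mask*f(s_i); correct only where A(s_i) = 0."""
    s_i, masked_share = private_key
    return (poly_eval(S, s_i) - masked_share) % Q

def neighbor_reply(t_i, t_j, delta_t, neighbor_id, B_m):
    """Step (2): reply with (ID, B_m) only if |t_j - t_i| <= delta_t."""
    if abs(t_j - t_i) > delta_t:
        return None
    return neighbor_id, B_m

def demo():
    f = [secrets.randbelow(Q) for _ in range(4)]          # degree t = 3
    mask, k_m = secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q - 1) + 1
    theta = 10**6 + secrets.randbelow(Q - 10**6)          # never equals a node ID
    ids = {"U1": 11, "U2": 22, "U3": 33, "revoked": 44}   # constructed IDs
    keys = {n: (s, mask * poly_eval(f, s) % Q) for n, s in ids.items()}
    B_m = broadcast_poly(k_m, f, mask, theta, [11, 22, 33])
    stale = neighbor_reply(100, 140, 30, ids["U2"], B_m)  # request too old: ignored
    _, forwarded = neighbor_reply(100, 110, 30, ids["U2"], B_m)
    return k_m, stale, recover(forwarded, keys["U1"]), recover(forwarded, keys["revoked"])

if __name__ == "__main__":
    print(demo())
```

The legal node U1 recovers k_m from the forwarded message with its own private key, while the revoked node obtains (1 + A(44))·k_m, which differs from k_m because A is non-zero at its ID.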
NODE JOINING
NODE REVOCATION
SECURITY ANALYSIS
t-REVOCATION
Assume that Ur∈R, where 0≤r≤t. For any Ur, as Aj1(x) is a random value,
kj1 cannot be recovered from the broadcast message. As a result, Kj cannot be
derived. Because f(x), which is chosen from a finite field, is a t-degree polynomial, if
the revoked nodes want to get Kj by collusion, at least t+1 nodes will be
needed. For 0≤r≤t, the scheme has the t-revocation function.
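The threshold argument above, carried through numerically as an added Python example that is not part of the paper: t+1 shares of a degree-t polynomial determine it by Lagrange interpolation, while t shares do not. It assumes all colluders hold shares masked with the same value; the modulus, node IDs and function names are constructed.

```python
import secrets

Q = 2**61 - 1  # prime modulus, constructed for the demo

def masked_share(f, mask, s):
    """Value mask*f(s) over F_q, the second half of a node's private key."""
    return mask * sum(c * pow(s, i, Q) for i, c in enumerate(f)) % Q

def interpolate_at(points, x):
    """Lagrange interpolation over F_q: evaluate at x the unique polynomial
    of degree < len(points) passing through the given (x_i, y_i) pairs."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % Q
                den = den * (xi - xj) % Q
        total = (total + yi * num * pow(den, -1, Q)) % Q
    return total

def collusion_demo(t=3, victim_id=99):
    # f has degree exactly t: the leading coefficient is forced non-zero.
    f = [secrets.randbelow(Q) for _ in range(t)] + [secrets.randbelow(Q - 1) + 1]
    mask = secrets.randbelow(Q - 1) + 1
    colluder_ids = list(range(1, t + 2))               # t+1 constructed node IDs
    shares = [(s, masked_share(f, mask, s)) for s in colluder_ids]
    target = masked_share(f, mask, victim_id)          # value the colluders want
    with_t_plus_1 = interpolate_at(shares, victim_id)  # t+1 colluders: exact
    with_t = interpolate_at(shares[:t], victim_id)     # t colluders: wrong
    # With only t shares, a wrong guess for the target is still consistent
    # with some polynomial of degree <= t through every share they hold.
    guess = (target + 1) % Q
    fits = all(interpolate_at(shares[:t] + [(victim_id, guess)], s) == y
               for s, y in shares[:t])
    return target, with_t_plus_1, with_t, fits

if __name__ == "__main__":
    print(collusion_demo())
```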
SELF-HEALING FUNCTION
If the legal nodes in any session group lose a session key, they can recover
the lost session key by performing Ek(·) with the broadcast message and the node
private key, instead of requiring GM to retransmit. The scheme thus has the self-healing function.
For any node Ui that has lost the key update packet of the last session m, it
can repair the last session key by the message which is sent by its neighbor
node. Therefore, this scheme has a mutual healing function.
t-FORWARD SECRECY
Forward secrecy requires that the nodes revoked in and before session j
cannot recover the key alone or by collusion. For the set of revoked nodes, if any
node Ur∈R and 0≤r≤t, Aj1(x) takes a random value. Thus, Ur cannot
get the information needed for key recovery. And as shown in Section 4.1,
the collusion of revoked nodes needs at least t+1 nodes to recover jf(x), so
the scheme has forward secrecy.
t-BACKWARD SECRECY
Backward secrecy requires that all new nodes joining after the session j
cannot recover the previous session key Kj1 even by collusion. For all nodes in
J(JU), j1f(x) must be recovered first in order to recover Kj1. Since f(x) is a
t-degree polynomial, at least t+1 nodes are needed. Because |J|≤t, j1f(x) cannot be
recovered through collusion, so the scheme is proved to ensure the backward
secrecy.
t-COLLUSION RESISTANCE
Let Rj1 indicate the set of nodes revoked before session j1, and Jj2 be the set of
nodes added after session j2. There exist j1<j2, |Rj1∪Jj2|≤t and Rj1∩Jj2=∅, so
the nodes in Rj1 and Jj2 cannot get Kj (j1<j<j2) even by collusion. Let Ui denote
the nodes joining in session j’, and Ur denote the nodes revoked in session j’’. For
j2<j’ and j’’<j1, Ui can get j’f(si), and Ur can get j’’f(si). As Ui and Ur belong to two
different sessions, they can obtain neither any information about f(x) nor
the key Kj by conspiracy. So this scheme has t-collusion resistance.
Storage overhead
TABLE II. COMPARISON OF THE STORAGE OVERHEAD OF EACH SCHEME.
Communication overhead
CONCLUSION
ACKNOWLEDGEMENTS
REFERENCES
[1] S. Agrawal, M. Das. Node revocation and key update protocol in wireless sensor
networks[C]// Proceedings of IEEE International Conference on Advanced Networks and
Telecommunications Systems. ANTS, 2016.
[2] R. Dutta. Access Polynomial Based Self-healing Key Distribution with Improved
Security and Performance[C]// International Conference on Security Aspects in
Information Technology. Springer-Verlag, 2011.
[3] H. Guo, Y. Zheng, X. Zhang, et al. Exponential Arithmetic Based Self-Healing Group
Key Distribution Scheme with Backward Secrecy under the Resource-Constrained
Wireless Networks[J]. Sensors, 2016, 16(5): 609.
[4] Q. Wang, H. Chen, L. Xie. One-way hash chain-based self-healing group key
distribution scheme with collusion resistance capability in wireless sensor networks[J].
Ad Hoc Networks, 2013, 11(8): 2500-2511.
[5] X. Sun, X. Wu, C. Huang, et al. Modified access polynomial based self-healing key
management schemes with broadcast authentication and enhanced collusion resistance in
wireless sensor networks[J]. Ad Hoc Networks, 2016, 37(2): 324-336.
[6] O. Cheikhrouhou. Secure Group Communication in Wireless Sensor Networks: A
Survey[J]. Journal of Network & Computer Applications, 2016, 61: 115-132.
[7] Q. Wang, H. Chen, L. Xie, et al. Access-polynomial-based self-healing group key
distribution scheme for resource-constrained wireless networks[J]. Security &
Communication Networks, 2012, 5(12): 1363-1374.
[8] H. Guo, Y. Zheng. On the Security of a Self-healing Group Key Distribution Scheme[J].
Wireless Personal Communications, 2016, 91(3): 1109-1121.
[9] B. Tian, S. Han, J. Hu, et al. A mutual-healing key distribution scheme in wireless sensor
networks[J]. Journal of Network and Computer Applications, 2011, 34(1): 80-88.
[10] S. Agrawal, M. L. Das. Mutual healing enabled group-key distribution
protocol in Wireless Sensor Networks[J]. Computer Communications, 2017, 112:
131-140.