JP5234307B2 - Encryption key update method, encryption key update apparatus, and encryption key update program - Google Patents

Description

  The present invention relates to an encryption key management method necessary for implementing secure network communication in a network that uses an encryption key and performs communication using a plurality of communication devices, and particularly focuses on a key update method. The present invention relates to an encryption key update method, an encryption key update device, and an encryption key update program.

In network communication that uses an encryption key and performs communication using multiple communication devices, a network that uses a large number of sensor-equipped wireless communication devices (nodes) is generally called a sensor network and is located within the measurement target area. This is a system that collects information acquired by a node by wireless communication and uses the collected information in an application, and is attracting attention as a system that can be used for various purposes.
Hereinafter, in the present invention, in a network communication that uses an encryption key and performs communication using a plurality of communication devices, a network configured by a server and a node connected to the server as a configured communication device, In particular, a sensor network will be described as an example.

  In many aspects of sensor network use, it is considered that a group may be formed by a plurality of nodes, and information sharing and processing may be performed within the group. The group key is a key that is commonly owned only by the nodes belonging to the group, and it is possible to use various encryption technologies within the group by generating and using the encryption key and MAC key from the group key. Become. In that sense, safe and efficient management of group keys can be considered as an important basic technology in the construction of realistic sensor network applications. For example, consider a case where multicast distribution of secret data is performed for a certain group. In consideration of the presence of an unauthorized person who eavesdrops on the communication path and an out-of-group node that relays data, the data distributed by multicast needs to be encrypted. It is important to note that the ciphertext distributed by multicast must be the same for all nodes in the group. If it is necessary to construct different ciphertexts using different encryption keys for each node, there is no point in performing multicast distribution. The existence of a group key is indispensable in order to realize a mechanism in which the same ciphertext can be distributed to a network that can be accessed by an unspecified number and only members belonging to the group can decrypt it. I can say that.

  Group key management has a problem with difficulty different from one-to-one encryption key management. A major point that characterizes the management of group keys is that the group structure changes with time. For example, it should be noted that a new node may join a group or a node that has previously belonged to a group may leave the group for some reason. When there is a change in group membership, it is necessary to update the group key and distribute the updated key correctly. In particular, when a certain node is forcibly excluded from the group, it is necessary to appropriately control information so that the excluded node does not continue to have a valid group key.

  The most basic key update method with the sensor network in mind is, for example, as shown in Non-Patent Document 1, a key (link key) shared in a one-to-one relationship between any pair of nodes including a server. ) (Conventional method 1). For example, when one group key is shared by a group composed of a plurality of nodes, it is necessary to update the key when excluding a certain node. The representative node determines a new group key, encrypts the group key using the link key, and unicasts the encrypted group key to other nodes other than the excluded node.

  Further, in Patent Document 1, a plurality of keys are allocated to extended vertices of a tree structure rooted in a group key corresponding to a certain group, and then all nodes to be joined to the plurality of groups are arranged at each vertex of the tree structure. Corresponding to the key, each encryption key of the node is generated as a key string having a key from the root of the tree structure to the position associated with the node of the tree structure, and the generated encryption key is transferred to the corresponding node A distribution method is disclosed. (Conventional method 2). With this tree structure, when an excluded node comes out from a plurality of nodes, only the key related to the encryption key of the excluded node is changed, and only the node corresponding to the changed key is changed. The encrypted key can be encrypted and distributed with a key immediately below the key.

  In Patent Document 2, in a network system configured by grouping a plurality of nodes so that each node belongs to a plurality of groups, each node in the group is directly connected, and each node has its own node. A node connection means for broadcasting to all other nodes of the group to which the node belongs, and each node receives data received from another node of one group of the plurality of groups to which the node belongs; A system for relaying to other nodes of other groups among a plurality of groups by broadcast transmission is disclosed. (Conventional method 3). When using the conventional method 3, when transmitting common data to a certain set of nodes, data is transmitted to nodes (relay nodes) that straddle each group, and broadcast transmission is performed. Can be delivered efficiently.

Patent Document 3 discloses a communication system that includes a center and a plurality of terminals, in which each terminal forms a group and shares the same secret key in the group. A method of updating is disclosed (conventional method 4). The conventional method 4 aims to reduce the burden of encryption processing on the center side, and can update the secret key on the basis of the secret sharing method, making it necessary to perform remainder calculation on the terminal side.
JP-A-11-187013 Japanese Patent No. 2852586 JP 2004-343816 A Zigbee sensor network pp. 118-120, Shiro Sakata et al., Hidekazu System, 2005

  However, in network communication with limited computational resources, such as communication devices that make up a network, where miniaturization of chips and memories is desired, the key is not only to perform secure communication and encryption key update. There is a need to reduce the amount of communication in updating and the amount of calculation by updating keys.

  On the other hand, in the conventional method 1, when the communication amount transmitted from the server to the network is N, the communication amount is O (N). That is, there is a problem that the communication amount for key update increases in proportion to the number of nodes. On the other hand, in the conventional method 2, the communication amount is O (log N). That is, there is a problem that the communication amount for key update increases in proportion to the logarithm of the number of nodes. Although it is more efficient than the conventional method 1, there is a possibility that the same problem may arise in that the amount of communication from the server for key update becomes a problem when the number of nodes increases. In particular, in an environment where the number of nodes such as sensor networks is expected to increase by an order of magnitude compared to conventional systems, this problem is expected to become apparent even if the traffic is proportional to the logarithm of the number of nodes. Is done.

  On the other hand, it is conceivable to use the conventional method 3 as a communication means for distributing the encryption key, but there is a problem that it cannot cope with the case where the relay node is excluded. Considering the possibility that the relay node is an out-of-group node, there is a risk that the encryption key information is leaked to the relay node.

  The conventional method 4 is a key update method based on the secret sharing method, and requires a large amount of calculation using a remainder calculation under a large prime number p or a large number of remainder calculations. Such a method for updating the key of the group key using the remainder calculation generally has a very large amount of calculation as in the public key method. However, especially in computing resources used for node-side communication equipment such as sensor networks, the amount of computation on the node side is limited in environments where there are restrictions on the computational capacity and storage capacity that can be implemented. A method that requires a large number of remainder calculations such as 4 cannot be used.

  Therefore, the present invention solves the above-described problem and provides for a case where the configuration of a group in a communication device changes as time progresses in network communication in which an encryption key is used and communication is performed using a plurality of communication devices. An object of the present invention is to provide a mechanism for updating a group key, which is an encryption key, and securely distributing the updated key within the group, and an object thereof is to reduce the communication amount and the calculation amount in the key update.

According to a first aspect of the present invention, there is provided an encryption key updating method for updating an encryption key for encrypting a multicast for a group composed of nodes connected to a server by a network, including an arbitrary server Unicast encryption communication is possible between the two parties, and the attribute value of the kth attribute indicating that the node having the mth attribute value is the group head node is nth (n ≠ m) having a first step of excluding a node from a group of nodes that are those of the m), wherein the first step presents the encryption key that the server will newly use in the group Encrypted with the encryption key being used, and further encrypted with the encryption key held by the group consisting of the group head nodes. A key generation step, the server multicasting the double-encrypted new encryption key to the group head node, and a group head node holding the encryption key held in a group of group head nodes And a step of decrypting the double-encrypted new encryption key halfway, and a minimum group (that is, a plurality of groups obtained as a result of extracting one group having an arbitrary attribute value for each attribute one by one) The group head of a minimal group that is a product set and is a non-empty minimal set that does not include a node to be excluded includes a new encryption key that has been decrypted halfway. Transmitting to the node whose attribute value is the nth attribute, and the node receiving the new encryption key decrypted halfway The new encryption key decrypted to developing an encryption key currently being used in the group by decoding, encryption key update method comprising Rukoto to have a, obtaining a new encryption key Provided.

According to a second aspect of the present invention, there is provided an encryption key updating apparatus for updating an encryption key for encrypting multicast for a group composed of nodes connected to a server by a network, including an arbitrary server Unicast encryption communication is possible between the two parties, and the attribute value of the kth attribute indicating that the node having the mth attribute value is the group head node is nth (n ≠ m) having a first means for excluding a certain node from the group consisting of nodes that are those of m), wherein the first means is currently using an encryption key to be newly used in the group Means for generating a new double-encrypted encryption key by encrypting with an encryption key and further encrypting with an encryption key held in a group comprising group head nodes; Means for multicasting the double-encrypted new encryption key to the group head node, and the group head node is double-encrypted with an encryption key held in a group of group head nodes. Means for decrypting a new encryption key halfway and a minimal group (that is, a product set of a plurality of groups obtained as a result of extracting one group having an arbitrary attribute value for each attribute and a non-empty minimal The group head of the minimal group that does not include the node to be excluded, and the new encryption key decrypted halfway is the nth attribute value of the kth attribute included in the minimal group And a node that has received the new encryption key decrypted halfway, displays the new encryption key decrypted halfway in the group. An encryption key that is utilized by decoding, encryption key update apparatus is provided, characterized in that it comprises means for obtaining a new encryption key, a.

According to the third aspect of the present invention, there is provided an encryption for causing a computer to execute an encryption key update method for updating an encryption key for encrypting a multicast for a group composed of nodes connected to a server by a network. A key update program that enables secure unicast encryption communication between any two parties including a server. In the encryption key update method, a node having the mth attribute value is a group head node. A first step of excluding a node from a group of nodes whose attribute value of the kth attribute is nth (n ≠ m), indicating that the server The encryption key to be newly used in the group is encrypted with the encryption key currently used in the group, and is further composed of a group head node. A step of generating a new double-encrypted encryption key by encrypting with the encryption key held in the loop, and the server sends the double-encrypted new encryption key to the group head Multicasting to a node, a group head node decrypting the new double-encrypted encryption key halfway with an encryption key held in a group of group head nodes, and a minimal group (i.e. Minimal group that is a product set of a plurality of groups obtained as a result of extracting one group having an arbitrary attribute value for each attribute and is a non-empty minimal set) and does not include an excluded node The group head of the k-th attribute included in the minimal group is a new encryption key decrypted halfway, and the attribute value of the k-th attribute is n-th And a node that has received the new encryption key decrypted halfway, decrypts the new encryption key decrypted halfway with the encryption key currently used in the group. the encryption key update program characterized Rukoto that Yusuke obtaining a cryptographic key, is provided.

  According to the fourth aspect of the present invention, in a network composed of a server and a large number of nodes, when a node has d types of attributes, the node is considered to belong to d groups at the same time, and is defined in this way. There was a change in the group members regarding the method of associating the group key with each group and the server sharing the group key only with the nodes belonging to the group and performing cryptographic communication for each group. In this case, the server updates the group key and distributes the updated key correctly, especially when a certain node is forcibly excluded from the group, the excluded node has a valid group key. An encryption key update method for appropriately controlling group key distribution is provided so as not to continue.

  According to the present invention, in network communication in which an encryption key is used and communication is performed using a plurality of communication devices, a group key that is an encryption key is updated in preparation for a case where the network configuration changes with time. It is possible to provide a mechanism for securely distributing the updated key. Further, it is possible to reduce the communication amount and calculation amount in key update.

  The best mode for carrying out the present invention will be described below in detail with reference to the drawings.

  In general, one sensor node is considered to have a plurality of attributes. For example, the production lot number, firmware version, installation location, type of sensor to be equipped, etc. can all be attributes. A sensor node is considered to have some attribute value for each attribute.

  In the present invention, a group is composed of a set of nodes having the same attribute value for a certain attribute. A group key is associated with each group defined in this way, and the group key is assigned to the group key. This is an encryption key management method that is distributed only to nodes belonging to.

  Therefore, when there are d types of attributes, the node belongs to d groups at the same time. Assume that a group key is associated with each group defined in this way, and the group key is distributed only to nodes belonging to the group.

  The present invention is a method for updating a group key when a group member changes, and correctly distributing the updated key, particularly when a certain node is forcibly excluded from the group. This is an encryption key update method that appropriately controls group key distribution so that a given node does not continue to possess a valid group key.

  FIG. 1 shows the overall configuration of an embodiment of the encryption key management method of the present invention. Referring to FIG. 1, in the present embodiment, in a network represented by a sensor network, it is composed of a set N consisting of all nodes and a server 101 that does not belong to N. The server 101 operates under program control and adds a node. The node includes a means 103, a main node exclusion means 105, and a key storage means 107, and the node includes a secondary node exclusion means 109 and a key storage means 111. As a node, only node 1 is representatively shown. The difference between the key storage unit 107 of the server and the key storage unit 111 of the node is the difference of the key (secret information) stored and managed in the key storage unit. The server mainly manages the group keys of all groups, whereas the node Manages only a group key that is valid only in the group to which it belongs, and a processing key (member key to be described later) that is required when the node joins and removes the node.

  The node also operates by program control in the operation related to the key.

  Hereinafter, a data encryption operation using symmetric key encryption is used, but it is assumed that the network participant understands the algorithm used for encryption, and the server and each node can execute encryption and decryption. In particular, it is assumed that information encrypted with a key owned by the server and each node can be decrypted with a suitable key to obtain a decryption result.

Also, assume that the attribute is a partition of the set N consisting of the entire node, and in particular,
Gi⊂N. . . (Condition 1)
If i ≠ j then Gi ∩ Gj is an empty set. . . (Condition 2)
G1 ∪G2 ∪. . . Gm = N. . . (Condition 3)
A set family {G1, G2,. . . , Gm} are called attributes.

Also, d attributes A1,. . . , Ad, and Ai = {Gi, 1,. . . , Gi, mi} (where mi is the number of elements of Ai), and Gi, j is a set of nodes having the jth attribute value for attribute i, k integers 1 ≦ i1,. . . , Ik ≤ d and k groups Gi1, j1,. . . , Gik, jk (where Gia, jaεAia for 1 ≦ a ≦ k) and G = Gi1, j1∩. . .ノ ー ド When the node set G, which is Gik, jk, is a group of order k, the d attributes constituting group C (minimum group) of order d, which is a minimal set in the inclusion relationship between structured groups In addition to
For any minimal group C, C ∩G0,1 contains exactly one node (group head) (condition 4),
For any group G0, j other than G0,1 in any minimal group C, A0, C∩G0, j includes at most one node (group member) (condition 5);
Special attributes A0 = {G0,1,. . . , G0, m0} (where m0> 0), d + 1 attribute sets A0, A1,. . . The group key is updated and managed in a d-dimensional group structure composed of Ad.

  Further, since a node belongs to exactly one minimal group and A0 is a division of all node sets N, d + 1 integer sets j0, j1,. . . , Jd and G0, j0 ∩G1, j1 ∩. . . ∩Gd, jd = {n}, and d + 1 character set (j0, j1,..., Jd) is treated as an identifier (ID) of node n.

  Also, A0, A1,. . . , Ad defines a d-dimensional group structure, and at this time, the server determines that the nodes belonging to the group Gi, j (0 ≦ i ≦ d, 1 ≦ j ≦ mi) and the group keys ki, j ( In particular, an element key) is shared in advance and a group of order k G = Gi1, j1 ∩. . . （Gik, jk (i1 <... <ik), h (ki1, j1 || ... kik, jk) (h is used to set the length of a concatenated key such as a hash function to a predetermined value. The information that can be calculated by the server and the node as || is a key concatenation) is a G group key k (G).

  Also, only the node belonging to G knows the group key k (G) of the group G of order k. At this time, the server or the node belonging to G encrypts the data to be transmitted to G using k (G). The obtained ciphertext is multicast-distributed to the G node.

  If the ID of the node n is (j0, j1,..., Jd), n is d + 1 element keys k0, j0,. . . , Kd, jd and using these d + 1 keys, n can calculate kn = h (k0, j0 || ... || d, jd), where the value kn is n Since only the server is a value that can be calculated, the server uses kn as a key shared between n and the server (referred to as a node key), and the server stores data with each node key for each node. Encrypt and send in unicast.

  In addition, in order to enable secure one-to-one message exchange between the group head and each group member of the minimal group to which the group head belongs, the server A unique key (member key) common to each node key is encrypted and transmitted in a unicast manner.

  Means for adding the node n to the group Gi, j of order 1 (node addition means) are as follows. For example, such a case may occur when it is desired to add a new node to an active sensor network or when an attribute value of an existing node is changed for some reason. In any case, the node n newly joining the group does not have the right to know the key used as the group key of Gi, j before joining itself. Conversely, in the process of adding n as a member of a group, n must not know the previous group key. This property is called backward security in the group key.

  Further, when the server wants to add the node n to the group Gi, j of order 1, if the ciphertext obtained by encrypting the data x with the key k is written as Ek (x), the node adding means provided in the server Computes c = Eh (ki, j) (k′i, j) for nodes that previously belong to Gi, j, multicasts c to nodes belonging to Gi, j, and sets n to On the other hand, a new key k′i, j is encrypted in a unicast manner using a node key that is shared only by the server and its node, and transmitted from the server, thereby ensuring backward security and ensuring a new key k′i, Share j with the new group Gi, j.

  Means (node exclusion means) for excluding nodes that belonged to the group Gi, j from Gi, j until that time are as follows. Cases where a node is excluded from the group include when the attribute value of the node changes, when a node stopped due to a failure, etc. is excluded from the network, and when a certain node may be hijacked by an unauthorized person. Conceivable. Especially in the last case, secret information may leak through the hijacked node, or the hijacked information may cause further attacks against other nodes and communication infrastructure, so eliminate the node as soon as possible. Is strongly demanded. At this time, it should be noted that a node excluded from the group may continue to hold the group key by unauthorized means. In the protocol for excluding a node, a new key k′i, j is surely distributed to nodes that continue to be in Gi, j, and k′i, j (and subsequently used for excluded users). Group key) must not be passed. This property is called forward security in the group key.

  Ensuring forward safety is more technically difficult than ensuring backward safety. In fact, there is no essential difference between the node remaining in Gi, j and the excluded node n regarding the knowledge about the key. For example, both the node remaining in Gi, j and n itself know the group key ki, j used so far in Gi, j. Therefore, it is difficult to secure forward security by a simple method of distributing a new key k′i, j using an old group key ki, j as in the case of adding a node in the previous section.

  Further, when the server excludes the node n from the group Gi, j of order 1, when a set obtained by removing n from Gi, j is written as G′i, j, G′i, j Is a set of nodes that remain in the group, and all nodes belonging to G′i, j must be able to obtain a new key k′i, j and are excluded in order to ensure forward security. Since n must not know k'i, j, the primary node exclusion means provided in the server cooperates with the secondary node exclusion means provided in the group head that is always present in the minimal group, thereby eliminating the node. Perform the process.

  When the server excludes the node n from the group Gi, j of order 1, the main node exclusion means provided in the server is for the group Gi, j of order 1 that excludes n when the excluded node n is not a group head. , When i ≠ 0, and when i = 0 (in the latter case, n is not a group head, so j ≠ 1 is automatically set), and the sub-node exclusion means included in the node that becomes the group head Branches the process.

  When the server excludes the node n from the group Gi, j of order 1, if the excluded node n is not the group head and i ≠ 0 for the group Gi, j of order 1 that excludes n, the order 1 Group Gi, j is divided into several minimum groups, and the excluded node n belongs to one of the minimum groups. Therefore, as a basic idea, Gi, j∩G0,1 A new key k′i, j is delivered to the node to which it belongs (group head belonging to Gi, j), and the key k′i, j is transferred from each group head to the group member.

  That is, when the server excludes the node n from the group Gi, j of order 1, if the excluded node n is not the group head and i ≠ 0 for the element group Gi, j that excludes n, the main node of the server The excluding means first calculates k = h (k0,1 || ki, j) where ki, j is the element key of Gi, j and k'i, j is the new element key of Gi, j. X = Ek (k′i, j) is obtained, and the four-letter set (i, j, IDn, x) is multicast-transmitted to the nodes (group heads) belonging to Gi, j１G0,1 (IDn is excluded) ID of the node n), and then the secondary node exclusion means of the node (group head) belonging to Gi, jｊG0,1 decrypts x to obtain a new key k′i, j of Gi, j Finally, Gi, j belongs to ∩G0,1 The node (group head) sub-node exclusion means uses k (C) (group key of the local minimum group C to which the node belongs) when the local node C to which the local node belongs does not include the excluded node n. , J are encrypted, and Ek (C) (k′i, j) is multicast-distributed to the group members of C, while the minimal group C to which the group head belongs includes the excluded node n, the sub-group head The node exclusion means encrypts k′i, j in a unicast manner and transmits to all group members of C other than n using the member key.

  When the server excludes the node n from the group Gi, j of order 1, if the excluded node n is not a group head and i = 0 and j ≠ 1 for the element group Gi, j that excludes n, Gi, j = G0, j, and the group Gi, j cannot be divided into minimal groups. Also, since the group head sets G0,1 and Gi, j are relatively prime (no common set), the new element key k'i, j must not be exposed to the group head.

  That is, when the server excludes the node n from the group Gi, j of order 1, when the excluded node n is not a group head and the element group Gi, j excluding n is i = 0 and j ≠ 1. The main node exclusion means of the server calculates x1 = Eh (k0, j) (k′0, j) and x2 = Eh (k0,1) (x1) and calculates the four character set (0, j, IDn, x2) is multicast-distributed to the set G0,1 of the group heads, and the sub-node exclusion means of each group head decodes x2 to obtain x1 (the group head does not know k0, j, so x1 is decoded) If a node n ′ is included in the product set of G0, j and the minimal group C to which it belongs, and n ≠ n ′, the sub-node exclusion means of the group head is a member of n ′ With key Nikyasuto to be sent encrypted to x1.

  When the server excludes the node n from the group Gi, j of order 1, when i = 0 and j = 1, that is, the excluded node n is a group head, the main node exclusion means provided in the server A process of exchanging the roles of the group head n of the group Gi, j to be excluded and the node n ′ in the minimal group to which the group head belongs is performed, and the node is excluded when the excluded node is not a group head after the role exchange process ends Enforce processing.

  Further, when the server excludes the node n from the group Gi, j of order 1, when i = 0 and j = 1, that is, the excluded node n is a group head, the node role exchange processing is performed by the group head n, And the node n′εG0, j (j ≠ 1) belong to the same minimal group, the main node exclusion means of the server first updates the element key of G0,1 to obtain a new element key k′0, 1 is distributed to the node set G′0,1 = G0,1 \ {n} obtained by subtracting n from G0,1 and then the element key of G0, j is updated, and the new element key k′0, j is Deliver to node set G′0, j = G0, j \ {n ′} excluding n ′ from G0, j, and finally send k′0,1, k′0, j to n ′ and n respectively It consists of three processes.

  When the server excludes the node n from the group Gi, j of order 1, when i = 0 and j = 1, that is, when the excluded node n is a group head, the main node exclusion means provided in the server first starts with G0. , 1 and G′0 to distribute the new element key k′0,1 to the node set G′0,1 = G0,1 \ {n} obtained by subtracting n from G0,1 , 1, the keys k ′ 0, 1 are cryptographically distributed from the server to each node belonging to 1.

  Here, G0,1 may be structured by a method like the conventional method 2, and k'0,1 may be distributed to each node belonging to G'0,1.

  Further, when the server excludes the node n from the group Gi, j of order 1, when i = 0 and j = 1, that is, the excluded node n is a group head, the main node exclusion means provided in the server includes G0, In order to update the element key of j and distribute the new element key k′0, j to the node set G′0, j = G0, j \ {n ′} obtained by subtracting n ′ from G0, j, x1 = Ek0, j (k′0, j) and x2 = Ek′0,1 (x1) are calculated, x2 is multicast-distributed to the nodes of G′0,1, and nodes belonging to G′0,1 ( The sub-node exclusion means of (group head) decodes x2 to obtain x1, and if there is a node of G'0, j in the minimal group to which the node (group head) belonging to G'0,1 belongs, The sub-node exclusion means of the head is G'0, j no Encrypting and transmitting x1 unicast manner member key of node elimination means.

  For the node n ′ that leaves G0, j with the role exchange, the element key of G0,1 is updated, and the node set G′0,1 is obtained by removing the new element key k′0,1 from G0,1 to n. Since there is no corresponding group head (holding the valid key k′0,1) at the time of distribution to G0,1 \ {n}, receiving a new key k′0, j Can not. As a result, the element key of G0, j is updated, and the new element key k′0, j is distributed to the node set G′0, j = G0, j \ {n ′} obtained by subtracting n ′ from G0, j. The process is realized correctly.

  When the server excludes the node n from the group Gi, j of order 1, when i = 0 and j = 1, that is, the excluded node n is a group head, the main node exclusion means provided in the server is k ′ In order to transmit 0, 1, k′0, j to n ′, n, respectively, k′0, 1, k′0, j is encrypted with the node key in a unicast manner. .

  Next, embodiments of the present invention will be described in detail with reference to the drawings. Assume that the nodes constitute a cluster tree topology network as shown in FIG. Here, the cluster tree topology refers to a tree in which a server is a root node and all internal nodes other than the root node have at most one internal node among its children. In the cluster tree, one cluster is constituted by a node set composed of one internal node and a leaf node among the children of the internal node. On the cluster tree topology, as an attribute of each node, it is possible to define information as to which trunk in the cluster tree belongs, depth from the root node, and order information as to which node in the cluster. Considering the order information in the cluster as a special attribute A0 = {G0,1, G0,2, G0,3, G0,4}, the trunk attribute A1 = {G1,1, G1,2, G1,3} , Depth attribute A2 = {G2,1, G2,2} can be defined as a two-dimensional group structure that can be specified. The cluster becomes a minimal group in the two-dimensional group structure.

  At this time, the flowchart for excluding the node n from the group Gi, j is as shown in FIG. When i ≠ 0 in S31 of FIG. 3, from the set of nodes having any attribute value of G1, 1, G1, 2, G1, 3, G2, 1, G2, 2 among the attributes of A1 and A2. A process of eliminating node n is performed. At this time, since the node to be excluded is not the group head, the new key k′i, j is delivered to the node belonging to Gi, j∩G0,1 (the group head of Gi, j), and each group head sends it to the group member. In contrast, k′i, j is transferred (S32). A specific processing flow is shown in FIG. First, the server calculates Eh (k0,1 || ki, j) (k'i, j) and multicasts the calculation result (S311). Thereafter, only the group head in Gi, j can decode the calculation result, and k′i, j is obtained by decoding (S312). Finally, k'i, j is encrypted with a member key shared with the group members and unicasted only to the node whose group head is G'i, j = Gi, j \ {n} (S313). ) Finish the process.

  Next, when i = 0 in S31 of FIG. 3, if j ≠ 1 in S33, a node from a set of nodes having attribute values of G0, 2 or G0, 3 or G0, 4 among the attributes of A0 A process of eliminating n is performed. At this time, Gi, j = G0, j, and the group head sets G0,1 and Gi, j have no prime (common set), so that each group is not exposed to k′i, j. K′i, j is transferred from the head to the group member (S34). A specific processing flow is shown in FIG. First, the server calculates x1 = Eh (k0, j) (k′0, j) (j ≠ 1), and multicasts x2 = Eh (k0,1) (x1) (S341). Only the group head in G0, j can decode x2, and obtains x1 by decoding (S342). The group head cannot decode x1. After that, the group head encrypts x1 with the member key only to nodes belonging to the node set G'0, j = G0, j \ {n}, in which n is removed from G0, j, and unicasts (S343). Finally, the node of G′0, j decodes x1 using k0, j (S344), and the process ends.

  Finally, when i = 0 in S31 of FIG. 3, if j = 1 in S33, a process of excluding node n from the set of nodes having attribute values of G0 and 1 among the attributes of A0 is performed. . At this time, n is a group head, and the process of exchanging the roles of the group head n and the group member n′εG0, j (j ≠ 1) in the minimal group to which the group head belongs is executed, and then the above-mentioned A key update (when the excluded node is not a group head) is executed (S35). A specific processing flow is shown in FIG. First, the server encrypts k′0,1 with the node key unique to the server and each node, and all of the nodes included in the node set G′0,1 = G0,1 \ {n} excluding n from G0,1 Are unicast to the node (S351). Then, the server calculates x1 = Eh (k0, j) (k′0, j) (j ≠ 1), and multicasts x2 = Eh (k′0,1) (x1) (S352). Then, the group head belonging to G′0,1 decrypts x2 to obtain x1 (S353), encrypts x1 to the node of G′0, j = G0, j \ {n ′}, and performs unicast. (S354). After that, the node of G′0, j decodes x1 using k0, j (S355). Finally, the server encrypts k′0,1, k′0, j to n ′, n with the node key and performs unicast (S356), and ends the role exchange processing. At this point, the group head n changes its role with the group member n 'and becomes a group member (the group head set G0,1 no longer owns the key). Thereafter, node exclusion processing is performed when the exclusion node shown in FIG. 5 is not a cluster head, n is excluded (S357), and the processing ends.

  FIG. 7 shows an example of the key update process 1 shown in FIG. 4, among all the nodes in the groups G2 and G2, a certain node other than the group head node (groups G2 and 2 and groups 0 and i (i ≠ 0) (example , I = 4) and groups 1, j (for example, nodes of j = 3) are excluded from groups G2, 2.

  Referring to FIG. 7, first, a new key k′2,2 is encrypted with a hash value of a key obtained by concatenating the keys k0,1 and keys 2,2, and this is multicast (see FIG. 4). Step 311). Information that the key of the node n (the nodes belonging to the groups 0 and 4 and the groups G1 and 3 and the groups 2 and 2) is not updated is added to the multicast key.

  Then, the group head nodes of the groups 2 and 2 that hold the keys k0 and 1 and the keys 2 and 2 receive it to obtain the keys k'2 and 2 (step 312 in FIG. 4). Next, the group head node transfers the keys k′2 and 2 to the nodes under its control, but does not transfer the keys k′2 and 2 to the node specified by the additional information described above as an exception. (Step S313 in FIG. 4).

  The processing for removing a node from groups 2 and 1 and the processing for removing a node from groups 1 and j (j = 1 to 3) are the same as the processing in FIG. 7 (nodes from groups 2 and 2). The processing is the same as the processing in the case of removing the key (the key updating processing 1), and the description thereof is omitted.

  FIG. 8 shows an example of the key update process 2 shown in FIG. 5 in which a certain node of groups G0, 3 (for example, a node belonging to group G0,3 and group G1,1 and group G2,1) is assigned to group G0, FIG.

  Referring to FIG. 8, first, new key k'0,3 is encrypted with the hash value of key k0,3 to obtain x1 (the first half of step S341 in FIG. 5). Next, x1 is encrypted with the hash value of the key k0,1 to obtain x2. Then, x2 is multicast (second half of step S341 in FIG. 5). Information indicating that the key of the node n (nodes belonging to the group G0,3 and the group G1,1 and the group G2,1) is not updated is added to x2 to be multicast.

  Then, the group head node holding the key k0,1 receives this and obtains x1 (step S342 in FIG. 5).

  Next, the group head multicasts x1 to a node under its control. However, multicasting is not performed to the node specified by the additional information (step S343).

  Then, the node of the group G0,3 holding the keys k0,3 receives x1 and acquires k'0,3 (step S344 in FIG. 5). However, the node specified by the additional information belongs to the groups G0 and G3, but is excluded from multicast targets, so k'0 and 3 cannot be acquired.

  The processing for removing a node from the group G0,2 and the processing for deleting a node from the group G0,4 are the same as the processing operation in FIG. 8 (key update processing 2). Description is omitted.

  FIG. 9 shows a group head node n of the group G1, 3 and the group G2, 2 as an example of the key update process 3 shown in FIG. 6 (an example of excluding the group head node (node belonging to the group G0, 1)). It is a figure which shows the example which excludes (the node which belongs to the group G1, 3 and the group G2, 2 and the group 0, 1).

  Referring to FIG. 9, first, the group head node n of the group G1, 3 and the group G2, 2 is exchanged with another node n 'of the group (for example, a node belonging to the group G0, 3). This exchange process includes steps S351, S352, S353, S355, and S356.

  First, new keys k'0, 1 are encrypted and unicasted to the group head nodes of five groups other than the groups G1, 3 and G2, 2, respectively (step S351 in FIG. 6).

  Next, x1 is generated by encrypting the new key k′0,3 with the hash value of the key k0,3 (the first half of S352 in FIG. 6), and x1 is the hash of k′0,1. By encrypting with the value, x2 is generated, and x2 is multicast (second half of S352 in FIG. 6).

  Then, since the group head nodes of the five groups other than the groups G1 and G3 and G2 and G2 have the keys k′0 and 1, x1 can be decrypted (step S353 in FIG. 6). ). On the other hand, since the group heads of the groups G1, 3 and G2, 2 do not have the keys k'0, 1, x1 cannot be decrypted.

  The group head nodes of the five groups other than the group G1, 3 and the group G2, 2 that were able to decrypt x1 transmit x1 to the subordinate nodes (step S354 in FIG. 6), but the key 0 , 3 (nodes belonging to G0, 3) can decode x1 to obtain k′0, 3 (step S355 in FIG. 6). On the other hand, in group G1,3 and group G2,2, the group head node cannot decode x1, so the nodes in this group cannot obtain k'0,3.

  Next, the keys k′0 and 1 are unicast to the node n ′ that has become the group head node d, and the keys k′0 and 3 are unicast to the node n that is no longer the group head node d (step in FIG. 6). S356).

  Thereafter, in order to exclude the node n, the method shown in FIG. 8 is performed (step S357 in FIG. 6).

  Therefore, according to the present invention, it is possible to greatly reduce the communication amount at the time of key update at the time of node exclusion as compared with the conventional method. For example, in the group key update process, the communication from the server is only one multicast distribution addressed to the group head, and the unicast communication is at most (number of nodes in the minimal group to which the group head belongs) -1 from the group head. The key can be renewed. Since the minimal group is minimal in the inclusive relation of the node set, the processing can be performed very efficiently.

  Further, according to the present invention, by using the role exchange process, it is possible to update the key by eliminating the node corresponding to the group head.

  Further, according to the present invention, it is possible to perform key update with a smaller amount of calculation than in the conventional method. Therefore, for example, even in an environment where computational resources are limited, such as a sensor network, it is possible to reduce the amount of calculation associated with key updating and perform key updating safely.

  As described above, the present invention relates to a network configured by a server and a node connected to the server as a communication device to be configured in network communication in which an encryption key is used and communication is performed using a plurality of communication devices. Although the sensor network has been described as an example, it is needless to say that the present invention is not limited to such a network and can be applied to various network communications.

It is a figure which shows the structure of one Embodiment for implementing this invention. It is a figure explaining the Example in this invention. It is a flowchart which shows the outline | summary operation | movement which excludes n from group Gi, j. It is a flowchart which shows the operation | movement which excludes n from the group Gi, j (i ≠ 0). It is a flowchart which shows the operation | movement which excludes n from the group Gi, j (i = 0 and j ≠ 1). It is a flowchart which shows the operation | movement which excludes n from the group Gi, j (i = 0 and j = 1). It is a figure which shows the example in the case of removing n from the group Gi, j (i ≠ 0). It is a figure which shows the example in the case of removing n from the group Gi, j (i = 0 and j ≠ 1). It is a figure which shows the example in the case of removing n from the group Gi, j (i = 0 and j = 1).

Explanation of symbols

101 Server 103 Node addition means 105 Primary node exclusion means 107 Key storage means 109 Secondary node exclusion means 111 Key storage means

Claims (9)

An encryption key update method for updating an encryption key for encrypting a multicast for a group composed of nodes connected to a server via a network, which is securely unicast between any two parties including the server Encrypted communication is possible,
A node that excludes a node from a group of nodes having an attribute value of the kth attribute that is the nth (n ≠ m) indicating that the node having the mth attribute value is a group head node. 1 step, the first step is
The server encrypts the encryption key to be newly used in the group with the encryption key currently used in the group, and further encrypts it with the encryption key held in the group consisting of the group head node. Generating a new double-encrypted encryption key;
The server multicasts the double-encrypted new encryption key to a group head node;
A group head node decrypting the new double-encrypted encryption key halfway with an encryption key held in a group of group head nodes;
Node that is a minimal group (that is, a group that is a product set of a plurality of groups obtained as a result of extracting one group having an arbitrary attribute value for each attribute and is a minimal set that is not empty) and is excluded A group head of a minimal group that does not include a step of transmitting a new encryption key decrypted halfway to a node whose attribute value of the kth attribute included in the minimal group is the nth one;
A node that receives a new encryption key decrypted halfway, obtains a new encryption key by decrypting the new encryption key decrypted halfway with the encryption key currently used in the group; and ,
The encryption key update method comprising Rukoto to have a. The encryption key update method according to claim 1,
a second step of excluding from a certain group a certain node of a group consisting of nodes whose value of the i th attribute is the j th value,
The server currently holds an encryption key held in a group consisting of nodes whose i-th attribute value is the j-th value, and an encryption key held in a group consisting of group head nodes, one for each minimum group Is encrypted by encrypting the encryption key that is newly held in the group consisting of nodes whose i-th attribute value is the j-th value. Generating a new encryption key,
The server multicasts a new encrypted encryption key to one or more group head nodes present in a group of nodes whose i-th attribute value is the j-th value;
Each group head node of the group whose value of the i-th attribute is the j-th value decrypts the encrypted new encryption key;
Among the group head nodes of the group whose i-th attribute is the j-th group, a group head node of a minimal group that does not include the node to be excluded has a decrypted new encryption key assigned to each node belonging to the minimal group. Encrypting and sending; and
The group head node of the minimal group including the excluded node among the group head nodes of the group having the i-th attribute is decoded to each node other than the excluded node among the nodes belonging to the minimal group. Encrypting the transmitted new encryption key and transmitting it,
A node that receives a new encryption key encrypted from the group head node, decrypts the encryption and obtains a new encryption key;
The encryption key update method according to claim Rukoto to have a. A cipher key update method according to claim 1 or 2,
a third step of the attribute value of the k-th attribute to exclude a node from the group of the group head nodes is of m-th, the third step,
An exchange step of exchanging the role of a node to be excluded and a node in the same minimal group as the node to be excluded;
A step of eliminating the by first step, the node should exhaust dividing that is no longer in the group head nodes to exchange a node and role in the node and the same minimum group should exhaust removal,
Have
The exchange step includes
The server individually unicasts a new encryption key of the group head node to a group head node of a minimal group other than the minimal group having a node to be excluded;
The server generating a new encryption key for a node having the same group attribute and the same group attribute value as the node exchanged with the node to be excluded at the position of the group head node;
The server encrypts the new encryption key with the current encryption key of the node having the same group attribute and the same group attribute value as the node exchanged with the node to be excluded at the position of the group head node; A step of generating a new double-encrypted encryption key by encrypting with a new encryption key unicast to the group head node;
The server multicasts the double-encrypted new encryption key to a group head node of a minimal group other than a minimal group exchanging nodes; and
A group head node of a minimal group that has received the multicast decrypts the double-encrypted new encryption key halfway;
The same group attribute and the same group attribute value as the node exchanged with the node to be excluded at the position of the group head node for the new encryption key decrypted halfway by the group head node of the minimal group that received the multicast Transmitting to nodes in a group having:
The node receiving the transmission decrypts the new encryption key;
The server unicasts a new encryption key of the group head node to a node that comes to the position of the group head node by the exchange;
The server unicasts a new encryption key of a group having the same group attribute and the same group attribute value as a node exchanged with a node to be excluded by a node coming to a group head node position by the exchange When,
The encryption key update method comprising Rukoto to have a. An encryption key updating apparatus for updating an encryption key for encrypting a multicast for a group composed of nodes connected to a server via a network, and securely unicast between any two parties including the server Encrypted communication is possible,
A node that excludes a node from a group of nodes having an attribute value of the kth attribute that is the nth (n ≠ m) indicating that the node having the mth attribute value is a group head node. Comprising one means, the first means comprising:
The encryption key to be newly used in the group is encrypted with the encryption key currently used in the group, and further encrypted by the encryption key held in the group consisting of the group head node. Means for generating a new encryption key encrypted in
Means for multicasting the double encrypted new encryption key to the group head node;
Means for decrypting the double-encrypted new encryption key halfway with an encryption key held by a group consisting of group head nodes;
Node that is a minimal group (that is, a group that is a product set of a plurality of groups obtained as a result of extracting one group having an arbitrary attribute value for each attribute and is a minimal set that is not empty) and is excluded Means for transmitting a new encryption key decrypted halfway to a node whose attribute value of the kth attribute included in the minimum group is nth,
Means for obtaining a new encryption key by a node receiving a new encryption key decrypted halfway with the encryption key currently used in the group by decrypting the new encryption key decrypted halfway; ,
An encryption key updating apparatus comprising: A cryptographic key update apparatus of claim 4,
a second means for excluding, from the certain group, a certain node of a group consisting of nodes whose i-th attribute value is the j-th value;
An encryption key currently held in a group consisting of nodes whose i-th attribute value is the j-th value, and an encryption key held in a group consisting of group head nodes, one for each minimal group A new encrypted key is obtained by encrypting an encryption key that is newly held in a group consisting of nodes whose i-th attribute value is the j-th value with the encryption key obtained by concatenation. A means for generating a secure encryption key;
Means for multicasting a new encrypted encryption key to one or more group head nodes present in a group consisting of nodes whose value of the i-th attribute is the j-th value;
Means for each group head node of the group whose value of the i-th attribute is the j-th value to decrypt a new encrypted key;
Among the group head nodes of the group whose i-th attribute is the j-th group, a group head node of a minimal group that does not include the node to be excluded has a decrypted new encryption key assigned to each node belonging to the minimal group. Means for sending encrypted data;
The group head node of the minimal group including the excluded node among the group head nodes of the group having the i-th attribute is decoded to each node other than the excluded node among the nodes belonging to the minimal group. Means for encrypting and transmitting the new encryption key,
A node that receives a new encryption key encrypted from the group head node, and decrypts the encryption to obtain a new encryption key;
An encryption key updating apparatus comprising: A cryptographic key update apparatus according to claim 4 or 5,
a third means for excluding a node from the group of group head nodes whose attribute value of the kth attribute is the mth attribute, the third means comprising:
An exchange means for exchanging the role of a node in the same minimal group as the node to be excluded, and the node to be excluded;
By the first means, and means for eliminating the nodes should exhaust dividing that is no longer in the group head nodes to exchange a node and role in the node and the same minimum group should exhaust removal,
With
The exchange means is
Means for individually unicasting the new encryption key of the group head node to a group head node of a minimal group other than the minimal group having the node to be excluded;
Means for generating a new encryption key for a node having the same group attribute and the same group attribute value as the node exchanged with the node to be excluded at the position of the group head node;
Encrypting the new encryption key with the current encryption key of the node having the same group attribute and the same group attribute value as the node exchanged with the node to be excluded at the position of the group head node; Means for generating a new double-encrypted encryption key by encrypting with a new encryption key unicast to the node;
Means for multicasting the double-encrypted new encryption key to a group head node of a minimal group other than a minimal group for exchanging nodes;
Means for the group head node of the minimal group receiving the multicast to decrypt the double encrypted new encryption key halfway;
The same group attribute and the same group attribute value as the node exchanged with the node to be excluded at the position of the group head node for the new encryption key decrypted halfway by the group head node of the minimal group that received the multicast Means for transmitting to a node in the group having;
Means for the node receiving the transmission to decrypt the new encryption key;
Means for unicasting the new encryption key of the group head node to the node coming to the position of the group head node by the exchange
Means for unicasting a new encryption key of a group having the same group attribute and the same group attribute value as the node to be exchanged with the node to be excluded by the node at the position of the group head node by the exchange;
An encryption key updating apparatus comprising: An encryption key update program for causing a computer to execute an encryption key update method for updating an encryption key for encrypting a multicast for a group composed of nodes connected to a server via a network,
Unicast encryption communication is possible safely between any two parties including the server,
The encryption key update method includes:
A node that excludes a node from a group of nodes having an attribute value of the kth attribute that is the nth (n ≠ m) indicating that the node having the mth attribute value is a group head node. 1 step, the first step is
The server encrypts the encryption key to be newly used in the group with the encryption key currently used in the group, and further encrypts it with the encryption key held in the group consisting of the group head node. Generating a new double-encrypted encryption key;
The server multicasts the double-encrypted new encryption key to a group head node;
A group head node decrypting the new double-encrypted encryption key halfway with an encryption key held in a group of group head nodes;
Node that is a minimal group (that is, a group that is a product set of a plurality of groups obtained as a result of extracting one group having an arbitrary attribute value for each attribute and is a minimal set that is not empty) and is excluded A group head of a minimal group that does not include a step of transmitting a new encryption key decrypted halfway to a node whose attribute value of the kth attribute included in the minimal group is the nth one;
A node that receives a new encryption key decrypted halfway, obtains a new encryption key by decrypting the new encryption key decrypted halfway with the encryption key currently used in the group; and ,
The encryption key update program characterized Rukoto to have a. In the encryption key update program according to claim 7,
The encryption key update method includes:
a second step of excluding from a certain group a certain node of a group consisting of nodes whose value of the i th attribute is the j th value,
The server currently holds an encryption key held in a group consisting of nodes whose i-th attribute value is the j-th value, and an encryption key held in a group consisting of group head nodes, one for each minimum group Is encrypted by encrypting the encryption key that is newly held in the group consisting of nodes whose i-th attribute value is the j-th value. Generating a new encryption key,
The server multicasts a new encrypted encryption key to one or more group head nodes present in a group of nodes whose i-th attribute value is the j-th value;
Each group head node of the group whose value of the i-th attribute is the j-th value decrypts the encrypted new encryption key;
Among the group head nodes of the group whose i-th attribute is the j-th group, a group head node of a minimal group that does not include the node to be excluded has a decrypted new encryption key assigned to each node belonging to the minimal group. Encrypting and sending; and
The group head node of the minimal group including the excluded node among the group head nodes of the group having the i-th attribute is decoded to each node other than the excluded node among the nodes belonging to the minimal group. Encrypting the transmitted new encryption key and transmitting it,
A node that receives a new encryption key encrypted from the group head node, decrypts the encryption and obtains a new encryption key;
The encryption key update program characterized Rukoto to have a. In the encryption key update program according to claim 7 or 8,
The encryption key update method includes:
a third step of the attribute value of the k-th attribute to exclude a node from the group of the group head nodes is of m-th, the third step,
An exchange step of exchanging the role of a node to be excluded and a node in the same minimal group as the node to be excluded;
A step of eliminating the by first step, the node should exhaust dividing that is no longer in the group head nodes to exchange a node and role in the node and the same minimum group should exhaust removal,
Have
The exchange step includes
The server individually unicasts a new encryption key of the group head node to a group head node of a minimal group other than the minimal group having a node to be excluded;
The server generating a new encryption key for a node having the same group attribute and the same group attribute value as the node exchanged with the node to be excluded at the position of the group head node;
The server encrypts the new encryption key with the current encryption key of the node having the same group attribute and the same group attribute value as the node exchanged with the node to be excluded at the position of the group head node; A step of generating a new double-encrypted encryption key by encrypting with a new encryption key unicast to the group head node;
The server multicasts the double-encrypted new encryption key to a group head node of a minimal group other than a minimal group exchanging nodes; and
A group head node of a minimal group that has received the multicast decrypts the double-encrypted new encryption key halfway;
The same group attribute and the same group attribute value as the node exchanged with the node to be excluded at the position of the group head node for the new encryption key decrypted halfway by the group head node of the minimal group that received the multicast Transmitting to nodes in a group having:
The node receiving the transmission decrypts the new encryption key;
The server unicasts a new encryption key of the group head node to a node that comes to the position of the group head node by the exchange;
The server unicasts a new encryption key of a group having the same group attribute and the same group attribute value as a node exchanged with a node to be excluded by a node coming to a group head node position by the exchange When,
The encryption key update that characterized the Rukoto to have a.

Images