CN101635918A - Method for hierarchichal onion rings routing - Google Patents
- Publication number
- CN101635918A
- Authority
- CN
- China
- Prior art keywords
- node
- gateway
- onion
- ring
- route
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Abstract
The invention discloses a method for hierarchical onion ring routing. The nodes of a wireless Mesh network are divided into a gateway G, trusted nodes OP (Onion Proxy) and ordinary nodes F_i. The trusted nodes OP and the gateway G act as inducing nodes; the trusted nodes OP select the route during ring initialization; and the set of all trusted nodes OP together with the gateway G forms an anonymous set. The onion route of the network is divided into two ring layers: the first-layer route is a ring formed by the non-adjacent trusted nodes OP of the anonymous set and the gateway G, and the second-layer route is a ring formed by filling ordinary nodes F_i in between the trusted nodes OP; the second-layer route is chosen at random by the trusted nodes OP and the gateway during initialization. Anonymous and secure communication in the Mesh network is thus achieved by the layered rings of the onion ring route. By using the layered onion ring communication protocol and letting the trusted nodes OP and the gateway of the anonymous set select the route together, the invention effectively confuses the path and prevents intersection attacks, and thereby reduces computation, lightens the load on the gateway, speeds up ring construction, and makes better use of network resources to reduce delay.
Description
Technical field
The invention belongs to the field of network security technology and relates to methods for securing routing protocols in a network, specifically a method for hierarchical onion ring routing that uses a redundancy scheme based on cryptography to protect network privacy against global and intrusive attacks.
Background technology
In a wireless Mesh network there are active nodes that may carry out confidential business. To keep the outside world from noticing, these nodes must communicate anonymously, and anonymous communication requires that 1) the outside world cannot learn the content of the session, and 2) the outside world cannot learn who initiated the current session. This protection is very important for secure network communication. However, existing anonymous communication schemes either cannot stop sophisticated attacks, or buy a certain level of anonymity at the cost of wasting a large amount of bandwidth.
The paper "Achieving Privacy in Mesh Networks" (Proc. of the SASN '06, pp. 13-22, Oct. 2006) proposed a ring-shaped secure communication model based on onion routing. Its main idea is: within a simple ring structure, in order to resist global attacks, an onion routing protocol on a ring is designed so that communication starts at the gateway and also ends at the gateway. All communication proceeds in the same direction, either clockwise or counter-clockwise. Even if an external attacker analyzes the traffic, it cannot tell which node is the source node and which the destination node. Even if a malicious node inside the ring knows the topology, it cannot trace the source or destination node, because it can only trace out a ring-shaped path, and on a ring path the adversary cannot tell who is the source and who is the destination. This scheme, however, gives rise to a new kind of attack, called the intersection attack. For example, a Mesh node holds a session with the Internet through one ring path; after some time the same Mesh node visits the same Internet address again, but this time the session goes through another ring. If the adversary is monitoring the gateway at this moment and notices that this is a very special address, then by observation it can conclude that the session initiator is the source node, which is most likely the intersection of the two rings, and the anonymity of the communication is threatened. In addition, the ring paths of this scheme can only be set up by the gateway, and all communication starts from the gateway, which places a very heavy computational load on it.
Summary of the invention
The technical problem to be solved by the present invention is to overcome the intersection attack problem of existing Mesh networks while guaranteeing the efficiency of ring communication. A method for hierarchical onion ring routing is provided that effectively resists intersection attacks, improves network communication security, effectively relieves the burden on the gateway, reduces the number of routing table records the gateway keeps, makes better use of network resources and reduces delay.
To carry out secure anonymous communication in the Mesh network, the present invention divides the whole communication process into three parts: ring initialization, ring communication and end of communication. In the wireless Mesh network the nodes are divided into three classes: gateway, trusted nodes and ordinary nodes. The OP (Onion Proxy) nodes and the gateway G are inducing nodes: at fixed intervals they send an induction carrier (a dummy packet) to a nearby OP node. The OP node performs the selection of the first-layer and second-layer routes during ring initialization; in the communication that follows, its role is the same as that of an ordinary node F_i. For ease of understanding, the notions of anonymous set and layered route are introduced:
Anonymous set: let R be the set formed by all OP nodes and the gateway G in the network. A subset of R is called an anonymous set if it satisfies the following conditions:
a) it must contain the element G;
b) all of its elements form a Hamiltonian circuit in the network topology. These anonymous sets are numbered, and the gateway G and the OP nodes share the numbered anonymous sets.
Layered route: the present invention divides the route into two layers. First-layer route: in the onion ring routing protocol, a path formed by the elements of an anonymous set, that is, by trusted nodes and the gateway, is called a first-layer route. The first-layer route is mainly a ring formed by non-adjacent trusted nodes. Second-layer route: the loop formed by filling ordinary nodes in between the trusted nodes is called a second-layer route, also called the lower-layer route. The second-layer route is chosen at random by the OP nodes and the gateway during initialization; its purpose is to fill in the path.
One, Ring initialization
The present invention divides ring initialization into the following steps:
The 1st step: encapsulation process
First: the OP node (the first element of the anonymous set) selects the first-layer route, that is, a numbered anonymous set, encapsulates the onion packet in the order of the nodes of the anonymous set, and appends a dummy packet after it.
The packet format is as follows:
{build}, E_kpop1[(RI, k_op1, OP2), E_kpop2[(RI, k_op2, G), E_kpg(RI, t)]], dummy;
{build}: packet header, indicating ring-building information; it tells the nodes that a ring is to be initialized;
E_kp: public-key encryption, used to encapsulate the onion packet. The OP1 node encrypts the outermost layer with its own public key E_kpop1; it contains the ring number RI, its own session key k_op1, the next-hop address OP2, and the second-layer onion packet encapsulated for the second node of the anonymous set. When the OP2 node receives this onion packet it can determine where the next hop is sent, and so on;
RI: ring number. Many rings may be communicating in the network at the same time; to guarantee that ring numbers are not repeated, RI is formed from the anonymous set number and the ring-building time;
k_i: session key, the session key between node i and the gateway G. It is the session key of each node for the communication in this ring; it is established when the ring is built, and when the ring's communication ends the mission of this session key is complete, so the next communication re-establishes a session key;
t: timestamp, used to check the freshness of a message;
dummy: induction information, which may consist of any unimportant data.
Then: the OP node selects the second-layer route up to the second element of the anonymous set, encapsulates the onion packet strictly in the order of the second-layer route, and distributes the one-time session keys (random numbers k_op1, k_1, k_2, ..., k_op2) for the uplink within the ring for this communication.
The one-time session keys distributed in this way are told to the gateway G, so that the gateway learns the exact uplink path; the one-time keys of the downlink are distributed by the gateway.
The packet format sent from the first node of the anonymous set to the second node is as follows:
{build}, E_kp1[(RI, k_1, F_2), E_kp2[(RI, k_2, F_3), ..., E_kpop2((RI, k_op2, G), E_kpg(RI, k_op1, k_1, k_2, ..., k_op2, t))]], dummy
F_i: an ordinary node in the network.
k_i: one-time session key.
When the OP1 node sends the ring-building information, the onion packet has already been encapsulated layer by layer. dummy denotes the induction information. The first layer of the packet is encrypted with the public key of node F_1 and contains the ring number RI, the session key k_1 and the IP address of the next-hop node F_2, and so on. The innermost layer is encapsulated with the public key of the gateway and consists of the session keys k_op1, k_1, k_2, ..., k_op2 of all uplink nodes, the timestamp t and the ring number RI.
The above packet format is simplified as follows:
{build}, E_kpop1(E_kp1(E_kp2(..., E_kpop2(E_kpg(m_1))))), dummy, where m_1 = {RI, t, k_op1, k_1, k_2, ..., k_op2};
All OP nodes in the ring, for example OP2 and the gateway G, encapsulate onion packets in the same way.
When the second node OP2 of the anonymous set receives the initialization information, it performs path selection and encapsulates an onion packet in the same way as the first element, but forwards the dummy packet directly. As follows:
{build}, E_kpn(...(E_kpop3(E_kpg(m_2), E_kpg(m_1)))), E_kpop2^-1(...E_kp1^-1(dummy)), where m_2 = {k_op2, k_n, k_n+1, ..., t}
E_kp^-1: public-key decryption, the inverse operation of E_kp.
The 2nd step: information forwarding process
During information forwarding, an ordinary node F_i in the ring that has no data to send only decrypts the onion packet and the dummy packet and then sends the decrypted message to the next node, as follows:
{build}, E_kp2(...(E_kpop2(E_kpg(m_1)))), E_kp1^-1(dummy);
The 3rd step: session access request process
When an ordinary node F_i wants to communicate, it replaces the dummy packet, which has been decrypted layer by layer, with its access request information:
{build}, E_kp(i+1)(E_kp(i+2)(...E_kpg(m))), E_kpi^-1(request);
The 4th step: gateway processing
When the gateway G receives the packet sent from the OP1 node, it has determined the session initiator. If the gateway agrees to the request, it determines the other half of the ring path according to the ring number and the anonymous set. The gateway G strictly encapsulates an onion packet and sends it to the session initiator. This onion packet contains all session keys of the uplink from the session initiator to the OP node or gateway nearest to it. The grant information can thus travel from the gateway to the session initiator, and communication begins. The packet format is as follows:
{build}, E_kpm(...E_kpop(...(E_kpg(k_i, ..., k_op, grant))));
The session access request follows an erase mechanism: if two nodes in the ring want to hold a session at the same time, the request information of the later node erases the request information of the earlier node. The earlier node then obtains no grant information in this ring and can only resend its request when the carrier of the next ring arrives.
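The ring-initialization steps above (encapsulation, forwarding, the access request with its erase rule, and gateway processing) as an added Python simulation; this is not code from the patent. The keyed envelope seal/unseal, the node names and the Ring class are constructed stand-ins for the public-key and session-key encryption the patent assumes, and the gateway identifies the initiator by peeling the carrier with the uplink nodes' keys, nearest node first.

```python
import hashlib
import hmac
import json
import os


def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    """SHA-256 counter keystream; toy cipher core for this simulation only."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, data: bytes) -> bytes:
    """Keyed envelope, nonce || ciphertext || tag; stands in for E_kp / E_k."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    """Inverse of seal; raises ValueError for a wrong key; stands in for E_kp^-1."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("envelope does not open with this key")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))


class Ring:
    """One second-layer route OP1, F1, ..., OPn, G (constructed); the last entry is G."""

    def __init__(self, path):
        self.path = path
        # One long-term key per node: stand-in for the node's public/private key pair.
        self.keys = {n: hashlib.sha256(n.encode()).digest() for n in path}
        # One-time uplink session keys k_op1, k_1, ..., k_opn chosen by OP1 for this ring.
        self.session = {n: os.urandom(16).hex() for n in path[:-1]}
        self.requests = {}  # node -> access request it wants to send in this ring

    def build(self, ri, t):
        """Step 1 at OP1: wrap m1 for G, then one layer per uplink node (innermost
        first) and append a plaintext dummy carrier; returns the packet handed to F1."""
        m1 = {"RI": ri, "t": t, "keys": self.session}
        onion = seal(self.keys[self.path[-1]], json.dumps(m1).encode())  # E_kpg(m1)
        hops = list(zip(self.path[1:-1], self.path[2:]))  # (node, next hop) for F1..OPn
        for node, nxt in reversed(hops):
            layer = {"RI": ri, "k": self.session[node], "next": nxt, "inner": onion.hex()}
            onion = seal(self.keys[node], json.dumps(layer).encode())
        return onion, b"dummy"

    def forward(self, node, onion, carrier):
        """Steps 2 and 3 at an intermediate node: peel its onion layer, then either wrap
        the carrier with its own key (nothing to send) or replace the carrier with its
        own access request, which erases any request an earlier node put there."""
        layer = json.loads(unseal(self.keys[node], onion))
        if node in self.requests:
            carrier = json.dumps({"from": node, "req": self.requests[node]}).encode()
        return layer["next"], bytes.fromhex(layer["inner"]), seal(self.keys[node], carrier)

    def gateway(self, onion, carrier, ri):
        """Step 4 at G: open m1 (the uplink keys), then peel the carrier with the uplink
        nodes' keys, nearest node first; the node whose request surfaces is the session
        initiator. Returns (initiator or None for a pure dummy, uplink session keys)."""
        m1 = json.loads(unseal(self.keys[self.path[-1]], onion))
        if m1["RI"] != ri:
            raise ValueError("ring number mismatch")
        for node in reversed(self.path[1:-1]):
            carrier = unseal(self.keys[node], carrier)
            try:
                msg = json.loads(carrier)
            except ValueError:
                continue  # still wrapped by an earlier node, or the raw dummy bytes
            if isinstance(msg, dict) and msg.get("from") == node:
                return node, m1["keys"]
        return None, m1["keys"]


def run_ring(path, requests, ri="RI-1", t=1000):
    """Drive one ring initialization end to end; returns (initiator, uplink session keys)."""
    ring = Ring(path)
    ring.requests.update(requests)
    onion, carrier = ring.build(ri, t)
    node = path[1]
    while node != path[-1]:
        node, onion, carrier = ring.forward(node, onion, carrier)
    return ring.gateway(onion, carrier, ri)


if __name__ == "__main__":
    # Constructed ring: F1 and F2 both ask in the same ring; F2 is later, so its request erases F1's.
    print(run_ring(["OP1", "F1", "F2", "OP2", "G"], {"F1": "http", "F2": "http"}))
```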
Two, Ring communication
After ring initialization, the gateway G has determined the session initiator and has sent it the session keys of part of the path. If the session initiator correctly receives the packet sent by the gateway G, it continues to communicate with the gateway G in the layered session mode. During ring communication the OP nodes and the gateway G encapsulate onion packets with session keys, which greatly reduces the amount of computation and makes encryption and decryption fast. Session keys are redistributed each time a ring is built, which also reduces the adversary's chances of tampering with the onion packet, since an adversary who knew the path of the whole ring could encapsulate an onion packet with public keys and impersonate a node in the ring. Node F_i encapsulates an onion packet with session keys to the OP node or gateway G nearest to it and holds the session with it. When the nearest OP node receives the packet, it likewise selects the second-layer route and communicates with the next element of the anonymous set. Except for the gateway G and the session initiator, every node in the ring only forwards the decrypted onion packet.
The communication process from the session initiator to the gateway G is as follows:
F_i → F_i+1: {RI}, E_k(i+1)(E_k(i+2)(...(E_kop(E_kg(E_si(data, ack))))));
F_i+1 → F_i+2: {RI}, E_k(i+2)(...(E_kop(E_kg(E_si(data, ack)))));
...... : ......
F_OP-1 → OP: {RI}, E_kop(E_kg(E_si(data, ack)));
OP → F_OP+1: {RI}, E_k(op+1)(E_k(op+2)(...(E_kg(E_si(data, ack)))));
...... : ......
F_G-1 → G: {RI}, E_kg(E_si(data, ack));
{RI} is the packet header; it indicates that the ring has been set up and communication begins. E_s denotes private-key encryption; E_si denotes encryption with the private key of node F_i. data is the information content sent. ack is the message authentication code sent after a packet has been correctly received; it is used to prove that both communicating parties really received the packet.
When the gateway G receives this carrier packet, it decrypts the packet with its own private key and the public key of node F_i, and so determines that the packet is addressed to itself and was sent by node F_i. When the gateway G receives the message it computes the ack value; if both sides' ack values agree, this proves that they received the packets correctly and the subsequent communication proceeds; if they differ, the packet was not correctly received.
The gateway G encapsulates, according to the ring number and the anonymous set, a packet to node F_i in the following format:
{RI}, E_kg(E_kop1(E_ki(E_sg(data)))).
The communication process from the gateway G to node F_i is as follows:
G → F_m: {RI}, E_km(E_k(m+1)(...(E_kop1(E_ki(E_sg(data))))));
F_m → F_m+1: {RI}, E_k(m+1)(...(E_ki(E_sg(data))));
...... : ......
OP1 → F_1: {RI}, E_k1(...(E_ki(E_sg(data))));
...... : ......
F_i-1 → F_i: {RI}, E_ki(E_sg(data));
Three, End of communication
After communicating for a while, when neither side has data to send, the gateway G encapsulates an onion packet with empty content to the OP node, which marks the end of communication.
There is also the case that the gateway G has no data for the session initiator while the session initiator still has data to send to the gateway. The present invention guarantees that the information sent by the gateway G during communication always reaches the session initiator, so the session initiator can keep sending data to the gateway through the ring. Since a session starts at an OP node and ends at an OP node, when the session initiator has no more information to send it sends a packet with empty content to the gateway G; the gateway then knows that the information has been sent completely and in turn encapsulates an onion packet with empty content to the OP node, marking the end of communication. That is, after initialization, communication ends when an OP node receives a packet addressed to itself, or when the gateway G receives a packet with empty content.
Another case may also occur, namely that there are two session initiators in one ring. In this case the later session initiator can always encrypt the dummy information that has already been encrypted by the earlier initiating node and hold the session with the gateway G, while the earlier session initiator can only wait for the next ring to converse. Although this causes delay, other rings in the network are communicating at the same time.
Compared with the prior art, the present invention has the following beneficial effects:
1. By using the layered onion ring communication protocol, with the OP nodes of the anonymous set and the gateway jointly taking part in the routing process, the present invention effectively confuses the path and stops intersection attacks.
2. The OP nodes and the gateway encapsulate the onion packet with session keys, which greatly reduces computation and makes encryption and decryption fast. Session keys are redistributed each time a ring is built, which also reduces the adversary's chances of tampering with the onion packet.
3. The layered onion routing algorithm implements route aggregation, which greatly reduces the number of routing table records kept by the gateway, effectively relieves the gateway's burden, speeds up ring construction, uses network resources better and reduces delay.
4. In terms of security, the number of onion routing layers intuitively decreases, but the security strength rests on the security of public-key cryptography and is independent of the number of nodes. The security strength is therefore not reduced, and the route-hiding effect is better.
Description of drawings
Fig. 1. layering onion ring topology of the present invention
Fig. 2. the simple network topological structure of the preferred embodiment of the present invention
Embodiment
The layered onion ring of the present invention is shown in Fig. 1. When the network is built, the gateway G records the trusted nodes in the network (the OP nodes). As shown by the dotted line in Fig. 1, the gateway G and the OP nodes form a ring path.
As shown in Fig. 1, the OP1 node is the start node; it selects the anonymous set {OP1, OP2, G}, which is called the first-layer route. When the onion packet begins to be transmitted, the next node indicated in the packet is the OP2 node, and since the OP2 node is not adjacent to the OP1 node, the OP1 node sets up a new connection, assumed to be {OP1, F1, ..., OP2}, which is called a second-layer route, equivalent to a lower-layer route. When the onion packet reaches the OP2 node, the second-layer route ends and the packet returns to the upper-layer route, that is, re-enters the first-layer route.
A complete layered onion ring communication process is described below with the preferred embodiment of Fig. 2.
As shown in Fig. 2, suppose the first-layer route selected by the OP3 node is the ring RI: {OP3, OP2, G} and the second-layer path is {OP3, F4, F5, OP2}; the OP3 node then encapsulates the onion packet strictly in the order of the second-layer route.
The 1st step: encapsulation process
The OP3 node first selects the first-layer route, that is, a numbered anonymous set, encapsulates the onion packet in the order of the nodes of the anonymous set, and appends a dummy packet after it. The packet format is as follows:
{build}, E_kpop3[(RI, k_op2), E_kpop2[(RI, k_g), E_kpg(RI, t)]], dummy;
Then the OP3 node selects the second-layer route {OP3, F_4, F_5, OP2} to the second node of the anonymous set, encapsulates the onion packet strictly in the order of the second-layer route, and distributes the one-time session keys (k_op1, k_4, k_5, k_op2) for the uplink within the ring for this communication.
The packet format sent from the first element of the anonymous set to the second element is as follows:
{build}, E_kpop3[(RI, k_op2), E_kp4[(RI, k_4, F_5), E_kp5[(RI, k_5, F_op2), ..., E_kpop2((RI, k_g), E_kpg(RI, t, k_op1, k_4, k_5, k_op2))]]], dummy
The simplified packet format is as follows:
{build}, E_kpop3(E_kp4(E_kp5(E_kop2(E_kg(m_1))))), dummy, where m_1 = {RI, t, k_op1, k_4, k_5, k_op2}.
The 2nd step: information forwarding process
During transmission, a node in the ring that has no data to send only decrypts the onion packet and the dummy packet and then sends the decrypted message to the next node, as follows:
F_op3 → F_4: {build}, E_kp4(E_kp5(E_kop2(E_kg(m_1)))), dummy;
F_4 → F_5: {build}, E_kp5(E_kop2(E_kg(m_1))), E_kp4(dummy).
The 3rd step: session access request process
When node F_5 wants to communicate, it replaces the dummy packet, which has been decrypted layer by layer, with its access request information request:
F_5 → F_op2: {build}, E_kop2(E_kg(m_1)), E_kp5(request);
F_op2 → F_6: {build}, E_k6(E_k7(E_kg(m_1))), E_kpop2(E_kp5(request));
F_6 → F_7: {build}, E_k7(E_kg(m_1)), E_k6(E_kpop2(E_kp5(request)));
F_7 → F_G: {build}, E_kg(m_1), E_kp7(E_kp6(E_kpop2(E_kp5(request)))).
The 4th step: gateway processing
When the gateway G receives the packet sent over by the OP2 node, it learns that node F_5 wants to converse. If it agrees to the request, it likewise determines, according to the ring number and the anonymous set, the other half of the ring path to the OP3 node; suppose the selected path is {G, F_3, OP3}. The gateway sends node F_5 the session keys (k_op2, k_6, k_7) of the gateway-side nodes that the uplink from node F_5 passes through, in a strictly encapsulated onion packet. The grant information can then travel from the gateway through nodes F_3, OP3 and F_4 to node F_5, and communication begins. The simplified form of the gateway's packet is as follows:
{build}, E_kp3(E_kop3(E_kp4(E_kp5(E_sg(m_2))))), where m_2 = {k_op2, k_6, k_7, grant}.
F_G → F_3: {build}, E_kp3(E_kop3(E_kp4(E_kp5(E_sg(m_2)))));
F_3 → F_op3: {build}, E_kop3(E_kp4(E_kp5(E_sg(m_2))));
F_op3 → F_4: {build}, E_kp4(E_kp5(E_sg(m_2)));
F_4 → F_5: {build}, E_kp5(E_sg(m_2)).
After ring initialization the gateway has determined that the session initiator is node F_5 and has sent it the session keys of part of the path. If F_5 correctly receives the packet sent by the gateway, it continues the session with the gateway in the layered mode. Node F_5 encapsulates an onion packet with session keys to the OP2 node and holds the session with it. When the OP2 node receives the packet sent by node F_5, it confirms the second-layer route according to the ring number and communicates with the next node of the anonymous set, the gateway G.
The onion ring communication process is as follows (using the one-time session keys):
F_5 → F_op2: {RI}, E_kop2(E_kg(E_s4(data, ack)));
F_op2 → F_6: {RI}, E_k6(E_k7(E_kg(E_s4(data, ack))));
F_6 → F_7: {RI}, E_k7(E_kg(E_s4(data, ack)));
F_7 → F_G: {RI}, E_kg(E_s4(data, ack));
When the gateway receives this carrier packet, it decrypts the packet with its own private key and the public key of node F_5, and so determines that the packet is addressed to itself and was sent by node F_5. When the gateway receives the packet it computes the ack value; if both sides' ack values agree, this proves that they received the packets correctly and the subsequent communication proceeds; if they differ, the packet was not correctly received.
The gateway encapsulates a packet to node F_5 in the following form: {RI}, E_kp3(E_kop3(E_kp4(E_kp5(E_sg(data))))).
F_G → F_3: {RI}, E_kp3(E_kop3(E_kp4(E_kp5(E_sg(data)))));
F_3 → F_op3: {RI}, E_kop3(E_kp4(E_kp5(E_sg(data))));
F_op3 → F_4: {RI}, E_kp4(E_kp5(E_sg(data)));
F_4 → F_5: {RI}, E_kp5(E_sg(data)).
Claims (6)
1. A method for hierarchical onion ring routing, characterized in that: the nodes in a wireless Mesh network are divided into three classes, gateway G, trusted nodes OP and ordinary nodes F_i; the OP nodes and the gateway G are inducing nodes; the OP nodes select the route during ring initialization; the set of all OP nodes and the gateway G constitutes an anonymous set; the onion route of the network is divided into two ring layers, the first-layer route, a ring path formed by the non-adjacent trusted nodes OP of the anonymous set and the gateway G, and the second-layer route, the loop formed by filling ordinary nodes F_i in between the trusted nodes OP, also called the lower-layer route; the second-layer route is selected at random by the OP nodes and the gateway during initialization, and anonymous secure communication in the Mesh network is achieved through the layered loops of the onion ring route.
2. The method for hierarchical onion ring routing according to claim 1, characterized in that: layered onion ring routing is used to first initialize the ring for anonymous communication, and the ring initialization process comprises the following steps:
The 1st step: encapsulation process
First: the OP node selects the first-layer route, that is, a numbered anonymous set, encapsulates the onion packet in the order of the nodes of the anonymous set and appends a dummy packet after it; the format of the encapsulated onion packet is as follows:
{build}, E_kpop1[(RI, k_op1, OP2), E_kpop2[(RI, k_op2, G), E_kpg(RI, t)]], dummy;
{build}: packet header, indicating ring-building information; it tells the nodes that a ring is to be initialized;
E_kp: public-key encryption, used to encapsulate the onion packet; the OP1 node encrypts the outermost layer with its own public key E_kpop1, containing the ring number RI, its own session key k_op1, the next-hop address OP2 and the second-layer onion packet encapsulated for the second node of the anonymous set, so that when the OP2 node receives this onion packet it can determine the address the next hop is sent to, and so on;
RI: ring number, formed from the anonymous set number and the ring-building time;
k_i: the session key between node i and the gateway;
t: timestamp, used to check the freshness of a message;
dummy: induction information;
Then: the OP node selects the second-layer route up to the second element of the anonymous set, encapsulates the onion packet in the order of the second-layer route, and distributes the one-time session keys k_op1, k_1, k_2, ..., k_op2 of the uplink within the ring for this communication;
The distributed one-time session keys are told to the gateway so that it knows the uplink path, while the one-time keys of the downlink are distributed by the gateway;
The packet format sent from the first node of the anonymous set to the second node is as follows:
{build}, E_kp1[(RI, k_1, F_2), E_kp2[(RI, k_2, F_3), ..., E_kpop2((RI, k_op2, G), E_kpg(RI, k_op1, k_1, k_2, ..., k_op2, t))]], dummy
F_i: an ordinary node in the network;
The simplified form of the packet is as follows:
{build}, E_kpop1(E_kp1(E_kp2(..., E_kpop2(E_kpg(m_1))))), dummy, where m_1 = {RI, t, k_op1, k_1, k_2, ..., k_op2};
All OP nodes in the ring, for example OP2 and the gateway G, encapsulate onion packets in the same way.
When the second node OP2 of the anonymous set receives the initialization information, it performs path selection and encapsulates an onion packet in the same way as the first element, but forwards the dummy packet directly, as follows:
{build}, E_kpn(...(E_kpop3(E_kpg(m_2), E_kpg(m_1)))), E_kpop2^-1(...E_kp1^-1(dummy)),
where m_2 = {k_op2, k_n, k_n+1, ..., t}, and E_kp^-1 denotes public-key decryption;
The 2nd step: information forwarding process
During information forwarding, an ordinary node F_i in the route ring that has no data to send only decrypts the received onion packet and dummy packet and then sends the decrypted message to the next node, as follows:
{build}, E_kp2(...(E_kpop2(E_kpg(m_1)))), E_kp1^-1(dummy);
The 3rd step: session access request process
When an ordinary node F_i wants to communicate, it replaces the dummy packet, which has been decrypted layer by layer, with its access request information, as follows:
{build}, E_kp(i+1)(E_kp(i+2)(...E_kpg(m))), E_kpi^-1(request);
The 4th step: gateway processing
When the gateway receives the packet sent from the OP1 node it has determined the session initiator; if the gateway agrees to the request, it determines, according to the ring number and the anonymous set, the other half of the ring path, the downlink from the gateway to the session initiator; the gateway encapsulates an onion packet and sends it to the session initiator; this onion packet contains all session keys of the uplink from the session initiator to the OP node or gateway nearest to it, so that the grant information travels from the gateway to the session initiator and communication begins; the packet format is as follows:
{build}, E_kpm(...E_kpop(...(E_kpg(k_i, ..., k_op, grant)))).
3. The method for hierarchical onion ring routing according to claim 2, characterized in that: in the session access request process, if two nodes in the route ring request a session at the same time, the request information of the later node erases the request information of the earlier node, and the earlier node can only wait until the carrier of the next ring arrives and then resend its request.
4. The method for hierarchical onion ring routing according to claim 1, characterized in that: layered onion ring routing is used for ring communication, which comprises the communication process from the session initiator to the gateway and the communication process from the gateway to node F_i; the OP nodes and the gateway encapsulate the onion packet with session keys, and session keys are redistributed each time a ring is built; node F_i encapsulates an onion packet with session keys to the OP node or gateway nearest to it and holds the session with it; when the nearest OP node receives the packet, it likewise selects the second-layer route and communicates with the next element of the anonymous set; except for the gateway and the session initiator, every node in the ring only forwards the decrypted onion packet; the communication process from the session initiator to the gateway is as follows:
F_i → F_i+1: {RI}, E_k(i+1)(E_k(i+2)(...(E_kop(E_kg(E_si(data, ack))))));
F_i+1 → F_i+2: {RI}, E_k(i+2)(...(E_kop(E_kg(E_si(data, ack)))));
...... : ......
F_OP-1 → OP: {RI}, E_kop(E_kg(E_si(data, ack)));
OP → F_OP+1: {RI}, E_k(op+1)(E_k(op+2)(...(E_kg(E_si(data, ack)))));
...... : ......
F_G-1 → G: {RI}, E_kg(E_si(data, ack));
where {RI} is the packet header, indicating that the ring has been set up and communication begins; E_si denotes encryption with the private key of node F_i; data is the information content sent; ack is the message authentication code sent after a packet has been correctly received, used to prove that both communicating parties really received the packet;
After the gateway receives this carrier packet, it decrypts it with its own private key and the public key of node F_i, determines that the packet is addressed to itself and was sent by node F_i, and computes the ack value; if both sides' ack values differ, this proves that they did not receive the packets correctly; otherwise, if both sides' ack values are identical, the gateway can communicate with the session initiator, and it then encapsulates, according to the ring number and the anonymous set, a packet {RI}, E_kg(E_kop1(E_ki(E_sg(data)))) to node F_i; the communication process from the gateway to node F_i is as follows:
G → F_m: {RI}, E_km(E_k(m+1)(...(E_kop1(E_ki(E_sg(data))))));
F_m → F_m+1: {RI}, E_k(m+1)(...(E_ki(E_sg(data))));
...... : ......
OP1 → F_1: {RI}, E_k1(...(E_ki(E_sg(data))));
...... : ......
F_i-1 → F_i: {RI}, E_ki(E_sg(data)).
5. The method for hierarchical onion ring routing according to claim 4, characterized in that: when there are two session initiators in the ring, the later session initiator can encrypt the dummy information that has already been encrypted by the earlier initiating node and hold the session with the gateway, while the earlier session initiator can only wait for the next ring to converse; although this causes delay, other rings in the network are communicating at the same time.
6. The method for hierarchical onion ring routing according to claim 1, characterized in that: if neither side has data to send during communication, the session initiator sends an onion packet with empty content to the gateway, and the gateway encapsulates an onion packet with empty content to the OP node, which ends the communication.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2009100236403A CN101635918B (en) | 2009-08-19 | 2009-08-19 | Method for hierarchichal onion rings routing |
Publications (2)
Publication Number | Publication Date |
---|---|
CN101635918A true CN101635918A (en) | 2010-01-27 |
CN101635918B CN101635918B (en) | 2012-01-04 |
Family ID: 41594933
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN2009100236403A Expired - Fee Related CN101635918B (en) | 2009-08-19 | 2009-08-19 | Method for hierarchichal onion rings routing |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN101635918B (en) |
Cited By (15)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102238090A (en) * | 2011-07-08 | 2011-11-09 | 清华大学 | Grouping rerouting method for anonymous communication system |
CN104486810A (en) * | 2015-01-06 | 2015-04-01 | 无锡儒安科技有限公司 | Wireless sensor network routing loop prediction method based on multi-dimensional states |
CN105553827A (en) * | 2015-12-10 | 2016-05-04 | 北京理工大学 | Message forwarding method for giving consideration to both anonymity and communication delay in anonymous network |
CN106416184A (en) * | 2014-05-16 | 2017-02-15 | 高通股份有限公司 | Establishing reliable routes without expensive mesh peering |
CN109413089A (en) * | 2018-11-20 | 2019-03-01 | 中国电子科技集团公司电子科学研究院 | Distributed network anonymous communication method, device and storage medium |
CN109471834A (en) * | 2018-11-15 | 2019-03-15 | 上海联影医疗科技有限公司 | Synchronous ring structure, synchronous method, medical image system, equipment and storage medium |
CN109787896A (en) * | 2018-12-05 | 2019-05-21 | 北京邮电大学 | A kind of node selecting method and equipment for communication link building |
CN111314336A (en) * | 2020-02-11 | 2020-06-19 | 中国科学院信息工程研究所 | Dynamic transmission path construction method and system for anti-tracking network |
CN111970243A (en) * | 2020-07-20 | 2020-11-20 | 北京邮电大学 | Message forwarding method of multistage routing in anonymous communication network |
CN111970247A (en) * | 2020-07-20 | 2020-11-20 | 北京邮电大学 | Method for sending confusion messages of peer-to-peer ring in anonymous communication network |
CN111970245A (en) * | 2020-07-20 | 2020-11-20 | 北京邮电大学 | Heterogeneous layered anonymous communication network construction method and device |
CN112019502A (en) * | 2020-07-20 | 2020-12-01 | 北京邮电大学 | Anonymous protection method for user nodes of ring guard network and electronic equipment |
CN112019501A (en) * | 2020-07-20 | 2020-12-01 | 北京邮电大学 | Anonymous communication method and device for user nodes |
CN113572727A (en) * | 2021-06-08 | 2021-10-29 | 深圳市国电科技通信有限公司 | Data security concealed transmission method and system based on P2P network routing node |
CN117811834A (en) * | 2024-02-27 | 2024-04-02 | 苏州大学 | Obfs4 confusion flow detection method, system, equipment and medium |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105357113B (en) * | 2015-10-26 | 2018-08-21 | 南京邮电大学 | A kind of construction method based on heavy-route anonymous communication path |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
FI108832B (en) * | 1999-03-09 | 2002-03-28 | Nokia Corp | IP routing optimization in an access network |
CN101132351A (en) * | 2006-08-21 | 2008-02-27 | 北京邮电大学 | Wireless sensor network path establishing method and device thereof |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| C14 | Grant of patent or utility model | |
| GR01 | Patent grant | |
| CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20120104; Termination date: 20150819 |
| EXPY | Termination of patent right or utility model | |