Summary of the invention
The invention provides a kind of safety method of radio sensing network, select to have high credible node and carry out secure communication, improve the communication security of radio sensing network.
Radio sensing network (WSN, wireless sensor network) communication on is the communication between the node after all, select any two nodes on the radio sensing network, these two nodes are denoted as source node and destination node respectively, these two internodal distances are greater than the communication radius of arbitrary node, but, there is overlapping region with the communication range that guarantees two nodes less than two node communication radius sums.
The encryption method of a kind of radio sensing network of the present invention comprises:
(1) calculates first PKI and first private key at source node;
The production method of PKI and private key adopts the unsymmetrical key negotiation mechanism, as RSA Algorithm, elliptic curve encryption algorithm (ECC), Diffie-Hellman algorithm, El Gamal algorithm, DSA algorithm etc.;
(2) source node is searched first intermediate node, and first PKI is sent to first intermediate node;
(3) first intermediate nodes send to destination node with first PKI;
(4) destination node uses first PKI that first clear data is encrypted, and generates first encrypt data;
(5) calculate second PKI and second private key at destination node, and search second intermediate node, first encrypt data and second PKI are sent to second intermediate node;
(6) second intermediate nodes send to source node with first encrypt data and second PKI;
(7) source node uses first private key that first encrypt data is deciphered, and restores first clear data, to the second plaintext data encryption, generates second encrypt data with second PKI, and calculates the 3rd PKI and the 3rd private key;
(8) source node is searched the 3rd intermediate node, and second encrypt data and the 3rd PKI are sent to the 3rd intermediate node;
(9) the 3rd intermediate nodes send to destination node with second encrypt data and the 3rd PKI;
(10) destination node uses second private key that second encrypt data is deciphered, and restores the second plaintext data, to the 3rd expressly data encryption, generates the 3rd encrypt data with the 3rd PKI, and calculates the public private key pair that makes new advances;
(11) source node and destination node repeat the above process of calculating public private key pair, encryption, deciphering, search intermediate node, pass on PKI and encrypt data by intermediate node, realize communicating by letter between source node and destination node.
By above method, finish once communication between source node and the destination node, first clear data is sent to source node from destination node, and the second plaintext data are sent to destination node from source node.Afterwards, according to the selection intermediate node of above method circulation great-jump-forward, corresponding public key and ciphertext transmit between source node and destination node by intermediate node between source node and the destination node.But PKI and ciphertext that each intermediate node receives or transmits can not cooperate, for example, second intermediate node has received first encrypt data and second PKI that sends from destination node in above method, but first encrypt data is to be generated by first public key encryption.Like this, even the data on the second intermediate node P2 are intercepted and captured, can not influence the transmission safety of data yet.
In the above method, all intermediate nodes are the interior trusted node of communication range overlapping region of source node and destination node, decision node is that the method for trusted node or malicious node has two kinds, a kind of method is judged as trusted node with its relative stability RS less than the node of default relative stability threshold value RS ', otherwise is malicious node.The relative stability RS of node is a node each time after the change in location, and with respect to the mean value of the rate of change of a preceding change in location, its mathematics tabular form is:
Wherein, t
0The initial time of expression record, t
nThe moment of representing the n time record, pos
0The initial position of expression node, pos
nThe position of node when representing the n time record.
Another kind method is judged as trusted node with its absolute AS less than the node of default absolute threshold value A S ', otherwise is malicious node.The absolute AS of node is a node after change in location each time, and with respect to the mean value of rate of change of the change in location first time, its mathematics tabular form is:
Wherein, t
0The initial time of expression record, t
nThe moment of representing the n time record, pos
0The initial position of expression node, pos
nThe position of node when representing the n time record.
The safety communicating method of a kind of radio sensing network of the present invention, this method is judged effective filtering fallacious node with key agreement logical AND data communication logical separation by the feasibility of node, selection has high credible node and carries out secure communication, improves the communication security of radio sensing network.
Embodiment
Describe the safety communicating method of a kind of radio sensing network of the present invention in detail below in conjunction with accompanying drawing
Concrete implementation step.
As Fig. 1, node A, B are two nodes on the radio sensing network, are labeled as source node A and target node b respectively, and its communication range is for being the center of circle with the node, with communication radius R separately
A, R
BBe the circle of radius, these two internodal distances are L
AB, two euclidean distance between node pair L
ABSatisfy max (R
A, R
B)<L
AB<R
A+ R
B, max (R
A, R
B) two node communication radiuses of expression are bigger one.Distance L between the two
ABSatisfy this condition so that the communication range of two nodes has common factor S
AB, this common factor is called the ND zone (NeighborDiscovery) of source node A and target node b.If L
AB≤ max (R
A, R
B), promptly one of them node can be covered by the communication range of another node, then can direct communication between these two nodes.
Communication between source node A and the target node b shows as mutual data transmission between two nodes.In radio sensing network, data with the form of packet in transmission over networks.The data M A that source node A will need to transmit is cut apart and is packaged into l packet MA
1, MA
2... MA
l, the data M B that target node b will need to transmit is cut apart and is packaged into m packet MB
1, MB
2... MB
mL and m can equate, also can not wait, and depending on needs data quantity transmitted, but the amount of capacity of each packet equates.
As shown in Figure 2, realize that according to these two nodes of the present invention the method for secure communication is:
(1) source node A calculates a pair of PKI PKA
1With private key PSA
1
The production method of PKI and private key adopts the unsymmetrical key negotiation mechanism, as RSA Algorithm, elliptic curve encryption algorithm (ECC), Diffie-Hellman algorithm, El Gamal algorithm, DSA algorithm etc.
(2) source node A is in the ND region S
ABIn find out an intermediate node P
1, with PKI PKA
1Send to intermediate node P
1
Can't direct communication because the distance between source node A and target node b is far away, then need to come transfer of data by intermediate node.In the ND region S
ABIn the intermediate node that finds out must guarantee that the communication radius of the intermediate node that source node A and target node b are all found out covers, and makes source node A can both communicate by letter with the intermediate node that finds out with target node b.
Exist malicious node on the radio sensing network, if selected the intermediate node of malicious node as transfer of data, then communication security will be on the hazard.Therefore need distinguish malicious node and trusted node.On radio sensing network, the physical location of node generally can change.But the amplitude of malicious node change in location and frequency are all greater than trusted node.Based on this, can judge whether a certain node is malicious node.
The invention provides two kinds of methods of judging malicious node.A kind of is relative stability determination methods (Relative Stability Choose is called for short RSC), and another kind is absolute determination methods (Absolute Stability Choose is called for short ASC).
As shown in Figure 3, the relative stability determination methods of malicious node is:
At initial time t
0Write down the position pos of this node
0, at t
1Constantly write down the position pos of this node
1, at t
2Constantly write down the position pos of this node
2... the time interval of twice record can be set to equate or do not wait that the time interval is data rule of thumb, and sample with one minute to five minutes interval, because subsequent calculations is rate of change, therefore the size of choosing blanking time can not influence accuracy.The number of times of record can be regulated, and the many more judgements to node of the number of times of record are accurate more, generally get 5~10 times.
The relative stability RS of computing node then.The relative stability RS of node is defined as node each time after the change in location, and with respect to the mean value of the rate of change of a preceding change in location, its mathematics tabular form is:
With the relative stability RS and default relative stability threshold value RS ' of this node, this threshold value is a ND region S within the some cycles
ABIn the mean value that changes of all modal displacements.Relatively, if RS 〉=RS ' judges that then this node is a malicious node; If RS<RS ' judges that then this node is a trusted node.
The absolute determination methods and the relative stability determination methods of malicious node are similar, as shown in Figure 4, at first also must write down each t constantly
0, t
1... the position pos of this node
0, pos
1..., the absolute AS of computing node then.The absolute AS of node is defined as node after change in location each time, and with respect to the mean value of rate of change of the change in location first time, its mathematics tabular form is:
With the absolute AS and default absolute threshold value A S ' comparison of this node, if AS 〉=AS ' judges that then this node is a malicious node; If AS<AS ' judges that then this node is a trusted node.
Source node A is by relative stability determination methods or absolute determination methods (selection of determination methods was finished through negotiation before communication according to communication node), in the ND of source node A and target node b region S
ABIn find out a trusted node P
1As intermediate node, and with the PKI PKA that calculates
1Send to intermediate node P
1
(3) intermediate node P
1With PKI PKA
1Send to target node b.
(4) target node b receives PKI PKA
1After, PKA uses public-key
1To packet MB
1Encrypt, generate corresponding ciphertext data SB
1
(5) target node b calculates a pair of PKI PKB
1With private key PSB
1, the production method of PKI and private key adopts the unsymmetrical key negotiation mechanism equally.
(6) target node b is in the ND region S
ABIn find out intermediate node P
2, with PKI PKB
1With encrypt data SB
1Send to intermediate node P
2
The lookup method of intermediate node judges at first according to the determination methods of above-described malicious node whether certain node is malicious node, and malicious node is filtered, and selects a trusted node to transmit data as intermediate node.
Below the lookup method of all intermediate nodes all identical, all be in the ND region S
ABIn find out trusted node as intermediate node.
(7) intermediate node P
2With PKI PKB
1With encrypt data SB
1Send to source node A.
(8) source node A uses private key PSA
1With encrypt data SB
1Deciphering restores packet MB
1
(9) source node A PKI PKB
1To packet MA
1Encrypt, generate corresponding ciphertext data SA
1
(10) source node A adopts the unsymmetrical key negotiation mechanism to calculate a pair of PKI PKA
2With private key PSA
2
(11) source node A is in the ND region S
ABIn search intermediate node P
3, with encrypt data SA
1With PKI PKA
2Send to intermediate node P
3
(12) intermediate node P
3With encrypt data SA
1With PKI PKA
2Send to target node b.
(13) target node b uses private key PSB
1With encrypt data SA
1Deciphering restores packet MA
1
(14) target node b PKI PKA
2To packet MB
2Encrypt, generate corresponding ciphertext data SB
2
(15) target node b adopts the unsymmetrical key negotiation mechanism to calculate a pair of PKI PKB
2With private key PSB
2
Then, target node b is searched intermediate node P
4, with encrypt data SB
2With PKI PKB
2Send to intermediate node P
4, by P
4With encrypt data SB
2With PKI PKB
2Transfer to source node A.Repeat said process, constantly search intermediate node, pass on PKI and encrypt data by intermediate node.But each intermediate node reception or the PKI and the encrypt data that pass on can not cooperatively interact.For example, intermediate node P
2The PKI PKB that receives or pass on
1With encrypt data SB
1And not matching, because encrypt data SB
1Be the PKI PKA that target node b adopts source node A to calculate
1To packet MB
1Encrypt and generate.Equally, intermediate node P
3The PKI PKA that receives or pass on
2With encrypt data SA
1And not matching, because encrypt data SA
1Be the PKI PKB that source node A adopts the target source Node B to calculate
1To packet MA
1Encrypt and generate.Like this,, can not utilize the PKI of intercepting and capturing to crack the encrypt data of intercepting and capturing, protect the fail safe of communication data even PKI on the intermediate node and encrypt data are intercepted and captured.
According to above method, the double counting public private key pair, encrypt, search the process of intermediate node, deciphering, ultimate source node A will receive all packet MB
1, MB
2... MB
m, this m packet reconfigured to recover data M B.Equally, target node b will receive all packet MA
1, MA
2... MA
l, this l packet reconfigured to recover data M A.Owing to the packet on the node is to be encrypted by the PKI that calculates on another node, and the public private key pair of each packet is all inequality, then must calculate m altogether to public private key pair at source node A, must calculate l public private key pair altogether at target node b.Like this, even ganging up also, adjacent two intermediate nodes can not bring bigger threat to whole communication process.For example, if above-mentioned first intermediate node P
1With second intermediate node P
2Gang up first intermediate node P
1With its PKI PKA that receives
1Send second intermediate node P to
2Because second intermediate node P
2Can receive by PKI PKA
1To packet MB
1The encrypt data SB that encrypts and generate
1, second intermediate node P so
2Might utilize PKI PKA
1To encrypt data SB
1Crack, and crack out packet MB
1But packet MB
1Be the sub-fraction among the data M B, even crack out packet MB
1Security threat to whole data M B is also just very little.
In order to verify performance of the present invention, we have carried out following test under the Netlogo of Northwestern Univ USA platform: be provided with three kinds of roles in the environment of experiment, a kind of is trusted node, their mobile rule is to produce by random function to have the displacement that stable fluctuation changes, and quantity is 100; Another is the base station, and fixed-site is constant, and quantity is 10; At last a kind of is malicious node, and its change in location is random high-speed mobile, and one has 20.
Test the communication efficiency an of the inventive method
We select five group nodes, and this five group node all communicates according to the method that the present invention searches intermediate node by great-jump-forward, selects a group node in addition as a comparison, and this group node is according to the communication mode of traditional stationary nodes.It is 128k that each handshake procedure data packets for transmission is set, and tests the time that each handshake procedure experiences, relatively the loss of its performance.A handshake procedure represents to transmit mutually between two communication nodes the process of a packet, is referred to as the session that communicates by letter.
Test result data as shown in Figure 5, the ordinate of test data figure is represented each communication time that session experienced, unit is a millisecond, which session abscissa represents, a nethermost test result that curve is the communication mode of conventional fixed node among the figure, above five curves represent five groups of test results that communicate according to the inventive method respectively.
By the figure sight, at the node communication initial phase, promptly in first session, stationary nodes communication pattern and great-jump-forward coded communication of the present invention all need to calculate public private key pair, and its required time is suitable, is about 700ms the performance basically identical.And after first session, because each session of great-jump-forward communication means needs to search for new intermediate node and calculates new public private key pair, therefore the required time is longer, and performance loss is bigger, does not have significant change than the time that first session consumed.And traditional stationary nodes communication pattern need not to search for new intermediate node, also need not to calculate new public private key pair, the time less that each session is required, and than first session, the time that is consumed obviously reduces.Communication means of the present invention is 81.7% with respect to the mean value of stationary nodes communication pattern performance loss.
For improving efficient of the present invention, the coding structure of algorithm is adjusted:
1, the formation logic of the public private key pair of next Session and the transmission logic of current Session packet being calculated by thread parallel, is example with Fig. 2, when target node b with encrypt data bag SB
1With PKI PKB
1Send to intermediate node P
2After, promptly begin to calculate next public private key pair PKB
2, PSB
2, and need not to receive by the time intermediate node P
3The data of passing on just begin to calculate public private key pair.Parallel computation is to shorten call duration time like this.
2, with the size of the packet of each Session, be increased to 1024k.Packet size is big more, its time of transmitting between two nodes is long more, source node A and target node b can make full use of the transmission time of packet and handle static traffic, as encrypting, deciphering, calculating public private key pair, can improve the utilization ratio of time like this.
After the algorithm adjustment, repeated experiments.Once more after the test experimental result that draws as shown in Figure 6 because packet size increases, the elapsed time of first session increases to about 2800ms.Afterwards, be 11.5% according to the method after improving with respect to the performance loss mean value of stationary nodes communication pattern, reduced the loss of performance significantly, optimized communication efficiency.
Test the communications security of two the inventive method
Selected 4 group nodes, all adopted great-jump-forward coded communication pattern of the present invention, wherein the lookup method of 2 groups of intermediate nodes adopts the relative stability determination methods, is called for short SCR; The lookup method of other 2 groups of intermediate nodes adopts the absolute determination methods, is called for short SCA.
Select quantity by the node of testing within 10 minutes, the efficient that the evaluate safety node is selected.
Experimental data is as shown in the table, by apparent it, RSC algorithm and ASC algorithm all are to judge malicious node by the variation of stabilizing distance, detection in conjunction with the historical position data, for the logic of node Dynamic Selection provides tighter credible detection algorithm, as a whole, algorithm can filter a large amount of malicious nodes, the node of selecting to have higher-security from mobile radio network communicates, and has effectively ensured the communication security on the radio sensing network.
Table 1 adopts different nodes to search the comparison of algorithm to the malicious node screening effeciency
The intermediate node lookup method |
The intermediate node sum |
Ordinary node |
Malicious node |
The node efficiency of selection |
The RSC algorithm |
905 |
871 |
34 |
96.2% |
The RSC algorithm |
865 |
839 |
26 |
97.0% |
The ASC algorithm |
896 |
867 |
29 |
96.8% |
The ASC algorithm |
849 |
812 |
37 |
95.6% |