CN104320778A - Integrity protection method for long data stream in wireless sensor network - Google Patents

Abstract

The invention discloses a safe and efficient integrity protection method of a wireless sensor network and belongs to the technical field of safety of internet of things. The safe and efficient integrity protection method comprises the following steps that 1 a shared key is sent from a base station (BS) to a sender and a receiver respectively at a pre-configuring stage; 2 the sender uses a signature algorithm to generate signatures of data elements at a signature stage and sends the data elements and the signatures of the data elements to the receiver; 3 the receiver firstly determines that messages are from the sender, then uses the signature algorithm in the previous stage to verify the data elements and the signatures of the data elements at a verification stage. The integrity protection method is a practical method capable of effectively reducing the communication cost of an integrity protection protocol. Due to the fact that the integrity protection method adopts Montgomery modular multiplication which is not adopted in the existing scheme and the input length of a scattering function is limited, the calculation cost of a long data stream is remarkably reduced, and new characteristics of safety and efficiency of a data integrity protection mechanism are achieved.

Description

An Integrity Protection Method for Long Data Streams in Wireless Sensor Networks

technical field

The invention relates to a method for protecting the integrity of long data streams in a wireless sensor network, and belongs to the technical field of Internet of Things security.

Background technique

Today wireless sensor networks have been widely deployed in military, environmental and other commercial applications. In order to transmit data between two sensor nodes in an adversarial network, an integrity protection module should be deployed to ensure that the data will not be disturbed by attackers in the network. No matter how the technology is implemented, the data integrity protection scenario consists of three parts: base station (BS), sender and receiver. Before communicating, the sender and receiver are deployed through the base station using a shared secret. During data transmission, the sender organizes the data into fixed-size elements and generates a message authentication code (MAC) for each data element (via a shared secret). It then sends the data element along with the message authentication code to the receiver. Once the data and message authentication code are received, the receiver will use the shared secret to verify the message authentication code to ensure that the received data has not been tampered with.

Computational cost is a serious problem in the above data integrity protection system. Due to limited energy, senders and receivers are deeply concerned about the high computational cost brought by signing and verifying long data streams. Therefore, in order to improve the life cycle of sensor nodes, the current data integrity protection technology mainly adopts a simple scatter function to generate and verify the message authentication code instead of public key encryption. Unfortunately, in current schemes, the input length of the scatter function depends on the data flow, leading to high computational cost and shorter lifetime. Therefore, a prerequisite for carefully designing a data integrity protection protocol for sensor networks is that the input length of the scattering function is independent of the length of the data stream.

A data integrity protection protocol for sensor networks should meet the following requirements: (1) Correctness. The sender and receiver should ensure that no one in the hostile network can interfere with the data. (2) Strong resistance to replay attacks. The sender and receiver should ensure that the data stream is not fraudulently repeated by an attacker. (3) Strong resistance to sequence errors. The sender and receiver should ensure that the order of multiple data elements is not changed by an attacker. (4) Low cost of signing and verifying long data streams. Since energy is limited, senders and receivers should keep their computational costs low, especially when dealing with long data streams. In particular, when a data stream is decomposed into multiple data elements, the computational cost of the following schemes should be low: (i) sign a long data element; (ii) verify a long data element; (iii) sign multiple Short data elements; (iv) Validate multiple short data elements.

Obviously, designing a data integrity protection method for sensor networks is an important task, because resource-constrained sensor nodes do not have the ability to sign, transmit and verify lengthy data streams. Current schemes based on symmetric keys can satisfy requirements (1), (2) and (3). However, the signing and verification costs are still high for long data streams. More importantly, when considering the research topic, we observe that none of the existing cryptographic primitives can be directly used to achieve the goals discussed above.

Contents of the invention

Purpose of the invention: in order to solve above-mentioned safety and efficiency problem, the present invention proposes a kind of integrity protection method of long data flow in the wireless sensor network, because this method limits the input length of scattering function, and uses Montgomery modular multiplication (MM) Operating on lengthy data streams, this method can provide efficient key distribution, signature and verification algorithms and protocols that meet the above security performance.

Technical solution: a method for integrity protection of long data streams in a wireless sensor network, including:

(1) Pre-configuration method

The pre-configuration method realizes the generation of key material and its distribution from the base station to the sender and receiver; the base station constructs a key generation function according to the method of generating random numbers, and then generates a shared key according to the function and passes the complete/confidential/ The anti-replay protected key distribution channel is assigned to two entities, the sender and the receiver;

(2) Signature method

The signature method enables the sender to communicate with the receiver on data elements and signature issues; when the sender uses the signature algorithm to sign the data elements, the generated signature and message verification code are sent to the receiver;

(3) Verification method

The verification method realizes the receiver's verification of the received signature and message verification code; the receiver first verifies the message verification code through the shared key to ensure that the source of the message is the sender and the message has not been tampered with by interference, and then uses the signature algorithm to verify the signature Validation is performed to obtain data elements.

Beneficial effect: Compared with the prior art, the integrity protection method of the long data flow in the wireless sensor network provided by the present invention ensures the data integrity of the sensor network, referred to as IPLDS, which is based on two scattering functions. However, unlike current mechanisms based on scattering functions, IPLDS is a new approach based on a novel signature algorithm. The present invention does not use traditional signature algorithms for the following reasons: In current signature algorithms, the scatter function operates on the entire data stream, which is rather time-consuming. On the other hand, noting that Montgomery Modular Multiplication (MM) is more efficient than scatter functions, IPLDS is designed to mainly perform Montgomery Modular Multiplication (MM) operations on data streams and allow multiple data elements to share the operation of a scatter function. By doing this, both the sender and receiver can significantly reduce computational costs.

Through safety analysis and benefit evaluation, the method meets the required safety goal. This approach also validates the efficiency of IPLDS theoretically and experimentally, showing that it can meet all the above requirements. The research of this method is of great significance to improve the integrity protection technology of long data streams, and then promote the safe development of my country's Internet of Things and the prosperity of the Internet economy.

Description of drawings

Figure 1 is the system model of the data integrity protection scheme.

Figure 2 is a flowchart of the pre-configuration phase.

Figure 3 is a flow chart of the signature phase.

Figure 4 is a flowchart of the verification phase.

Detailed ways

Below in conjunction with specific embodiment, further illustrate the present invention, should be understood that these embodiments are only used to illustrate the present invention and are not intended to limit the scope of the present invention, after having read the present invention, those skilled in the art will understand various equivalent forms of the present invention All modifications fall within the scope defined by the appended claims of the present application.

The system model of the data integrity protection scheme of wireless sensor network is shown in Fig.1. It includes the entities involved in the method of the present invention, the protocol for communication between these entities, and the algorithms that run on the protocol.

The present invention defines three entities: base station (BS), sender and receiver. The base station (BS) is used to generate the key and transmit the shared key to the sender and receiver respectively. After the sender obtains the key and initial value from the base station, it needs to use the signature algorithm to generate a signature and message authentication code (MAC) for the data element to be sent, and send it to the receiver. The receiver needs to first check whether the source of the message is the sender, and determine whether the message should be handled by itself. The message is then verified using a signature algorithm resulting in a data element.

The design basis of the method of the present invention is that the input length of the scattering function is independent of the length of the data stream and the Montgomery modular multiplication (MM). The input length of the scatter function is independent of the length of the data stream means that no matter how long the data stream is, the input length of the scatter function used in this method is a fixed value, which will effectively reduce the calculation cost. In addition, the Montgomery modular multiplication (MM) is much more efficient than the scattering function, and using the Montgomery modular multiplication (MM) to operate on lengthy data streams will also significantly reduce the computational cost of long data streams.

Generally speaking, the integrity protection method of the long data flow in the wireless sensor network provided by the present invention is a practical method that can effectively reduce the communication cost of the integrity protection protocol, because it adopts the The Montgomery Modular Multiplication (MM) and the input length of the scattering function are limited, thereby significantly reducing the calculation cost of long data streams, and satisfying the new security and high-efficiency characteristics of the data integrity protection mechanism.

The details are as follows:

(1) Preconfigured methods, including:

The preconfiguration method enables the generation of keying material and its distribution from the base station to the sender and receiver. The base station constructs a key generation function according to the method of generating random numbers, and then generates a shared key according to the function and distributes it to the two entities of the sender and the receiver through the key distribution channel of complete/confidential/anti-replay protection.

The pre-configuration method enables the sender and receiver to have shared keying material. Make sure that the sender and receiver can use the correct key for signature algorithm and verification before and after communication.

(2) New signature methods, including:

The signature method enables the sender to communicate with the receiver about data elements and signature issues. After the sender uses the signature algorithm Gensig to sign the data element, the generated signature and message authentication code (MAC) are sent to the receiver.

The signature method enables the sender to send the correct signature and message authentication code (MAC) to the receiver in an adversarial network, avoiding replay attacks and sequence errors.

(3) New verification methods, including:

The verification method implements the receiver's verification of the received signature and message verification code. The receiver first verifies the message verification code through the shared key to ensure that the source of the message is the sender and the message has not been tampered with, and then uses the signature algorithm to verify the signature to obtain the data element.

The verification method completes the verification process on the basis of pre-configuration and signature, so that the key material generated in the pre-configuration stage is applied to the message verification code and signature generated in the signature stage.

Through the above verification process, it can be judged whether most of the blocks in the received message are transmitted correctly.

As can be seen from the technical solutions provided by the above-mentioned embodiments of the present invention, this invention is a practical method that can effectively reduce the communication cost of the integrity protection protocol, because it uses the Montgomery Modular Multiplication (MM) that is not used in the existing solutions. ), and limit the input length of the scatter function, which is embodied in the following way: first, fill the input data of the scatter function to a length l, where l satisfies l%512=448. Then, the input data is further padded into multiple 512-bit blocks. Finally, it performs 80 permutation operations on each block, outputting a 160-bit string. If a data element is longer than 512 bits, the scatter function will split it into multiple 512-bit chunks. In addition, in the signature and verification stages, each data element uses only one Montgomery modular multiplication, which significantly reduces the computational cost of long data streams and satisfies the new security and efficiency features of the data integrity protection mechanism.

The embodiment of the present invention includes three parts: (1) pre-configuration stage; (2) signature stage; (3) verification stage.

In the pre-configuration stage, the base station generates a set of shared keys through a key generation algorithm and sends them to two entities, the sender and the receiver. The base station is a trusted entity that establishes a trust relationship with the sender and receiver respectively, and the key distribution channel between them should provide complete/confidential/anti-replay protection to ensure that the sender and receiver can get the correct key.

In the signature phase, the sender can communicate with the receiver on data elements and signature issues.

In the verification phase, the receiver verifies the received signature and message verification code.

The above three parts are firstly generated by the base station and assigned keys to the two entities of the sender and the receiver, followed by the completion of the signature phase, and finally the verification phase.

In order to facilitate the understanding of the embodiments of the present invention, the embodiments of the present invention will be described below (the following embodiments are all specific descriptions in the scenario of a single data element).

Embodiment one

The design of this embodiment completes the pre-configuration. The purpose of pre-configuration is to generate key material and distribute shared key material to the sender and receiver. Including but not limited to the following steps:

Step 100, the base station constructs a key generation function, and generates key material by this function;

Step 102, the base station establishes a trusted distribution channel between the sender and the receiver, and distributes keys to the sender and receiver respectively.

As shown in Figure 2, the steps are described as follows:

Step 100: the base station first constructs a key generation function Genkey. The base station then operates with this function: sk←Genkey(1 ^λ ), which takes the security parameter λ as input and sk as output, where sk includes a random initial value p and two random The generated shared secret key {β ₀ , β ₁ }. In this algorithm, the length of λ determines the security level of {β ₀ , β ₁ } in IPLDS, the larger the λ, the larger the key space and the more difficult it is to crack (usually, in order to avoid exhaustive cracking, information security It is recognized in the field that λ should reach at least 80 bits to achieve a major level of security). Furthermore, the length of p should exceed λ bits.

Step 102: After generating the key material, the base station sends the shared key to the sender and the receiver respectively through the key distribution channel that provides complete/confidential/anti-replay protection, and the sender and the receiver will respectively hold sk={ β ₀ , β ₁ , p} carry out the next signature and verification, which will be explained in detail in the following steps (for the multi-data element scenario, the set of keys generated by the base station for the sender and receiver is sk= {β ₀ ,β ₁ ,...,β _s ,p}).

The purpose of the signature phase is: the sender signs the data element block and sends the signature and message verification code to the receiver. Including but not limited to the following steps:

Step 104: The sender uses a signature algorithm to sign the data element.

Step 106: the sender sends the identity information and signature to the receiver in the hostile network.

As shown in Figure 3, the specific description is as follows:

Step 104: At this stage, the sender uses the signature algorithm Gensig to sign the data element d∈Z _p (Z _p is a set of natural numbers smaller than p). Considering the data elements d and sk={β ₀ , β ₁ ∈ Z _p }, the sender divides the data element d into two d _f and d _l of the same length, the Gensig algorithm takes d and sk as input, and proceeds as follows Signature calculation for data element d: τ=SHA1(β ₀ ||sID||rID||d _f )+β ₁ d ₁ mod p, where sID is the identity of the sender and rID is the identity of the receiver, due to the scattering function The input length of β is 448 bits, then the length of β ₀ ||sID||rID||d _f should be equal to 448 bits (and for multi-element data scenarios, the sender divides the data elements into s data (d ₁ ,...d _s ∈ Z _p ), and generate a signature for multiple data elements as $\mathrm{\τ}=\mathrm{SHA}1\left({\mathrm{\β}}_0\right|\left|\mathrm{sID}\right|\left|\mathrm{ID}\right)+\underset{i=1}{\overset{\mathrm{the\; s}}{\mathrm{\Σ}}}{\mathrm{\β}}_i{d}_i\mathrm{mod}p).$

Step 106: After the sender performs the signature algorithm, then send the signature and message verification code (sID, rID, d, τ) to the receiver in the hostile network.

The purpose of the verification phase is to realize the verification of the received signature by the receiver. Including but not limited to the following steps:

Step 108: After receiving the message, the sender first checks whether the source is the sender, and whether it should be handled by itself.

Step 110: After confirming the authenticity of the message, use the signature algorithm for verification.

As shown in Figure 4, the verification phase is specifically described as follows:

Step 108: Once (sID, rID, d, τ) is received from the sender, the receiver (rID) first checks (sID, rID) to determine that this data was sent by the sender (sID) and should be processed by itself ( During the configuration phase, both the sender and the receiver know each other’s identity information, which can be used for subsequent identity verification).

Step 110: After confirming the source of the message, the receiver continues to use the Gensig algorithm to verify (d,τ), and the verification formula is as follows: τ=SHA1(β ₀ ||sID||rID||d _f )+β ₁ d ₁ mod p , to compare whether the calculated and received are consistent, and if they are consistent, it is considered that the correct data element is obtained. The Gensig algorithm is the same as that in the signature phase (the algorithm in the multi-data element scenario is also the same as the corresponding algorithm in the signature phase).

Claims (4)

1. A method for integrity protection of long data streams in a wireless sensor network, characterized in that, comprising: (1) Pre-configuration method The pre-configuration method realizes the generation of key material and its distribution from the base station to the sender and receiver; the base station constructs a key generation function according to the method of generating random numbers, and then generates a shared key according to the function and passes the complete/confidential/ The anti-replay protected key distribution channel is assigned to two entities, the sender and the receiver; (2) Signature method The signature method enables the sender to communicate with the receiver on data elements and signature issues; when the sender uses the signature algorithm to sign the data elements, the generated signature and message verification code are sent to the receiver; (3) Verification method The verification method realizes the receiver's verification of the received signature and message verification code; the receiver first verifies the message verification code through the shared key to ensure that the source of the message is the sender and the message has not been tampered with by interference, and then uses the signature algorithm to verify the signature Validation is performed to obtain data elements. 2. the integrity protection method of long data flow in the wireless sensor network as claimed in claim 1, is characterized in that, pre-configuration method comprises the steps: Step 100: The base station first constructs a key generation function Genkey; the base station then operates on this function: sk←Genkey(1 ^λ ), it takes the security parameter λ as input and a random initial value p sum to the sender and receiver Party's two random shared keys {β ₀ , β ₁ } as output; in this algorithm, λ is the length of {β ₀ , β ₁ } that determines the security level of IPLDS, and the length of p should exceed λ bits ; Step 102: After generating the key material, the base station sends the shared key to the sender and the receiver respectively through the key distribution channel that provides complete/confidential/anti-replay protection, and the sender and the receiver will respectively hold sk={ β ₀ , β ₁ ,p} perform signature and verification. For multiple data element scenarios, a set of keys generated by the base station for the sender and receiver is sk={β ₀ ,β ₁ ,……,β _s ,p} . 3. the integrity protection method of long data flow in wireless sensor network as claimed in claim 1, is characterized in that, signature method comprises the steps: Step 104: The sender uses the signature algorithm Gensig to sign the data element d∈Z _p ; considering the data element d and sk={β ₀ , β ₁ ∈ Z _p }, the sender divides the data element d into two equal-length df and dl, and calculate the signature of data element d as τ=SHA1(β ₀ ||sID||rID||d _f )+β ₁ d ₁ modp, where sID is the sender’s identity and rID is the receiver’s identity, and the length of β ₀ ||sID||rID||d _f should be 448 bits, and for the multi-element data scenario, the sender divides the data elements into s data (d ₁ ,……d _s ∈ Z _p ) , and generate a signature for the multi-data element as $\mathrm{\τ}=\mathrm{SHA}1\left({\mathrm{\β}}_0\right|\left|\mathrm{sID}\right|\mathrm{ID})+\underset{i=1}{\overset{\mathrm{the\; s}}{\mathrm{\Σ}}}{\mathrm{\β}}_i{d}_i\mathrm{mod}p;$ Step 106: After the sender performs the signature algorithm, then send the signature and message verification code (sID, rID, d, τ) to the receiver in the hostile network. 4. the integrity protection method of long data stream in wireless sensor network as claimed in claim 1, is characterized in that, verification method comprises the steps: Step 108: Once (sID, rID, d, τ) is received from the sender, the receiver (rID) first checks (sID, rID) to make sure that this data was sent by the sender (sID) and should be processed by itself; Step 110: After confirming the source of the message, the recipient continues to use the Gensig algorithm to verify (d, τ) to further obtain data elements. The Gensig algorithm is the same as that in the signature method, and the algorithm in the scenario of multiple data elements is also the same as that in the signature method. The corresponding algorithm is the same.