CN1790981A - Mobile proxy safety route method based on group signature - Google Patents


Info

Publication number
CN1790981A
Authority
CN
China
Prior art keywords
group
main frame
owner
mobile agent
signature
Legal status
Granted
Application number
CN 200510111219
Other languages
Chinese (zh)
Other versions
CN100561912C (en)
Inventor
邱卫东
陈克非
王文冰
黄征
丁鹏
Current Assignee
Shanghai Jiaotong University
Original Assignee
Shanghai Jiaotong University
Application filed by Shanghai Jiaotong University
Priority to CNB200510111219XA (granted as CN100561912C)
Publication of CN1790981A
Application granted
Publication of CN100561912C
Legal status: Expired - Fee Related


Abstract

The mobile agent secure routing method based on group signatures, in the field of computer application technology, comprises: using a group signature mechanism to manage a plurality of hosts and optimize key distribution; having the mobile agent owner assign each host an initial trust degree, by which the hosts are classified into groups and their visiting order is decided; in the actual migration, having the owner send the mobile agent to some member of the first group; after the next host to visit is selected with the SelectNextHost algorithm, having the current host migrate the agent to that host with the Sending algorithm, where the target receives it with the Receiving algorithm; and, after a DoS attack, tracking the attacking host through the group signature, reassigning trust degrees and optimizing the group structure. The invention reduces the probability of DoS attacks and guarantees the security of the mobile agent.

Description

Mobile proxy safety route method based on group's signature
Technical field
The present invention relates to a method in the field of computer application technology, in particular a mobile agent secure routing method based on group signatures.
Background technology
As computer networks expand and people's demand for information grows day by day, the appearance of mobile agents has satisfied the requirement for fast and efficient information gathering. Compared with Web services, mobile code and agent technology still have many advantages: mobile code and mobile agent technology avoid execution errors caused by unstable networks, run across platforms and move autonomously, and improve the flexibility and adaptability of distributed systems; they are a strong instrument for realizing distributed computing and have great potential for development. But these very characteristics of mobile agents have brought them corresponding security problems. Such security problems have two aspects: 1) the threat posed by the mobile agent to the visited host: executing the binary code of the mobile agent on the host can lead to unauthorized access to, or even tampering with, the host's information; 2) the threat posed by the visited host to the mobile agent, such as tampering with the mobile agent's binary code or modifying the information the mobile agent has collected. On the first kind of security problem remarkable progress has been made, protecting the host by means such as authentication and trust degrees. For the second kind of security problem research is still at an early stage, and this is caused precisely by the execution openness that mobile agents bring. A visited host may, for some purpose, tamper with the data collected by the mobile agent or with the code being executed; a malicious host may even delete the mobile agent, thereby stopping it from migrating further, so that it cannot finish its set task and return to the mobile agent owner's host. Executing encrypted functions can effectively prevent the running code from being modified, but for the malicious attack in which a host deletes the mobile agent (hereinafter called a DoS attack), because the host can intervene in the execution of the mobile agent on its platform, it is difficult to find an effective method to eliminate this threat.
A search of the prior art found that Biljana Cubaleska et al., in "How to Play Sherlock Holmes in the World of Mobile Agents" (Australasian Conference on Information Security and Privacy 2002, LNCS 2383, pages 449-463, Springer Verlag), proposed a secure routing protocol that reduces the risk when a DoS occurs and can also track the host that launched the attack; but because it is based purely on conventional digital signature technology, the key management in that method is so complex that the whole protocol is infeasible.
Summary of the invention
In view of the deficiencies in the prior art, the present invention provides a mobile agent secure routing method based on group signatures, which reduces the probability of a DoS attack occurring and keeps the loss when an attack does occur to a minimum, and which uses the characteristics of group signatures in cryptography to form a distinct organizational structure and routing method that makes key management simple, secure, efficient and feasible. If the mobile agent does not return on time, the mobile agent owner can, by the anonymity revocability of the group signature, determine the identity of the host that carried out the malicious attack, lower its trust degree and adjust the organizational structure of the group members to further strengthen the security of the mobile agent.
The present invention is achieved by the following technical solution, and applies to the situation in which the mobile agent must visit multiple hosts to finish a preset task. In order to manage the multiple hosts better and optimize the related key distribution problem, the mechanism of group signatures is introduced: the mobile agent owner assigns each host a certain initial trust degree; according to this trust degree each host is attributed to a certain group of a cryptographic group signature scheme, which also determines the order in which it is visited. In the actual migration, the mobile agent owner first sends the mobile agent to some member of the first group; after the mobile agent chooses the next host to visit with the SelectNextHost algorithm, the current host migrates the mobile agent to that host with the Sending algorithm, and the next visited host starts the Receiving algorithm to receive the mobile agent. After a DoS attack has taken place, the confirmation authority of the group signature is used to trace the host that launched the attack, reassign trust values and optimize the group structure.
The SelectNextHost algorithm is as follows:
(1) Judge whether the current sender is the last host in its group; if so, go to (2), otherwise go to (3);
(2) If it is the last host in its group, judge whether this group is the last group on the route; if it is the last group, the mobile agent MA returns to the agent owner, otherwise return the ID of the first host of the next group;
(3) Select a host in the group that has not yet been visited to transmit the mobile agent to, skipping those hosts to which sending has been attempted M times and failed; in that case the host is deemed offline, which also prevents the situation in which a host refuses to execute the agent.
The Sending algorithm is as follows:
(1) Execute the SelectNextHost algorithm to select the next group member (not necessarily in the same group) or the agent owner as the destination host of the transmission.
(2) Generate different visited host lists according to whether the destination host is in the same group as this host.
(3) Transmit the agent to the destination host selected in the first step.
(4) Wait for the destination host to send back a group signature confirmation. If a valid confirmation is received within the specified time, continue; otherwise go back to the first step. If a host still has not received the agent after the M attempts set by the method's security threshold, it is deemed that the host is not online or refuses to receive the agent. A host that carries out a DoS attack cannot obtain any confirmation, so when the mobile agent does not return to the mobile agent owner on time, the owner can determine the malicious host by checking the confirmations each host has preserved.
(5) Store the confirmation in the local database.
The Receiving algorithm is as follows:
(1) Receive the mobile agent.
(2) Verify the validity of each parameter in the mobile agent.
(3) If the parameters are valid, generate a different group signature confirmation according to whether the sender is in the same group as oneself; the content of the confirmation is the uid (unique identifier) of the mobile agent. If both are in the same group, the recipient signs in its own name; if not, it signs on behalf of its group. Otherwise, if the parameters are invalid, send the agent directly to the agent owner and stop the receiving protocol.
(4) Send the confirmation in group signature form back to the sender. In order to let the mobile agent owner locate the malicious host after the mobile agent has been lost through a DoS attack by some host, each receiving host must send back to the sender a confirmation under the recipient's group signature: if the sending host and the receiving host are in the same group, the receiving host signs the uid with its own private key, and the sending host can verify the signature with the public keys within the group; if the sending host and the receiving host are not in the same group, the receiving host signs on behalf of its group, and the sending host verifies the signature with the group public key of the group the receiving host belongs to; if at this point the mobile agent returns to the agent owner, the mobile agent owner signs with its own private key.
The mobile agent migrates in route order according to the SelectNextHost, Sending and Receiving algorithms and finishes its predetermined target. When the mobile agent does not return to the mobile agent owner on time, the owner assumes that a DoS attack has taken place and starts tracing to find the malicious host that carried out the attack:
(1) The owner sends a tracking request to the group authority of the first group; the request includes the confirmation that was first sent to the owner, which carries the signature of some group member representing the whole group;
(2) The anonymity revocability of the group signature lets the group authority find out the signer, and it returns the identity of the signer to the owner;
(3) The owner sends a tracking request to this signer; if this signer transmitted the agent as required, it can provide the owner with the confirmation that some subsequent group member returned to it;
(4) The owner verifies the signature of this confirmation to find out the next visited group member, and sends a tracking request to it;
(5) And so on, until some group member provides a confirmation signed by a member of the next group on behalf of that group; the owner then knows from this confirmation the next group the mobile agent visited, and includes this confirmation in the tracking request sent to that group's authority;
(6) Each subsequent group then repeats the same process as the first group, until a group member is found that cannot provide a valid confirmation; the owner can determine that this group member is the host that carried out the DoS attack.
From the tracking experience after repeated DoS attacks, the mobile agent owner can determine a trust degree for each host (the likelihood that it will not carry out a DoS attack when the mobile agent visits it) according to the number of times each host has carried out DoS attacks. The initial value of each host's trust degree depends on the owner's initial preset for that host; afterwards, each time a host carries out a DoS attack its trust degree is lowered by a certain value. When arranging a new roaming path, the owner divides the hosts into different groups based on their different trust degrees, so that the trust degrees of the members of each group lie in the same range. If a host's trust degree drops to the lowest limit, the owner no longer considers that host.
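The trust-degree bookkeeping just described, as an added illustration in Python (it is not the patent's own code): a traced attacker loses a fixed amount of trust, hosts at or below the lowest limit are excluded, and the remaining hosts are regrouped into bands of equal trust range, ordered from the lowest band to the highest for the next roaming path (the low-to-high visiting order is the one the embodiment discussion recommends). The constants PENALTY, FLOOR and BAND, the integer trust scale and the trust values in INITIAL_TRUST are assumptions made for this example; the patent fixes none of them.

```python
PENALTY = 30  # assumed trust deduction per traced DoS attack
FLOOR = 10    # assumed lowest limit: at or below it a host is excluded from the route
BAND = 25     # assumed width of one group's trust range (trust degrees are integers 1..100)


def penalize(trust, culprit):
    """Lower the traced attacker's trust degree by PENALTY, never below zero."""
    updated = dict(trust)
    updated[culprit] = max(0, updated[culprit] - PENALTY)
    return updated


def plan_route(trust):
    """Group hosts whose trust degrees lie in the same band and order the groups for the
    next roaming path, lowest band first; hosts at or below FLOOR are left out."""
    bands = {}
    for hid, degree in trust.items():
        if degree > FLOOR:
            bands.setdefault((degree - 1) // BAND, []).append(hid)
    return [sorted(bands[b]) for b in sorted(bands)]


def after_attack(trust, culprit):
    """Owner bookkeeping after one traced DoS attack: penalize, then re-plan the route."""
    updated = penalize(trust, culprit)
    return updated, plan_route(updated)


# Constructed trust table using the patent's host names (the values are not from the patent).
INITIAL_TRUST = {"m1,1": 20, "m1,2": 22, "m1,3": 24, "m2,1": 40, "m2,2": 45, "m3,1": 70, "m4,1": 95}
```

With these values a first attack by m2,1 drops it to the floor and out of the route, while a second attack by m2,2 leaves it above the floor but moves it into the lowest band, so it is visited early in the next roaming path, where a repeat attack costs the least to trace.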
The present invention achieves an obvious improvement in the technology for countering DoS attacks in the mobile agent field, and makes signature-based secure routing of mobile agents more practical and feasible. The outstanding feature of the present invention is the use of group signature technology for security hardening, which also makes key management in the signature-based secure routing method simpler and more practical. With the SelectNextHost, Sending and Receiving algorithms, it effectively prevents malicious hosts from skipping rival hosts and colluding to launch a DoS attack, and it keeps the system loss to a minimum when a DoS attack on the mobile agent takes place. At the same time, through the characteristics of group signatures, this method can track the malicious host that launched the DoS attack, and can accordingly change the trust value of that host, the group it belongs to and the route order, further improving the routing security of the mobile agent, reducing the overall system risk and effectively avoiding the limitations of other current means.
Description of drawings
Fig. 1 is a schematic diagram of the method of the invention.
Embodiment
In combination with the content of the present invention, the following embodiment is given:
Set up a mobile agent system with 12 visited hosts; these 12 hosts are divided into 4 groups according to their initial trust degree, and as shown in Figure 1 the 4 groups are g1, g2, g3 and g4. g1 has 3 members, m1,1, m1,2 and m1,3; g2 has 4 members, m2,1, m2,2, m2,3 and m2,4; g3 has 2 members, m3,1 and m3,2; g4 has 4 members, m4,1, m4,2, m4,3 and m4,4. Now a migration of the mobile agent begins. First the agent owner executes the SelectNextHost algorithm and selects m1,1 of group g1 to send the agent to. Suppose m1,1 receives the agent and returns a valid confirmation to the owner as required; after the mobile agent finishes its set task on m1,1, m1,1 executes the SelectNextHost algorithm to select the next host. Suppose it selects m1,2, but m1,2 is not online, so m1,1 executes the SelectNextHost algorithm again and selects m1,3, transmits the mobile agent to m1,3 and receives the valid confirmation it returns. m1,3 then repeats the same work as m1,1, but host m1,1 of the group is already in the visited host list and m1,2 is still not online, so m1,3 executes the SelectNextHost algorithm and selects m2,1 of the next group g2, and sends the mobile agent to m2,1. Suppose m2,1 sends back a valid confirmation in time but, instead of transmitting the agent further, deletes it, i.e. carries out a DoS attack. After the specified time the agent owner finds that the agent has not returned on time and begins the tracing process. First, the agent owner sends a tracking request, with the confirmation it received attached, to the group authority of g1, which is assumed to be m1,3; using the attributes of the group signature, m1,3 identifies the signer of the confirmation and returns the result to the owner, and the owner then sends a tracking request to m1,1, and m1,1 provides a valid confirmation. After verification the owner judges that its signer is m1,3 and sends m1,3 a tracking request. After m1,3 provides a valid confirmation, the owner verifies it with the public key of m1,2 (because in group g1 only m1,2 is not in the visited host list of this group) and the public keys of g2, g3 and g4, and identifies the signer as group g2. The owner sends a tracking request to the group authority of g2 with the confirmation provided by m1,3 attached. The group authority identifies the signer as m2,1 and returns the result to the owner. The owner then sends a tracking request to m2,1; of course m2,1 cannot provide any valid confirmation, because it deleted the mobile agent instead of transmitting it further. At this point the agent owner can determine that the host that carried out the malicious attack is m2,1.
From the above example it can be seen that the mobile agent secure routing method based on group signatures can track the host that launched the attack when a DoS occurs. Arranging the hosts' visiting order by trust degree from low to high keeps the tracking cost after a DoS attack to a minimum. At the same time, thanks to the characteristics of group signatures, the management of each host's group private key is simpler; this is the significant improvement of the method of the invention and the key to making the system practicable.
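The SelectNextHost, Sending, Receiving and tracing procedures above, and the 12-host embodiment just walked through, as one added Python simulation (this is not the patent's code and not a real group signature implementation). The group signature is replaced by a constructed stand-in: a keyed HMAC tag under a per-group key plays the signature that anyone holding the group key can verify, and an opening table kept by the group authority plays the anonymity revocation; a member confirming to a sender in its own group attaches its name, a member confirming across groups does not. The class and function names, the per-group keys, the single shared visited-host list, the threshold M = 2 and the host behaviours (m1,2 offline, m2,1 confirming and then deleting the agent) are all assumptions of this example; the owner's own signature on the final return hop and the parameter-validity check of Receiving step (2) are left out.

```python
import hashlib
import hmac

OWNER = "owner"
M = 2  # security threshold: after M failed send attempts a host is treated as offline

class GroupAuthority:
    """Constructed stand-in for one group (not a real group signature scheme): a keyed tag is the
    'signature' anyone holding the group key can verify; only the authority's opening table maps
    a tag back to the member that produced it (the anonymity revocation the patent relies on)."""
    def __init__(self, gid, members):
        self.gid, self.members = gid, list(members)
        self.key = hashlib.sha256(f"constructed-key-{gid}".encode()).digest()
        self._opening = {}

    def sign(self, signer, uid, anonymous):
        nonce = str(len(self._opening))  # distinct tag per confirmation
        tag = hmac.new(self.key, f"{uid}|{self.gid}|{nonce}".encode(), hashlib.sha256).hexdigest()
        self._opening[tag] = signer
        # same group: confirm in own name; different group: confirm on behalf of the group
        return {"group": self.gid, "nonce": nonce, "tag": tag, "signer": None if anonymous else signer}

    def verify(self, conf, uid):
        msg = f"{uid}|{self.gid}|{conf['nonce']}".encode()
        return conf["group"] == self.gid and hmac.compare_digest(
            conf["tag"], hmac.new(self.key, msg, hashlib.sha256).hexdigest())

    def open(self, conf):
        return self._opening.get(conf["tag"])

class Host:
    def __init__(self, hid, gid, online=True, deletes_agent=False):
        self.hid, self.gid, self.online, self.deletes_agent = hid, gid, online, deletes_agent
        self.confirms = {}  # uid -> confirmation received from the next hop

class RoutingSystem:
    def __init__(self, route, hosts):
        self.route, self.hosts = route, {h.hid: h for h in hosts}  # route: group ids in visit order
        self.auth = {g: GroupAuthority(g, [h.hid for h in hosts if h.gid == g]) for g in route}
        self.attempts, self.owner_confirms = {}, {}  # failed sends per host; owner's confirmations

    def select_next_host(self, cur_gid, visited):
        # SelectNextHost: unvisited, not-offline member of the current group, else the first
        # eligible host of a later group, else OWNER (the last group is exhausted).
        start = self.route.index(cur_gid) if cur_gid else 0
        for gid in self.route[start:]:
            for hid in self.auth[gid].members:
                if hid not in visited and self.attempts.get(hid, 0) < M:
                    return hid
        return OWNER

    def receiving(self, hid, uid, sender):
        # Receiving: an offline host answers nothing; otherwise confirm the agent's uid.
        host = self.hosts[hid]
        if not host.online:
            return None
        sender_gid = self.hosts[sender].gid if sender != OWNER else None
        return self.auth[host.gid].sign(hid, uid, anonymous=(sender_gid != host.gid))

    def sending(self, sender, uid, visited):
        # Sending: pick a target, deliver, keep only a confirmation that verifies under the
        # target group's key; a failed delivery counts one attempt and the choice is redone.
        cur_gid = self.hosts[sender].gid if sender != OWNER else None
        while True:
            target = self.select_next_host(cur_gid, visited)
            if target == OWNER:
                return OWNER
            conf = self.receiving(target, uid, sender)
            if conf is not None and self.auth[self.hosts[target].gid].verify(conf, uid):
                store = self.owner_confirms if sender == OWNER else self.hosts[sender].confirms
                store[uid] = conf
                return target
            self.attempts[target] = self.attempts.get(target, 0) + 1

    def run_agent(self, uid):
        # Migrate the agent along the route; returns the hosts that received it.
        visited, cur = [], OWNER
        while (cur := self.sending(cur, uid, visited)) != OWNER:
            visited.append(cur)
            if self.hosts[cur].deletes_agent:
                break  # DoS: receipt was confirmed, then the agent was dropped
        return visited

    def trace(self, uid):
        # Owner-side tracing once the agent is overdue: verify and open each confirmation, ask
        # the revealed host for the one it holds, and stop at the host that cannot produce one.
        conf = self.owner_confirms[uid]
        while True:
            if not self.auth[conf["group"]].verify(conf, uid):
                raise ValueError("forged confirmation in the chain")
            signer = conf["signer"] or self.auth[conf["group"]].open(conf)
            conf = self.hosts[signer].confirms.get(uid)
            if conf is None:
                return signer

def build_embodiment():
    # The patent's 12-host, 4-group scenario: m1,2 is offline and m2,1 deletes the agent.
    sizes = {"g1": 3, "g2": 4, "g3": 2, "g4": 4}
    ids = [f"m{g[1]},{i}" for g, n in sizes.items() for i in range(1, n + 1)]
    hosts = [Host(h, "g" + h[1], online=h != "m1,2", deletes_agent=h == "m2,1") for h in ids]
    return RoutingSystem(list(sizes), hosts)
```

Running `build_embodiment().run_agent("uid-1")` reproduces the embodiment's path m1,1, m1,3, m2,1 (m1,2 is skipped after M failed deliveries), and `trace("uid-1")` on the same system walks the chain of stored confirmations and names m2,1 as the host that confirmed receipt but held no confirmation from any next hop. The point of the design is visible in `trace`: every hop is pinned by a confirmation the sender keeps, and only the group authority can turn an anonymous cross-group confirmation back into a host identity.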

Claims (7)

1. A mobile agent secure routing method based on group signatures, characterized in that a group signature mechanism is introduced to manage multiple hosts and optimize key distribution: the mobile agent owner assigns each host a certain initial trust degree, according to which each host is attributed to a certain group of a cryptographic group signature scheme, which also determines the order in which it is visited; in the actual migration, the mobile agent owner first sends the mobile agent to some member of the first group, and after the mobile agent chooses the next host to visit with the SelectNextHost algorithm, the current host migrates the mobile agent to that host with the Sending algorithm, and the next visited host starts the Receiving algorithm to receive the mobile agent; after a DoS attack has taken place, the confirmation authority of the group signature is used to trace the host that launched the attack, reassign trust values and optimize the group structure.
2. The mobile agent secure routing method based on group signatures according to claim 1, characterized in that the SelectNextHost algorithm is as follows:
(1) judge whether the current sender is the last host in its group; if so, go to (2), otherwise go to (3);
(2) if it is the last host in its group, judge whether this group is the last group on the route; if it is the last group, the mobile agent MA returns to the agent owner, otherwise return the ID of the first host of the next group;
(3) select a host in the group that has not yet been visited to transmit the mobile agent to, skipping those hosts to which sending has been attempted M times and failed; in that case the host is deemed offline, which also prevents the situation in which a host refuses to execute the agent.
3. The mobile agent secure routing method based on group signatures according to claim 1, characterized in that the Sending algorithm is as follows:
(1) execute the SelectNextHost algorithm to select the next group member or the agent owner as the destination host of the transmission;
(2) generate the visited host list according to whether the destination host is in the same group as this host;
(3) transmit the agent to the destination host selected in the first step;
(4) wait for the destination host to send back a group signature confirmation; if a valid confirmation is received within the specified time, continue, otherwise go back to the first step;
(5) store the confirmation in the local database.
4. The mobile agent secure routing method based on group signatures according to claim 1, characterized in that the Receiving algorithm is as follows:
(1) receive the mobile agent;
(2) verify the validity of each parameter in the mobile agent;
(3) if the parameters are valid, generate a group signature confirmation according to whether the sender and oneself are in the same group, the content of the confirmation being the uid of the mobile agent: if in the same group, the recipient signs in its own name, otherwise it signs on behalf of its group; if the parameters are wrong, send the agent directly to the agent owner and stop the receiving protocol;
(4) send the confirmation in group signature form back to the sender.
5. The mobile agent secure routing method based on group signatures according to claim 1 or 4, characterized in that, in the Receiving algorithm, in order to let the mobile agent owner locate the malicious host after the mobile agent has been lost through a DoS attack by some host, each receiving host must send back to the sender a confirmation under the recipient's group signature: if the sending host and the receiving host are in the same group, the receiving host signs the uid with its own private key and the sending host can verify the signature with the public keys within the group; if the sending host and the receiving host are not in the same group, the receiving host signs on behalf of its group and the sending host verifies the signature with the group public key of the group the receiving host belongs to; and if at this point the mobile agent returns to the agent owner, the mobile agent owner signs with its own private key.
6. The mobile agent secure routing method based on group signatures according to claim 1, characterized in that, when the mobile agent does not return to the mobile agent owner on time, the owner assumes that a DoS attack has taken place and starts tracing to find the malicious host that carried out the attack:
(1) the owner sends a tracking request to the group authority of the first group; the request includes the confirmation that was first sent to the owner, which carries the signature of some group member representing the whole group;
(2) the anonymity revocability of the group signature lets the group authority find out the signer, and it returns the identity of the signer to the owner;
(3) the owner sends a tracking request to this signer; if this signer transmitted the agent as required, it can provide the owner with the confirmation that some subsequent group member returned to it;
(4) the owner verifies the signature of this confirmation to find out the next visited group member, and sends a tracking request to it;
(5) and so on, until some group member provides a confirmation signed by a member of the next group on behalf of that group; the owner then knows from this confirmation the next group the mobile agent visited, and includes this confirmation in the tracking request sent to that group's authority;
(6) each subsequent group then repeats the same process as the first group, until a group member is found that cannot provide a valid confirmation; the owner can determine that this group member is the host that carried out the DoS attack.
7. The mobile agent secure routing method based on group signatures according to claim 1, characterized in that, from the tracking experience after repeated DoS attacks, the mobile agent owner can determine a trust degree for each host according to the number of times it has carried out DoS attacks; the initial value of each host's trust degree depends on the owner's initial preset for that host, and afterwards each time a host carries out a DoS attack its trust degree is lowered by a certain value; when arranging a new roaming path, the owner divides the hosts into corresponding groups based on their trust degrees, so that the trust degrees of the members of each group lie in the same range; and if a host's trust degree drops to the lowest limit, the owner excludes that host from the routing scope.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB200510111219XA CN100561912C (en) 2005-12-08 2005-12-08 Mobile proxy safety route method based on group's signature

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNB200510111219XA CN100561912C (en) 2005-12-08 2005-12-08 Mobile proxy safety route method based on group's signature

Publications (2)

Publication Number Publication Date
CN1790981A true CN1790981A (en) 2006-06-21
CN100561912C CN100561912C (en) 2009-11-18

Family

ID=36788514

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB200510111219XA Expired - Fee Related CN100561912C (en) 2005-12-08 2005-12-08 Mobile proxy safety route method based on group's signature

Country Status (1)

Country Link
CN (1) CN100561912C (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101584158B (en) * 2006-11-17 2013-03-27 高通股份有限公司 Method and apparatus for efficient routing in communication networks
CN101022458B (en) * 2007-03-23 2010-10-13 杭州华三通信技术有限公司 Conversation control method and control device
CN101978651A (en) * 2008-03-19 2011-02-16 株式会社东芝 Group signature system, device, and program
CN101978651B (en) * 2008-03-19 2014-09-17 株式会社东芝 Group signature system, device, and method
CN101296181B (en) * 2008-06-26 2010-12-08 电子科技大学 IP network two-stage fault-tolerance intrusion-tolerance routing mechanism based on faith
CN115033912A (en) * 2022-04-20 2022-09-09 郑州轻工业大学 Block chain-based medical data cross-device anonymous verification method, device and equipment

Also Published As

Publication number Publication date
CN100561912C (en) 2009-11-18


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C17 Cessation of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20091118

Termination date: 20121208