CN104283667A - A data transmission method, device and system - Google Patents
A data transmission method, device and system Download PDFInfo
- Publication number
- CN104283667A CN104283667A CN201310269180.9A CN201310269180A CN104283667A CN 104283667 A CN104283667 A CN 104283667A CN 201310269180 A CN201310269180 A CN 201310269180A CN 104283667 A CN104283667 A CN 104283667A
- Authority
- CN
- China
- Prior art keywords
- key
- ciphertext
- node
- private key
- generator
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000000034 method Methods 0.000 title claims abstract description 45
- 230000005540 biological transmission Effects 0.000 title claims abstract description 32
- 238000004891 communication Methods 0.000 claims abstract description 9
- 238000010586 diagram Methods 0.000 description 9
- 238000007726 management method Methods 0.000 description 9
- 230000008569 process Effects 0.000 description 8
- 238000004590 computer program Methods 0.000 description 7
- 230000006870 function Effects 0.000 description 7
- 238000004422 calculation algorithm Methods 0.000 description 6
- 238000009826 distribution Methods 0.000 description 5
- 238000012545 processing Methods 0.000 description 5
- 238000003860 storage Methods 0.000 description 5
- 230000008901 benefit Effects 0.000 description 3
- 238000005516 engineering process Methods 0.000 description 3
- 238000012986 modification Methods 0.000 description 3
- 230000004048 modification Effects 0.000 description 3
- 239000002131 composite material Substances 0.000 description 2
- 230000007246 mechanism Effects 0.000 description 2
- 235000008694 Humulus lupulus Nutrition 0.000 description 1
- 238000004364 calculation method Methods 0.000 description 1
- 230000007547 defect Effects 0.000 description 1
- 238000004519 manufacturing process Methods 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 238000012795 verification Methods 0.000 description 1
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Abstract
本发明公开了一种数据传输方法、装置及系统,其中,用于节点的数据传输方法包括:使用第一密钥加密节点与私钥生成器进行通信的请求,生成第一密文,第一密钥为密钥分发中心预先为所述节点分配的对称密钥;向密钥分发中心发送第一密文;接收并使用第一密钥解密密钥分发中心返回的第二密文,获得本次会话密钥以及第三密文;向私钥生成器转发第三密文;接收并使用本次会话密钥解密私钥生成器发送的、使用本次会话密钥加密的第四密文,获得公开参数以及私钥。本发明中节点使用密钥分发中心采用不同的对称密钥为节点分发的一次一密的会话秘钥与私钥生成器进行通信,有效避免了节点仿冒攻击,同时保证了私钥服务器分发公开参数和节点私钥的安全性。
The present invention discloses a data transmission method, device and system, wherein the data transmission method for a node includes: using a first key to encrypt a request for communication between a node and a private key generator, generating a first ciphertext, and first The key is the symmetric key pre-distributed by the key distribution center for the node; send the first ciphertext to the key distribution center; receive and use the first key to decrypt the second ciphertext returned by the key distribution center, and obtain this The second session key and the third ciphertext; forward the third ciphertext to the private key generator; receive and use the current session key to decrypt the fourth ciphertext sent by the private key generator and encrypted with the current session key, Obtain public parameters and private keys. In the present invention, the node uses the key distribution center to communicate with the private key generator by using different symmetric keys to distribute the one-time secret session key to the node, which effectively avoids the node counterfeiting attack, and at the same time ensures that the private key server distributes the public parameters and the security of the node's private key.
Description
技术领域technical field
本发明涉及物联网安全领域,尤其涉及一种数据传输方法、装置及系统。The present invention relates to the security field of the Internet of Things, in particular to a data transmission method, device and system.
背景技术Background technique
物联网(The Internet of things)是把物品通过射频识别等信息传感设备与互联网连接起来,实现智能化识别和管理。物联网的核心和基础仍然是互联网,是在互联网基础上的延伸和扩展的网络,其用户端延伸和扩展到了任何物品与物品之间,进行信息交换和通信。物联网主要由大量的无线传感器节点、无线传感器网络及互联网组成。无论是传感器节点还是传感器网络本身都存在一定的资源限制,这些限制将直接影响到物联网的安全机制。The Internet of things (The Internet of things) is to connect items with the Internet through radio frequency identification and other information sensing devices to realize intelligent identification and management. The core and foundation of the Internet of Things is still the Internet, which is an extended and expanded network based on the Internet. Its client end extends and extends to any item and item for information exchange and communication. The Internet of Things is mainly composed of a large number of wireless sensor nodes, wireless sensor networks and the Internet. Both the sensor nodes and the sensor network itself have certain resource limitations, which will directly affect the security mechanism of the Internet of Things.
在所有的安全解决方案中,认证加密技术是一切安全技术的基础,通过认证加密可以满足传感器网络认证、保密性、不可否认性、完整性等安全需求。在无线传感器网络的安全机制中认证和加密是最重要的模块,当前,无线传感器网络密钥管理方案和协议可以分为对称密钥管理方案和非对称密钥管理方案。In all security solutions, authenticated encryption technology is the basis of all security technologies, through authenticated encryption can meet the sensor network authentication, confidentiality, non-repudiation, integrity and other security requirements. Authentication and encryption are the most important modules in the security mechanism of wireless sensor networks. At present, wireless sensor network key management schemes and protocols can be divided into symmetric key management schemes and asymmetric key management schemes.
非对称密钥管理方案,由于传感器节点具有计算能力差、存储容量低、能量有限等特殊性,单纯的非对称密钥方式不适合在传感器节点上部署。For the asymmetric key management scheme, due to the particularity of sensor nodes such as poor computing power, low storage capacity, and limited energy, the simple asymmetric key method is not suitable for deployment on sensor nodes.
对称密钥管理方案中例如有E-G方案和q-composite。Examples of symmetric key management schemes include E-G scheme and q-composite.
E-G方案由3个阶段组成。第1阶段为密钥预分配阶段。部署前,部署服务器首先生成一个密钥总数为P的大密钥池及密钥标识,每一节点从密钥池里随机选取k(k<<P)个不同密钥,这种随机预分配方式使得任意两个节点能够以一定的概率存在着共享密钥。第2阶段为共享密钥发现阶段.随机部署后,两个相邻节点若存在共享密钥,就随机选取其中的一个作为双方的配对密钥:否则,进入到第3阶段。第3阶段为密钥路径建立阶段,节点通过与其他存在共享密钥的邻居节点经过若干跳后建立双方的一条密钥路径。The E-G program consists of 3 phases. The first phase is the key pre-distribution phase. Before deployment, the deployment server first generates a large key pool with a total of P keys and key identifiers. Each node randomly selects k (k<<P) different keys from the key pool. This random pre-allocation The method enables any two nodes to have a shared key with a certain probability. The second stage is the shared key discovery stage. After random deployment, if two adjacent nodes have a shared key, randomly select one of them as the pairing key of both parties; otherwise, enter the third stage. The third stage is the key path establishment stage. The node establishes a key path between the two parties after going through several hops with other neighbor nodes with shared keys.
q-composite方案中,节点从密钥总数为|S|的密钥池里预随机选取m个不同的密钥,部署后两个相邻节点至少需要共享q个密钥才能直接建立配对密钥。若共享的密钥数为t(t>=q),则可使用单向散列函数建立配对密钥K=hash(k1||k2||..kz)(密钥序列号事先约定)。In the q-composite scheme, the node pre-randomly selects m different keys from the key pool with the total number of keys |S|. After deployment, two adjacent nodes need to share at least q keys to directly establish a pairing key . If the number of shared keys is t(t>=q), the pairing key K=hash(k1||k2||..kz) can be established using a one-way hash function (the key serial number is agreed in advance).
在基于对称密钥体系的密钥预分配方案中还提出了基于身份的加密(identity-based encryption,IBE)的概念。IBE可以使用消息接收者的身份信息作为公钥,来对消息进行加密。与传统的公钥加密相比,IBE无须证书管理,这样可以极大地简化安全通信的实现。In the key pre-distribution scheme based on the symmetric key system, the concept of identity-based encryption (IBE) is also proposed. IBE can use the identity information of the message recipient as the public key to encrypt the message. Compared with traditional public key encryption, IBE does not require certificate management, which greatly simplifies the implementation of secure communication.
与非对称密钥管理方法相比,对称密钥的最大优点是计算量小。但是其明显的缺点是必须有一个密钥预分配过程,即事先将对称密钥存储在节点中,对增加和替换节点就显得不够灵活。在物联网的WSN中采用对称密钥系统的缺点是抵抗中间人攻击的能力很有限,不支持对邻居节点的身份认证,更无法抵抗冒充攻击,随着俘获节点的增多,更多的密钥信息将暴露出来。Compared with asymmetric key management methods, the biggest advantage of symmetric keys is that the amount of calculation is small. But its obvious disadvantage is that there must be a key pre-distribution process, that is, the symmetric key is stored in the node in advance, which is not flexible enough for adding and replacing nodes. The disadvantage of using the symmetric key system in the WSN of the Internet of Things is that the ability to resist man-in-the-middle attacks is very limited, it does not support identity authentication of neighbor nodes, and it cannot resist impersonation attacks. With the increase of captured nodes, more key information will be exposed.
发明内容Contents of the invention
为了解决现有技术中存在的上述缺陷,本发明提出一种数据传输方法、装置和系统,能够适应无线传感器节点的特殊性,并且算法实现简单,从而可以提高物联网采集数据传输的安全性和传输效率。In order to solve the above-mentioned defects in the prior art, the present invention proposes a data transmission method, device and system, which can adapt to the particularity of wireless sensor nodes, and the algorithm is simple to implement, thereby improving the security and security of the Internet of Things collection data transmission. transmission efficiency.
本发明的一个方面,提供一种用于节点的数据传输方法,包括以下步骤:One aspect of the present invention provides a data transmission method for a node, comprising the following steps:
使用第一密钥加密节点与私钥生成器进行通信的请求,生成第一密文;其中,所述第一密钥为密钥分发中心预先为所述节点分配的对称密钥;Using the first key to encrypt a request for communication between the node and the private key generator, and generate a first ciphertext; wherein, the first key is a symmetric key previously assigned to the node by the key distribution center;
向密钥分发中心发送所述第一密文;Send the first ciphertext to the key distribution center;
接收并使用第一密钥解密密钥分发中心返回的第二密文,获得所述节点与私钥生成器的本次会话密钥以及第三密文;其中,所述第三密文为:密钥分发中心使用预先为私钥生成器分配的对称密钥将本次会话密钥加密生成的;Receive and use the first key to decrypt the second ciphertext returned by the key distribution center, and obtain the current session key between the node and the private key generator and the third ciphertext; wherein, the third ciphertext is: The key distribution center uses the symmetric key pre-assigned to the private key generator to encrypt and generate the session key;
向私钥生成器转发所述第三密文;forwarding said third ciphertext to a private key generator;
接收并使用本次会话密钥解密私钥生成器发送的、使用本次会话密钥加密的第四密文,获得公开参数以及私钥。Receive and use the current session key to decrypt the fourth ciphertext sent by the private key generator and encrypted with the current session key to obtain the public parameters and the private key.
本发明实施例提出的用于节点的数据传输方法中,节点使用密钥分发中心采用不同的对称密钥为节点分发的一次一密的会话秘钥与私钥生成器进行通信,有效避免了节点仿冒攻击,同时保证了私钥服务器分发公开参数和节点私钥的安全性。In the data transmission method for nodes proposed in the embodiment of the present invention, nodes use different symmetric keys distributed by the key distribution center to communicate with the private key generator to communicate with the private key generator, effectively avoiding the node Counterfeiting attacks, while ensuring the security of private key servers distributing public parameters and node private keys.
本发明实施例还提出一种用于密钥分发中心的数据传输方法,包括以下步骤:The embodiment of the present invention also proposes a data transmission method for the key distribution center, including the following steps:
预先为各节点和私钥生成器分配不同的对称密钥;Assign different symmetric keys to each node and private key generator in advance;
接收节点发送的第一密文,并使用对称密钥中分配给所述节点的第一密钥解密所述第一密文;receiving the first ciphertext sent by the node, and decrypting the first ciphertext using the first key assigned to the node among the symmetric keys;
当所述第一密文是所述节点请求与私钥生成器进行通信时,生成随机参数作为所述节点与私钥生成器的本次会话密钥;When the first ciphertext is that the node requests to communicate with the private key generator, generate a random parameter as the current session key between the node and the private key generator;
使用对称密钥中分配给私钥生成器的第二密钥将本次会话密钥加密生成第三密文;Use the second key assigned to the private key generator in the symmetric key to encrypt the current session key to generate a third ciphertext;
使用第一密钥加密本次会话密钥和第三密文生成第二密文;Using the first key to encrypt the current session key and the third ciphertext to generate the second ciphertext;
将所述第二密文发送至所述节点。Send the second ciphertext to the node.
本发明实施例提出的用于密钥分发中心的数据传输方法中,密钥分发中心器采用不同的对称密钥为节点和私钥生成器分发一次一密的会话秘钥,有效避免了节点仿冒攻击,同时保证了私钥生成器PKG分发公开参数和节点私钥的安全性。In the data transmission method for the key distribution center proposed in the embodiment of the present invention, the key distribution center uses different symmetric keys to distribute one-time-encrypted session keys for nodes and private key generators, effectively avoiding node counterfeiting attacks, while ensuring the security of the private key generator PKG to distribute public parameters and node private keys.
本发明实施例还提出一种用于私钥生成器的数据传输方法,包括以下步骤:The embodiment of the present invention also proposes a data transmission method for a private key generator, comprising the following steps:
接收并使用第二密钥解密节点转发的密钥分发中心生成的第三密文,获取与所述节点的本次会话密钥;其中,所述第二密钥为密钥分发中心预先为私钥生成器分配的对称密钥;Receive and use the second key to decrypt the third ciphertext generated by the key distribution center forwarded by the node, and obtain the current session key with the node; A symmetric key assigned by the key generator;
使用本次会话密钥将预先生成的公开参数及所述节点的私钥加密后生成第四密文;Using the current session key to encrypt the pre-generated public parameters and the private key of the node to generate the fourth ciphertext;
将所述第四密文发送至所述节点。Send the fourth ciphertext to the node.
本发明实施例提出的用于私钥生成器的数据传输方法中,私钥生成器通过密钥分发中心器采用预先分配的不同的对称密钥为节点分发的一次一密的会话秘钥,与节点进行通信,有效避免了节点仿冒攻击,同时保证了私钥服务器分发公开参数和节点私钥的安全性。In the data transmission method for the private key generator proposed by the embodiment of the present invention, the private key generator uses the different pre-allocated symmetric keys to distribute the one-time secret session key to the nodes through the key distribution center, and Nodes communicate, effectively avoiding node counterfeiting attacks, and at the same time ensuring the security of private key servers distributing public parameters and node private keys.
作为上述技术方案的优选,所述预先生成的公开参数及所述节点的私钥的生成方法包括:As a preference of the above technical solution, the method for generating the pre-generated public parameters and the private key of the node includes:
选取域元素a,b∈Fp,满足椭圆曲线方程E:y2≡x3+ax+b(mod p),其中,Δ=4a3+27b2≠0(mod p);Select domain elements a,b∈F p to satisfy the elliptic curve equation E:y 2 ≡x 3 +ax+b(mod p), where Δ=4a 3 +27b 2 ≠0(mod p);
根据p及a,b值和椭圆曲线方程E计算E(Fp)点集;Calculate E(F p ) point set according to p and a, b value and elliptic curve equation E;
在E(Fp)点集中选取基点G,利用椭圆曲线加法规则及倍点规则求解G点的阶;Select the base point G in the E(F p ) point set, and use the elliptic curve addition rule and the point doubling rule to solve the order of G point;
生成随机数s作为系统的主密钥,根据G点的阶和s计算公开参数和节点的私钥。Generate a random number s as the master key of the system, and calculate the public parameters and the private key of the node according to the order and s of the G point.
本发明实施例提出一种节点,包括:An embodiment of the present invention proposes a node, including:
生成第一密文模块,用于使用第一密钥加密节点与私钥生成器进行通信的请求,生成第一密文;其中,所述第一密钥为密钥分发中心预先为所述节点分配的对称密钥;Generate a first ciphertext module, used to use the first key to encrypt the request of the node to communicate with the private key generator, and generate the first ciphertext; wherein, the first key is the key distribution center for the node in advance the assigned symmetric key;
第一发送模块,用于向密钥分发中心发送所述第一密文;A first sending module, configured to send the first ciphertext to the key distribution center;
第一接收模块,用于接收并使用第一密钥解密密钥分发中心返回的第二密文,获得所述节点与私钥生成器的本次会话密钥以及第三密文;其中,所述第三密文为:密钥分发中心使用预先为私钥生成器分配的对称密钥将本次会话密钥加密生成的;The first receiving module is used to receive and use the first key to decrypt the second ciphertext returned by the key distribution center, and obtain the current session key and the third ciphertext between the node and the private key generator; wherein, the The third ciphertext is: the key distribution center uses the symmetric key pre-allocated to the private key generator to encrypt and generate the session key;
第二发送模块,用于向私钥生成器转发所述第三密文;A second sending module, configured to forward the third ciphertext to the private key generator;
第二接收模块,用于接收并使用本次会话密钥解密私钥生成器发送的、使用本次会话密钥加密的第四密文,获得公开参数以及私钥。The second receiving module is configured to receive and use the current session key to decrypt the fourth ciphertext sent by the private key generator and encrypted with the current session key, to obtain the public parameters and the private key.
本发明实施例提出一种密钥分发中心,包括:The embodiment of the present invention proposes a key distribution center, including:
分配模块,用于预先为各节点和私钥生成器分配不同的对称密钥;An allocation module, which is used to pre-allocate different symmetric keys for each node and private key generator;
第三接收模块,用于接收节点发送的第一密文,并使用对称密钥中分配给所述节点的第一密钥解密所述第一密文;A third receiving module, configured to receive the first ciphertext sent by the node, and decrypt the first ciphertext using the first key assigned to the node among the symmetric keys;
生成会话密钥模块,用于当所述第一密文是所述节点请求与私钥生成器进行通信时,生成随机参数作为所述节点与私钥生成器的本次会话密钥;Generate a session key module, used to generate random parameters as the current session key between the node and the private key generator when the first ciphertext is that the node requests to communicate with the private key generator;
生成第三密文模块,用于使用对称密钥中分配给私钥生成器的第二密钥将本次会话密钥加密生成第三密文;Generate a third ciphertext module, which is used to encrypt the current session key using the second key assigned to the private key generator in the symmetric key to generate a third ciphertext;
生成第二密文模块,用于使用第一密钥加密本次会话密钥以及第三密文生成第二密文;Generate a second ciphertext module, which is used to encrypt the current session key using the first key and the third ciphertext to generate the second ciphertext;
第三发送模块,用于将所述第二密文发送至所述节点。A third sending module, configured to send the second ciphertext to the node.
本发明实施例提出一种私钥生成器,包括:The embodiment of the present invention proposes a private key generator, including:
第四接收模块,用于接收并使用第二密钥解密节点转发的密钥分发中心生成的第三密文,获取与所述节点的本次会话密钥;其中,所述第二密钥为密钥分发中心预先为私钥生成器分配的对称密钥;The fourth receiving module is used to receive and use the second key to decrypt the third ciphertext generated by the key distribution center forwarded by the node, and obtain the current session key with the node; wherein the second key is The symmetric key pre-assigned by the key distribution center to the private key generator;
生成第四密文模块,用于使用本次会话密钥将预先生成的公开参数及所述节点的私钥加密后生成第四密文;Generate a fourth ciphertext module, which is used to encrypt the pre-generated public parameters and the private key of the node using the session key to generate the fourth ciphertext;
第四发送模块,用于将所述第四密文发送至所述节点。A fourth sending module, configured to send the fourth ciphertext to the node.
作为上述技术方案的优选,所述装置还包括:As a preference of the above technical solution, the device also includes:
生成模块,用于选取域元素a,b∈Fp,满足椭圆曲线方程E:y2≡x3+ax+b(mod p),其中,Δ=4a3+27b2≠0(mod p);根据p及a,b值和椭圆曲线方程E计算E(Fp)点集;在E(Fp)点集中选取基点G,利用椭圆曲线加法规则及倍点规则求解G点的阶;生成随机数s作为系统的主密钥,根据G点的阶和s计算公开参数和节点的私钥。The generation module is used to select domain elements a,b∈F p , satisfying the elliptic curve equation E:y 2 ≡x 3 +ax+b(mod p), where, Δ=4a 3 +27b 2 ≠0(mod p) ; Calculate E(F p ) point set according to p and a, b value and elliptic curve equation E; select base point G in E(F p ) point set, use elliptic curve addition rule and doubling point rule to solve the order of G point; generate The random number s is used as the master key of the system, and the public parameters and the private key of the node are calculated according to the order and s of the G point.
本发明还提出一种数据传输系统,包括节点、密钥分发中心和私钥生成器,其中,所述节点用于:The present invention also proposes a data transmission system, including a node, a key distribution center and a private key generator, wherein the node is used for:
使用第一密钥加密节点与私钥生成器进行通信的请求,生成第一密文;其中,所述第一密钥为密钥分发中心预先为所述节点分配的对称密钥;Using the first key to encrypt a request for communication between the node and the private key generator, and generate a first ciphertext; wherein, the first key is a symmetric key previously assigned to the node by the key distribution center;
向密钥分发中心发送所述第一密文;Send the first ciphertext to the key distribution center;
接收并使用第一密钥解密密钥分发中心返回的第二密文,获得所述节点与私钥生成器的本次会话密钥以及第三密文;其中,所述第三密文为:密钥分发中心使用预先为私钥生成器分配的对称密钥将本次会话密钥加密生成的;Receive and use the first key to decrypt the second ciphertext returned by the key distribution center, and obtain the current session key between the node and the private key generator and the third ciphertext; wherein, the third ciphertext is: The key distribution center uses the symmetric key pre-assigned to the private key generator to encrypt and generate the session key;
向私钥生成器转发所述第三密文;forwarding said third ciphertext to a private key generator;
接收并使用本次会话密钥解密私钥生成器发送的、使用本次会话密钥加密的第四密文,获得公开参数以及私钥;Receive and use the current session key to decrypt the fourth ciphertext sent by the private key generator and encrypted with the current session key, to obtain the public parameters and the private key;
所述密钥分发中心用于:The key distribution center is used for:
预先为各节点和私钥生成器分配不同的对称密钥;Assign different symmetric keys to each node and private key generator in advance;
接收节点发送的第一密文,并使用对称密钥中分配给所述节点的第一密钥解密所述第一密文;receiving the first ciphertext sent by the node, and decrypting the first ciphertext using the first key assigned to the node among the symmetric keys;
当所述第一密文是所述节点请求与私钥生成器进行通信时,生成随机参数作为所述节点与私钥生成器的本次会话密钥;When the first ciphertext is that the node requests to communicate with the private key generator, generate a random parameter as the current session key between the node and the private key generator;
使用对称密钥中分配给私钥生成器的第二密钥将本次会话密钥加密生成第三密文;Use the second key assigned to the private key generator in the symmetric key to encrypt the current session key to generate a third ciphertext;
使用第一密钥加密本次会话密钥和第三密文生成第二密文;Using the first key to encrypt the current session key and the third ciphertext to generate the second ciphertext;
将所述第二密文发送至所述节点;sending the second ciphertext to the node;
所述私钥生成器用于:The private key generator is used to:
接收并使用第二密钥解密所述节点转发的密钥分发中心生成的第三密文,获取与所述节点的本次会话密钥;其中,所述第二密钥为密钥分发中心预先为私钥生成器分配的对称密钥;receiving and using the second key to decrypt the third ciphertext generated by the key distribution center forwarded by the node, and obtaining the current session key with the node; A symmetric key assigned to the private key generator;
使用本次会话密钥将预先生成的公开参数及所述节点的私钥加密后生成第四密文;Using the current session key to encrypt the pre-generated public parameters and the private key of the node to generate the fourth ciphertext;
将所述第四密文发送至所述节点。Send the fourth ciphertext to the node.
本发明的其它特征和优点将在随后的说明书中阐述,并且,部分地从说明书中变得显而易见,或者通过实施本发明而了解。本发明的目的和其他优点可通过在所写的说明书、权利要求书、以及附图中所特别指出的结构来实现和获得。Additional features and advantages of the invention will be set forth in the description which follows, and in part will be apparent from the description, or may be learned by practice of the invention. The objectives and other advantages of the invention may be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
下面通过附图和实施例,对本发明的技术方案做进一步的详细描述。The technical solutions of the present invention will be described in further detail below with reference to the accompanying drawings and embodiments.
附图说明Description of drawings
附图用来提供对本发明的进一步理解,并且构成说明书的一部分,与本发明的实施例一起用于解释本发明,并不构成对本发明的限制。在附图中:The accompanying drawings are used to provide a further understanding of the present invention, and constitute a part of the description, and are used together with the embodiments of the present invention to explain the present invention, and do not constitute a limitation to the present invention. In the attached picture:
图1是本发明实施例提出的用于节点的数据传输方法流程图;FIG. 1 is a flowchart of a data transmission method for a node proposed in an embodiment of the present invention;
图2是本发明实施例提出的用于密钥分发中心的数据传输方法流程图;Fig. 2 is a flow chart of a data transmission method for a key distribution center proposed by an embodiment of the present invention;
图3是本发明实施例提出的用于私钥生成器的数据传输方法流程图;Fig. 3 is a flow chart of a data transmission method for a private key generator proposed by an embodiment of the present invention;
图4是本发明实施例中私钥生成器PKG生成公开参数及节点的私钥的方法流程图;Fig. 4 is the flow chart of the method that private key generator PKG generates public parameter and the private key of node in the embodiment of the present invention;
图5是本发明实施例提出的节点的结构示意图;FIG. 5 is a schematic structural diagram of a node proposed in an embodiment of the present invention;
图6是本发明实施例提出的密钥分发中心的结构示意图;Fig. 6 is a schematic structural diagram of a key distribution center proposed by an embodiment of the present invention;
图7是本发明实施例提出的私钥生成器的结构示意图。Fig. 7 is a schematic structural diagram of a private key generator proposed by an embodiment of the present invention.
具体实施方式Detailed ways
以下结合附图对本发明的优选实施例进行说明,应当理解,此处所描述的优选实施例仅用于说明和解释本发明,并不用于限定本发明。The preferred embodiments of the present invention will be described below in conjunction with the accompanying drawings. It should be understood that the preferred embodiments described here are only used to illustrate and explain the present invention, and are not intended to limit the present invention.
如图1所示,本发明实施例提出的一种用于节点的数据传输方法,包括以下步骤:As shown in Figure 1, a data transmission method for a node proposed by an embodiment of the present invention includes the following steps:
步骤S101:使用第一密钥加密节点与私钥生成器进行通信的请求,生成第一密文;其中,所述第一密钥为密钥分发中心预先为所述节点分配的对称密钥;Step S101: use the first key to encrypt the request of the node to communicate with the private key generator, and generate a first ciphertext; wherein, the first key is a symmetric key previously assigned to the node by the key distribution center;
步骤S102:向密钥分发中心发送所述第一密文;Step S102: sending the first ciphertext to the key distribution center;
步骤S103:接收并使用第一密钥解密密钥分发中心返回的第二密文,获得所述节点与私钥生成器的本次会话密钥以及第三密文;其中,所述第三密文为:密钥分发中心使用预先为私钥生成器分配的对称密钥将本次会话密钥加密生成的;Step S103: Receive and use the first key to decrypt the second ciphertext returned by the key distribution center, and obtain the current session key between the node and the private key generator and the third ciphertext; wherein, the third ciphertext The text is: the key distribution center uses the symmetric key pre-assigned to the private key generator to encrypt and generate the session key;
步骤S104:向私钥生成器转发所述第三密文;Step S104: forwarding the third ciphertext to the private key generator;
步骤S105:接收并使用本次会话密钥解密私钥生成器发送的、使用本次会话密钥加密的第四密文,获得公开参数以及私钥。Step S105: Receive and use the current session key to decrypt the fourth ciphertext sent by the private key generator and encrypted with the current session key, to obtain the public parameters and the private key.
本发明实施例提出的用于节点的数据传输方法中,节点使用密钥分发中心采用不同的对称密钥为节点分发的一次一密的会话秘钥与私钥生成器进行通信,有效避免了节点仿冒攻击,同时保证了私钥服务器分发公开参数和节点私钥的安全性。In the data transmission method for nodes proposed in the embodiment of the present invention, nodes use different symmetric keys distributed by the key distribution center to communicate with the private key generator to communicate with the private key generator, effectively avoiding the node Counterfeiting attacks, while ensuring the security of private key servers distributing public parameters and node private keys.
如图2所示,本发明实施例提出的一种用于密钥分发中心的数据传输方法,包括以下步骤:As shown in Figure 2, a data transmission method for a key distribution center proposed by an embodiment of the present invention includes the following steps:
步骤S201:预先为各节点和私钥生成器分配不同的对称密钥;Step S201: assign different symmetric keys to each node and private key generator in advance;
步骤S202:接收节点发送的第一密文,并使用对称密钥中分配给所述节点的第一密钥解密所述第一密文;Step S202: receiving the first ciphertext sent by the node, and decrypting the first ciphertext using the first key assigned to the node among the symmetric keys;
步骤S203:当所述第一密文是所述节点请求与私钥生成器进行通信时,生成随机参数作为所述节点与私钥生成器的本次会话密钥;Step S203: When the first ciphertext is that the node requests to communicate with the private key generator, generate a random parameter as the current session key between the node and the private key generator;
步骤S204:使用对称密钥中分配给私钥生成器的第二密钥将本次会话密钥加密生成第三密文;Step S204: using the second key assigned to the private key generator in the symmetric key to encrypt the current session key to generate a third ciphertext;
步骤S205:使用第一密钥加密本次会话密钥和第三密文生成第二密文;Step S205: use the first key to encrypt the current session key and the third ciphertext to generate the second ciphertext;
步骤S206:将所述第二密文发送至所述节点。Step S206: Send the second ciphertext to the node.
本发明实施例提出的用于密钥分发中心的数据传输方法中,密钥分发中心器采用不同的对称密钥为节点和私钥生成器分发一次一密的会话秘钥,有效避免了节点仿冒攻击,同时保证了私钥生成器PKG分发公开参数和节点私钥的安全性。In the data transmission method for the key distribution center proposed in the embodiment of the present invention, the key distribution center uses different symmetric keys to distribute one-time-encrypted session keys for nodes and private key generators, effectively avoiding node counterfeiting attacks, while ensuring the security of the private key generator PKG to distribute public parameters and node private keys.
如图3所示,本发明实施例提出的一种用于私钥生成器的数据传输方法,包括以下步骤:As shown in Figure 3, a data transmission method for a private key generator proposed by an embodiment of the present invention includes the following steps:
步骤S301:接收并使用第二密钥解密节点转发的密钥分发中心生成的第三密文,获取与所述节点的本次会话密钥;其中,所述第二密钥为密钥分发中心预先为私钥生成器分配的对称密钥;Step S301: Receive and use the second key to decrypt the third ciphertext generated by the key distribution center forwarded by the node, and obtain the current session key with the node; wherein, the second key is the key distribution center A pre-assigned symmetric key for the private key generator;
步骤S302:使用本次会话密钥将预先生成的公开参数及所述节点的私钥加密后生成第四密文;Step S302: using the current session key to encrypt the pre-generated public parameters and the private key of the node to generate a fourth ciphertext;
步骤S303:将所述第四密文发送至所述节点。Step S303: Send the fourth ciphertext to the node.
本发明实施例提出的用于私钥生成器的数据传输方法中,私钥生成器通过密钥分发中心器采用预先分配的不同的对称密钥为节点分发的一次一密的会话秘钥,与节点进行通信,有效避免了节点仿冒攻击,同时保证了私钥服务器分发公开参数和节点私钥的安全性。In the data transmission method for the private key generator proposed by the embodiment of the present invention, the private key generator uses the different pre-allocated symmetric keys to distribute the one-time secret session key to the nodes through the key distribution center, and Nodes communicate, effectively avoiding node counterfeiting attacks, and at the same time ensuring the security of private key servers distributing public parameters and node private keys.
其中,私钥生成器PKG生成公开参数及节点的私钥时可以采用如图4所示的方案:Among them, the private key generator PKG can use the scheme shown in Figure 4 when generating public parameters and private keys of nodes:
选取一个素数有限域Fp,然后选取Fp上一条椭圆曲线E,使其阶为一大素数n,或者是一个大素数n与另一个小整数的乘积。然后选取一个阶n的点G,产生系统参数T=(p,a,b,G,Ppub,q,h,H1,H2)。此参数变量均为公开的系统参数。具体过程如下:Choose a finite field of prime numbers F p , and then choose an elliptic curve E on F p so that its order is a large prime number n, or the product of a large prime number n and another small integer. Then select a point G of order n to generate system parameters T=(p,a,b,G,P pub ,q,h,H1,H2). This parameter variable is a public system parameter. The specific process is as follows:
步骤S401:选取域元素a,b∈Fp,满足方程E:y2≡x3+ax+b(mod p),其中,Δ=4a3+27b2≠0(mod p)。Step S401: select domain elements a, b∈F p to satisfy the equation E:y 2 ≡x 3 +ax+b(mod p), where Δ=4a 3 +27b 2 ≠0(mod p).
步骤S402:根据选取的p及a,b值和椭圆曲线E计算相应的E(Fp)点集。具体过程如下:Step S402: Calculate the corresponding E(F p ) point set according to the selected p, a, b values and the elliptic curve E. The specific process is as follows:
设x取值在集合{0,1,2,...,p-1},带入椭圆曲线方程E中,求解y=d(modp),求解的过程是二次剩余求解过程。二次剩余定义是形如y2≡d(mod p)的同余式,其中p>1。若此同余式有解,则d称为模p的二次剩余;若此同余式无解,则d称为模p的二次非剩余。利用欧拉判别法判断是否有解:若p是奇素数且p不能整除d,则:Assuming that the value of x is in the set {0, 1, 2, ..., p-1}, bring it into the elliptic curve equation E, and solve y=d(modp), the solution process is a quadratic residual solution process. A quadratic residue is defined as a congruence of the form y 2 ≡d(mod p), where p>1. If the congruence has a solution, then d is called a quadratic residue modulo p; if the congruence has no solution, then d is called a quadratic non-residue modulo p. Use Euler's discriminant to judge whether there is a solution: if p is an odd prime number and p cannot divide d, then:
d是模p的二次剩余的充要条件为:d(p-1)/2=1(mod p)The necessary and sufficient condition for d to be a quadratic residue modulo p is: d (p-1)/2 =1(mod p)
d是模p的二非次剩余的充要条件为:d(p-1)/2=-1(mod p);The necessary and sufficient condition for d to be a quadratic non-subordinate remainder modulo p is: d (p-1)/2 =-1(mod p);
对于素数p=3mod4,二次剩余d的平方根是:±d(p+1)/4mod p;For a prime number p=3mod4, the square root of the quadratic residue d is: ±d (p+1)/4 mod p;
步骤S403:取得点集解后,在曲线E(Fp)上选取基点G=(xg,yg),利用椭圆曲线加法规则及倍点规则求解G点的阶。求解过程如下:Step S403: After obtaining the point set solution, select the base point G=(x g , y g ) on the curve E(F p ), and use the elliptic curve addition rule and the point doubling rule to solve the order of point G. The solution process is as follows:
加法规则:P(x1,y1)+Q(x2,y2)=S(x3,y3),其中:Addition rule: P(x 1 ,y 1 )+Q(x 2 ,y 2 )=S(x 3 ,y 3 ), where:
x3=λ2-x1-x2 x 3 =λ 2 -x 1 -x 2
y3=λ(x1-x3)-y1 y 3 =λ(x 1 -x 3 )-y 1
倍点规则:P(x1,y1)+P(x1,y1)=2P(x1,y1)=S(x3,y3),其中:Doubling rule: P(x 1 ,y 1 )+P(x 1 ,y 1 )=2P(x 1 ,y 1 )=S(x 3 ,y 3 ), where:
x3=λ2-2x1 x 3 =λ 2 -2x 1
y3=λ(x1-x3)-y1 y 3 =λ(x 1 -x 3 )-y 1
a为椭圆曲线方程中一次项的系数。求解中,x3,y3,λ均取mod p。分别求出2G,3G…nG=0(为无穷远点),n即为所求G点的阶。同时,参数满足如下限制:h=E(Fp)/q,E(Fp)≠p,pB≠1(mod q),其中,1≤B<20,h≤4,p,q还应满足p=2mod3且p=6q-1。a is the coefficient of the first-order term in the elliptic curve equation. In solving, x 3 , y 3 , and λ all take mod p. Calculate 2G, 3G...nG=0 (point at infinity), and n is the order of the G point. At the same time, the parameters satisfy the following constraints: h=E(F p )/q, E(F p )≠p, p B ≠1(mod q), where, 1≤B<20, h≤4, p, q also Should satisfy p=2mod3 and p=6q-1.
步骤S404:生成一个随机数*,s为系统的主密钥,并计算Ppub=s*G(利用倍点规则);对于任意给定的字符串ID∈{0,1}*,选择Hash散列函数H1:{0,1}*→G1 *,这个Hash函数把用户的身份ID映射到G1中的一个元素;H2:G1→{0,1}n,这个Hash函数决定M(明文空间)是{0,1}n,目的是将字符标示转化为离散值,便于加密、解密算法处理;将标识管理对应的标识IDid映射到椭圆曲线E(Fp)上的点Pid,并生成对应的私钥PIDid=s*Pid。此外,还可以根据各个节点发送来的标识信息进行验证,然后在PKG中生成相应的各个节点的私钥记录。Step S404: Generate a random number *, s is the master key of the system, and calculate P pub =s*G (using the doubling point rule); for any given string ID∈{0,1}*, select Hash hash function H 1 :{ 0,1} * →G 1 * , this Hash function maps the user’s identity ID to an element in G1; H 2 :G 1 →{0,1} n , this Hash function determines that M (plaintext space) is { 0,1} n , the purpose is to convert the character mark into a discrete value, which is convenient for encryption and decryption algorithm processing; map the mark ID id corresponding to mark management to the point P id on the elliptic curve E(F p ), and generate the corresponding Private key PID id =s*P id . In addition, verification can also be performed according to the identification information sent by each node, and then corresponding private key records of each node are generated in the PKG.
步骤S405:公开系统参数T=(p,a,b,G,Ppub,q,h,H1,H2)。Step S405: Publish system parameters T=(p, a, b, G, P pub , q, h, H1, H2).
本发明实施例中提出的椭圆曲线加法规则及倍点规则求解G点阶的方法,提高了对IBE算法生成的密钥破解的难度。The method of solving the G-point order by the elliptic curve addition rule and the doubling rule proposed in the embodiment of the present invention increases the difficulty of deciphering the key generated by the IBE algorithm.
以下,结合节点、密钥分发中心(KDC)以及私钥生成器(PKG)来对本发明实施例进行描述:Below, the embodiment of the present invention will be described in conjunction with nodes, key distribution center (KDC) and private key generator (PKG):
一、系统初始化:1. System initialization:
系统初始化主要用于实现KDC对传感器节点及PKG的认证、PKG公开参数及节点私钥的生成。System initialization is mainly used to realize KDC's authentication of sensor nodes and PKG, generation of PKG public parameters and node private key.
1、传感器节点及PKG在KDC上注册1. Sensor nodes and PKG are registered on KDC
1)密钥分发中心KDC是经权威机构认证的。1) The key distribution center KDC is certified by an authority.
2)传感器节点注册时,KDC为每个传感器节点分配不同的对称密钥,KDC知道每个传感器节点的密钥。每个传感器节点都可以用这个密钥和KDC安全通信;2) When sensor nodes register, KDC assigns different symmetric keys to each sensor node, and KDC knows the key of each sensor node. Each sensor node can use this key to communicate securely with the KDC;
例如KDC与传感器节点A的对称密钥为KA-KDC;KDC与私钥生成器PKG的对称密钥为KPKG-KDC;KDC存储节点的ID、PGK的ID及对应的对称密钥KA-KDC、KPKG-KDC。For example, the symmetric key between KDC and sensor node A is K A-KDC ; the symmetric key between KDC and private key generator PKG is K PKG-KDC ; the ID of KDC storage node, the ID of PGK and the corresponding symmetric key K A -KDC , K PKG-KDC .
3)KDC将经认证的节点ID信息,通过KPKG-KDC加密发送给PKG,PKG解密后在数据库中存储节点ID信息。3) KDC sends the authenticated node ID information to PKG through K PKG-KDC encryption, and PKG stores the node ID information in the database after decryption.
2、PKG公开参数及节点私钥的生成,该过程可参考上文,在此不再赘述。2. For the generation of PKG public parameters and node private keys, the process can refer to the above, and will not be repeated here.
二、传感器节点与PKG的会话密钥的分发:2. Distribution of session keys between sensor nodes and PKG:
1、当传感器节点A要与PKG进行通信,传输IBE的公开参数及由PKG生成的A的私钥时,A具有KA-KDC,ID;KDC具有KA-KDC及KPKG-KDC;PKG具有KPKG-KDC、IBE的公开参数及由PKG生成的A的私钥。1. When sensor node A wants to communicate with PKG and transmit the public parameters of IBE and the private key of A generated by PKG, A has K A-KDC , ID; KDC has K A-KDC and K PKG-KDC ; PKG It has K PKG-KDC , the public parameters of IBE and the private key of A generated by PKG.
2、A使用KA-KDC加密想要和PKG通信的请求信息,通过KA-KDC(A,PKG)发送给KDC。2. A uses K A-KDC to encrypt the request information to communicate with PKG, and sends it to KDC through K A-KDC (A, PKG) .
3、KDC收到请求后,利用保存的KA-KDC进行解密,知道A想要和PKG进行通信。KDC生成随机参数R1,将R1作为本次A与PKG进行通信的会话密钥。3. After receiving the request, KDC uses the stored K A-KDC to decrypt, knowing that A wants to communicate with PKG. The KDC generates a random parameter R1, and uses R1 as the session key for the communication between A and PKG.
4、KDC利用已知的A及PKG的对称密钥加密,将KA-KDC(R1,KPKG-KDC(A,R1))发送给A。4. KDC encrypts with the known symmetric key of A and PKG, and sends K A-KDC (R1, K PKG-KDC (A, R1)) to A.
5、A收到KDC发送的密文后,利用KA-KDC解密,获得本次会话密钥R1及KPKG-KDC(A,R1)。A将KPKG-KDC(A,R1)发送给PKG。5. After receiving the ciphertext sent by the KDC, A decrypts it with K A-KDC to obtain the current session key R1 and K PKG-KDC (A, R1). A sends K PKG-KDC (A, R1) to PKG.
6、PKG收到密文后利用KPKG-KDC进行解密,取得R1。6. After receiving the ciphertext, PKG uses K PKG-KDC to decrypt and obtain R1.
三、PKG公开参数、私钥的分发及采集信息的加解密:3. PKG public parameters, distribution of private keys and encryption and decryption of collected information:
1、PKG利用会话密钥R1将公开参数及由PKG生成的A的私钥加密后发送给传感器节点A。1. The PKG encrypts the public parameters and A's private key generated by the PKG with the session key R1 and sends them to the sensor node A.
2、传感器节点A利用IBE算法及已取得的公开参数、将汇聚节点的ID作为公钥,对采集信息进行加密处理,并将密文逐跳传递至汇集节点。2. Sensor node A uses the IBE algorithm and the obtained public parameters, uses the ID of the sink node as the public key, encrypts the collected information, and transmits the ciphertext to the sink node hop by hop.
3、汇聚节点利用从PGK获取的私钥进行解密,取得原文。3. The sink node uses the private key obtained from PGK to decrypt and obtain the original text.
本发明实施例提出的数据方案首先通过传感器节点及PKG在KDC进行认证注册,KDC采用不同的对称密钥为节点分发一次一密的会话秘钥,有效防止了仿冒行为;考虑到传感器节点的特殊性,采用了基于身份的加密算法IBE,公钥是对方的身份标识ID,生成的密钥只有节点自己有,当一个节点被破获后,牵涉不到其他节点的安全,不影响全网的安全,与网络的规模无关,这样保证了网络的强健壮性,并且通过加法规则及倍点规则求解了G点阶,提高了算法的安全性,从而保证了信息的私密性、安全性、可靠性。The data scheme proposed by the embodiment of the present invention first authenticates and registers in the KDC through the sensor nodes and PKG, and the KDC uses different symmetric keys to distribute one-time secret session keys to the nodes, effectively preventing counterfeiting; considering the special characteristics of the sensor nodes The identity-based encryption algorithm IBE is adopted. The public key is the identity ID of the other party. The generated key is only owned by the node itself. When a node is cracked, it does not involve the security of other nodes and does not affect the security of the entire network. , has nothing to do with the scale of the network, which ensures the robustness of the network, and solves the G-point order through the addition rule and the doubling rule, which improves the security of the algorithm, thus ensuring the privacy, security and reliability of information .
通过本发明实施例提出的数据传输方法,提高了物联网采集数据传输的安全性和传输效率,为物联网数据传输安全保障提供了可靠的支撑。Through the data transmission method proposed by the embodiment of the present invention, the security and transmission efficiency of the data transmission collected by the Internet of Things are improved, and reliable support is provided for the security guarantee of the data transmission of the Internet of Things.
相应地,本发明实施例还提出一种节点,如图5所示,包括:Correspondingly, the embodiment of the present invention also proposes a node, as shown in FIG. 5 , including:
生成第一密文模块501,用于使用第一密钥加密节点与私钥生成器进行通信的请求,生成第一密文;其中,所述第一密钥为密钥分发中心预先为所述节点分配的对称密钥;Generate a first ciphertext module 501, used to use the first key to encrypt the request of the node to communicate with the private key generator, and generate the first ciphertext; wherein, the first key is the key distribution center for the Symmetric keys assigned by nodes;
第一发送模块502,用于向密钥分发中心发送所述第一密文;A first sending module 502, configured to send the first ciphertext to the key distribution center;
第一接收模块503,用于接收并使用第一密钥解密密钥分发中心返回的第二密文,获得所述节点与私钥生成器的本次会话密钥以及第三密文;其中,所述第三密文为:密钥分发中心使用预先为私钥生成器分配的对称密钥将本次会话密钥加密生成的;The first receiving module 503 is configured to receive and use the first key to decrypt the second ciphertext returned by the key distribution center, and obtain the current session key and the third ciphertext between the node and the private key generator; wherein, The third ciphertext is: the key distribution center uses the symmetric key pre-allocated to the private key generator to encrypt and generate the session key;
第二发送模块504,用于向私钥生成器转发所述第三密文;The second sending module 504 is configured to forward the third ciphertext to the private key generator;
第二接收模块505,用于接收并使用本次会话密钥解密私钥生成器发送的、使用本次会话密钥加密的第四密文,获得公开参数以及私钥。The second receiving module 505 is configured to receive and use the current session key to decrypt the fourth ciphertext encrypted by the current session key sent by the private key generator, to obtain the public parameters and the private key.
如图6所示,本发明实施例还提出一种密钥分发中心,包括:As shown in Figure 6, the embodiment of the present invention also proposes a key distribution center, including:
分配模块601,用于预先为各节点和私钥生成器分配不同的对称密钥;An allocation module 601, configured to pre-allocate different symmetric keys for each node and private key generator;
第三接收模块602,用于接收节点发送的第一密文,并使用对称密钥中分配给所述节点的第一密钥解密所述第一密文;The third receiving module 602 is configured to receive the first ciphertext sent by the node, and decrypt the first ciphertext using the first key assigned to the node among the symmetric keys;
生成会话密钥模块603,用于当所述第一密文是所述节点请求与私钥生成器进行通信时,生成随机参数作为所述节点与私钥生成器的本次会话密钥;Generate a session key module 603, configured to generate random parameters as the current session key between the node and the private key generator when the first ciphertext is that the node requests to communicate with the private key generator;
生成第三密文模块604,用于使用对称密钥中分配给私钥生成器的第二密钥将本次会话密钥加密生成第三密文;Generate a third ciphertext module 604, configured to use the second key assigned to the private key generator in the symmetric key to encrypt the current session key to generate a third ciphertext;
生成第二密文模块605,用于使用第一密钥加密本次会话密钥以及第三密文生成第二密文;Generating a second ciphertext module 605, configured to use the first key to encrypt the current session key and the third ciphertext to generate a second ciphertext;
第三发送模块606,用于将所述第二密文发送至所述节点。A third sending module 606, configured to send the second ciphertext to the node.
如图7所示,本发明实施例还提出一种私钥生成器,包括:As shown in Figure 7, the embodiment of the present invention also proposes a private key generator, including:
第四接收模块701,用于接收并使用第二密钥解密节点转发的密钥分发中心生成的第三密文,获取与所述节点的本次会话密钥;其中,所述第二密钥为密钥分发中心预先为私钥生成器分配的对称密钥;The fourth receiving module 701 is configured to receive and use the second key to decrypt the third ciphertext generated by the key distribution center forwarded by the node, and obtain the current session key with the node; wherein the second key The symmetric key pre-assigned to the private key generator by the key distribution center;
生成第四密文模块702,用于使用本次会话密钥将预先生成的公开参数及所述节点的私钥加密后生成第四密文;Generate a fourth ciphertext module 702, configured to use the current session key to encrypt the pre-generated public parameters and the private key of the node to generate a fourth ciphertext;
第四发送模块703,用于将所述第四密文发送至所述节点。A fourth sending module 703, configured to send the fourth ciphertext to the node.
所述私钥生成器还包括:The private key generator also includes:
生成模块,用于选取素数有限域上的一条椭圆曲线,使其阶为一大素数n,或者是一个大素数n与另一个小整数的乘积;选择椭圆曲线上的基点,计算基点的阶n,产生所述公开参数和节点的私钥。The generation module is used to select an elliptic curve on the finite field of prime numbers, and make its order be a large prime number n, or the product of a large prime number n and another small integer; select a base point on the elliptic curve, and calculate the order n of the base point , to generate the public parameters and the private key of the node.
本发明实施例还提出一种数据传输系统,包括节点、密钥分发中心和私钥生成器,其中,所述节点用于:The embodiment of the present invention also proposes a data transmission system, including a node, a key distribution center, and a private key generator, wherein the node is used for:
使用第一密钥加密节点与私钥生成器进行通信的请求,生成第一密文;其中,所述第一密钥为密钥分发中心预先为所述节点分配的对称密钥;Using the first key to encrypt a request for communication between the node and the private key generator, and generate a first ciphertext; wherein, the first key is a symmetric key previously assigned to the node by the key distribution center;
向密钥分发中心发送所述第一密文;Send the first ciphertext to the key distribution center;
接收并使用第一密钥解密密钥分发中心返回的第二密文,获得所述节点与私钥生成器的本次会话密钥以及第三密文;其中,所述第三密文为:密钥分发中心使用预先为私钥生成器分配的对称密钥将本次会话密钥加密生成的;Receive and use the first key to decrypt the second ciphertext returned by the key distribution center, and obtain the current session key between the node and the private key generator and the third ciphertext; wherein, the third ciphertext is: The key distribution center uses the symmetric key pre-assigned to the private key generator to encrypt and generate the session key;
向私钥生成器转发所述第三密文;forwarding said third ciphertext to a private key generator;
接收并使用本次会话密钥解密私钥生成器发送的、使用本次会话密钥加密的第四密文,获得公开参数以及私钥;Receive and use the current session key to decrypt the fourth ciphertext sent by the private key generator and encrypted with the current session key, to obtain the public parameters and the private key;
所述密钥分发中心用于:The key distribution center is used for:
预先为各节点和私钥生成器分配不同的对称密钥;Assign different symmetric keys to each node and private key generator in advance;
接收节点发送的第一密文,并使用对称密钥中分配给所述节点的第一密钥解密所述第一密文;receiving the first ciphertext sent by the node, and decrypting the first ciphertext using the first key assigned to the node among the symmetric keys;
当所述第一密文是所述节点请求与私钥生成器进行通信时,生成随机参数作为所述节点与私钥生成器的本次会话密钥;When the first ciphertext is that the node requests to communicate with the private key generator, generate a random parameter as the current session key between the node and the private key generator;
使用对称密钥中分配给私钥生成器的第二密钥将本次会话密钥加密生成第三密文;Use the second key assigned to the private key generator in the symmetric key to encrypt the current session key to generate a third ciphertext;
使用第一密钥加密本次会话密钥和第三密文生成第二密文;Using the first key to encrypt the current session key and the third ciphertext to generate the second ciphertext;
将所述第二密文发送至所述节点;sending the second ciphertext to the node;
所述私钥生成器用于:The private key generator is used to:
接收并使用第二密钥解密所述节点转发的密钥分发中心生成的第三密文,获取与所述节点的本次会话密钥;其中,所述第二密钥为密钥分发中心预先为私钥生成器分配的对称密钥;receiving and using the second key to decrypt the third ciphertext generated by the key distribution center forwarded by the node, and obtaining the current session key with the node; A symmetric key assigned to the private key generator;
使用本次会话密钥将预先生成的公开参数及所述节点的私钥加密后生成第四密文;Using the current session key to encrypt the pre-generated public parameters and the private key of the node to generate the fourth ciphertext;
将所述第四密文发送至所述节点。Send the fourth ciphertext to the node.
本领域内的技术人员应明白,本发明的实施例可提供为方法、系统、或计算机程序产品。因此,本发明可采用完全硬件实施例、完全软件实施例、或结合软件和硬件方面的实施例的形式。而且,本发明可采用在一个或多个其中包含有计算机可用程序代码的计算机可用存储介质(包括但不限于磁盘存储器和光学存储器等)上实施的计算机程序产品的形式。Those skilled in the art should understand that the embodiments of the present invention may be provided as methods, systems, or computer program products. Accordingly, the present invention can take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage and optical storage, etc.) having computer-usable program code embodied therein.
本发明是参照根据本发明实施例的方法、设备(系统)、和计算机程序产品的流程图和/或方框图来描述的。应理解可由计算机程序指令实现流程图和/或方框图中的每一流程和/或方框、以及流程图和/或方框图中的流程和/或方框的结合。可提供这些计算机程序指令到通用计算机、专用计算机、嵌入式处理机或其他可编程数据处理设备的处理器以产生一个机器,使得通过计算机或其他可编程数据处理设备的处理器执行的指令产生用于实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能的装置。The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It should be understood that each procedure and/or block in the flowchart and/or block diagram, and combinations of procedures and/or blocks in the flowchart and/or block diagram can be realized by computer program instructions. These computer program instructions may be provided to a general purpose computer, special purpose computer, embedded processor, or processor of other programmable data processing equipment to produce a machine such that the instructions executed by the processor of the computer or other programmable data processing equipment produce a Means for realizing the functions specified in one or more steps of the flowchart and/or one or more blocks of the block diagram.
这些计算机程序指令也可存储在能引导计算机或其他可编程数据处理设备以特定方式工作的计算机可读存储器中,使得存储在该计算机可读存储器中的指令产生包括指令装置的制造品,该指令装置实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能。These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing apparatus to operate in a specific manner, such that the instructions stored in the computer-readable memory produce an article of manufacture comprising instruction means, the instructions The device realizes the function specified in one or more procedures of the flowchart and/or one or more blocks of the block diagram.
这些计算机程序指令也可装载到计算机或其他可编程数据处理设备上,使得在计算机或其他可编程设备上执行一系列操作步骤以产生计算机实现的处理,从而在计算机或其他可编程设备上执行的指令提供用于实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能的步骤。These computer program instructions can also be loaded onto a computer or other programmable data processing device, causing a series of operational steps to be performed on the computer or other programmable device to produce a computer-implemented process, thereby The instructions provide steps for implementing the functions specified in the flow chart flow or flows and/or block diagram block or blocks.
显然,本领域的技术人员可以对本发明进行各种改动和变型而不脱离本发明的精神和范围。这样,倘若本发明的这些修改和变型属于本发明权利要求及其等同技术的范围之内,则本发明也意图包含这些改动和变型在内。Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from the spirit and scope of the present invention. Thus, if these modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalent technologies, the present invention also intends to include these modifications and variations.
Claims (9)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201310269180.9A CN104283667B (en) | 2013-07-01 | 2013-07-01 | A kind of data transmission method, apparatus and system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201310269180.9A CN104283667B (en) | 2013-07-01 | 2013-07-01 | A kind of data transmission method, apparatus and system |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN104283667A true CN104283667A (en) | 2015-01-14 |
| CN104283667B CN104283667B (en) | 2017-11-21 |
Family
ID=52258181
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201310269180.9A Active CN104283667B (en) | 2013-07-01 | 2013-07-01 | A kind of data transmission method, apparatus and system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN104283667B (en) |
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104967517A (en) * | 2015-07-24 | 2015-10-07 | 电子科技大学 | A network data aggregation method for wireless sensors |
| CN106067874A (en) * | 2016-05-20 | 2016-11-02 | 深圳市金立通信设备有限公司 | A kind of method by data record to server end, terminal and server |
| CN114339745A (en) * | 2021-12-28 | 2022-04-12 | 中国电信股份有限公司 | Key distribution method, system and related equipment |
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20030026433A1 (en) * | 2001-07-31 | 2003-02-06 | Matt Brian J. | Method and apparatus for cryptographic key establishment using an identity based symmetric keying technique |
| CN103166919A (en) * | 2011-12-13 | 2013-06-19 | 中国移动通信集团黑龙江有限公司 | Method and system for information transmission of Internet of Things |
-
2013
- 2013-07-01 CN CN201310269180.9A patent/CN104283667B/en active Active
Patent Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20030026433A1 (en) * | 2001-07-31 | 2003-02-06 | Matt Brian J. | Method and apparatus for cryptographic key establishment using an identity based symmetric keying technique |
| CN103166919A (en) * | 2011-12-13 | 2013-06-19 | 中国移动通信集团黑龙江有限公司 | Method and system for information transmission of Internet of Things |
Cited By (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104967517A (en) * | 2015-07-24 | 2015-10-07 | 电子科技大学 | A network data aggregation method for wireless sensors |
| CN104967517B (en) * | 2015-07-24 | 2018-03-20 | 电子科技大学 | A kind of network data convergence method for wireless senser |
| CN106067874A (en) * | 2016-05-20 | 2016-11-02 | 深圳市金立通信设备有限公司 | A kind of method by data record to server end, terminal and server |
| CN106067874B (en) * | 2016-05-20 | 2019-07-12 | 深圳市金立通信设备有限公司 | It is a kind of by the method for data record to server end, terminal and server |
| CN114339745A (en) * | 2021-12-28 | 2022-04-12 | 中国电信股份有限公司 | Key distribution method, system and related equipment |
| CN114339745B (en) * | 2021-12-28 | 2024-01-26 | 中国电信股份有限公司 | Key distribution method, system and related equipment |
Also Published As
| Publication number | Publication date |
|---|---|
| CN104283667B (en) | 2017-11-21 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| JP6670395B2 (en) | System and method for distribution of identity-based key material and certificate | |
| CN104539423B (en) | A kind of implementation method without CertPubKey cipher system of no Bilinear map computing | |
| CN109873699B (en) | Revocable identity public key encryption method | |
| CN103986574B (en) | A kind of Tiered broadcast encryption method of identity-based | |
| CN103746811B (en) | Anonymous signcryption method from identity public key system to certificate public key system | |
| CN104811302B (en) | Certificateless Elliptic Curve Hybrid Signcryption Method | |
| CN105187205B (en) | The authentication key agreement method and negotiating system based on level identity base without certificate | |
| CN102970144B (en) | The authentication method of identity-based | |
| JP2004208262A (en) | Apparatus and method of ring signature based on id employing bilinear pairing | |
| Li et al. | Cryptanalysis and improvement for certificateless aggregate signature | |
| CN108880796A (en) | It is a kind of for server efficiently based on the outsourcing decryption method of encryption attribute algorithm | |
| CN108183791A (en) | Applied to the Intelligent terminal data safe processing method and system under cloud environment | |
| SenthilKumar et al. | Review of asymmetric key cryptography in wireless sensor networks | |
| CN104796260B (en) | A kind of short ciphertext identity base encryption method for meeting forward secrecy | |
| CN105141419A (en) | Attribute-based signature method and attribute-based signature system in large attribute universe | |
| Liao et al. | Security analysis of a certificateless provable data possession scheme in cloud | |
| CN104283667B (en) | A kind of data transmission method, apparatus and system | |
| CN103490890A (en) | Combination public key authentication password method based on conic curves | |
| CN103746810A (en) | Anonymous sign-cryption method from certificate public key system to identity public key system | |
| CN105207781A (en) | Novel-system wireless sensor network encryption algorithm | |
| Sung et al. | ID-based sensor node authentication for multi-layer sensor networks | |
| KR101507572B1 (en) | ID-Based Key Authentication Method for Security of Sensor Data Communications | |
| Tian et al. | Cryptanalysis and improvement of a certificateless multi-proxy signature scheme | |
| Li et al. | Key management using certificateless public key cryptography in ad hoc networks | |
| Manjunath et al. | An hybrid secure scheme for secure transmission in grid based Wireless Sensor Network |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |