Summary of the invention
The invention provides a kind of safety method of radio sensing network, select to have high credible node and carry out secure communication, improve the communication security of radio sensing network.
Radio sensing network (WSN, wireless sensor network) communication on is the communication between the node after all, select any two nodes on the radio sensing network, these two nodes are denoted as respectively source node and destination node, these two internodal distances are greater than the communication radius of arbitrary node, but less than two node communication radius sums, there is overlapping region with the communication range that guarantees two nodes.
The encryption method of a kind of radio sensing network of the present invention comprises:
(1) calculates the first PKI and the first private key at source node;
The production method of PKI and private key adopts the unsymmetrical key negotiation mechanism, such as RSA Algorithm, elliptic curve encryption algorithm (ECC), Diffie-Hellman algorithm, El Gamal algorithm, DSA algorithm etc.;
(2) source node is searched the first intermediate node, and the first PKI is sent to the first intermediate node;
(3) first intermediate nodes send to destination node with the first PKI;
(4) destination node uses the first PKI that the first clear data is encrypted, and generates the first encrypt data;
(5) calculate the second PKI and the second private key at destination node, and search the second intermediate node, the first encrypt data and the second PKI are sent to the second intermediate node;
(6) second intermediate nodes send to source node with the first encrypt data and the second PKI;
(7) source node uses the first private key that the first encrypt data is deciphered, and restores the first clear data, to the second plaintext data encryption, generates the second encrypt data with the second PKI, and calculates the 3rd PKI and the 3rd private key;
(8) source node is searched the 3rd intermediate node, and the second encrypt data and the 3rd PKI are sent to the 3rd intermediate node;
(9) the 3rd intermediate nodes send to destination node with the second encrypt data and the 3rd PKI;
(10) destination node uses the second private key that the second encrypt data is deciphered, and restores the second plaintext data, to the 3rd expressly data encryption, generates the 3rd encrypt data with the 3rd PKI, and calculates the public private key pair that makes new advances;
(11) source node and destination node repeat the above process of calculating public private key pair, encryption, deciphering, search intermediate node, pass on PKI and encrypt data by intermediate node, realize communicating by letter between source node and destination node.
By above method, finish once communication between source node and the destination node, the first clear data is sent to source node from destination node, and the second plaintext data are sent to destination node from source node.Afterwards, according to the selection intermediate node of above method circulation great-jump-forward, corresponding PKI and ciphertext transmit between source node and destination node by intermediate node between source node and the destination node.But PKI and ciphertext that each intermediate node receives or transmits can not cooperate, for example, the second intermediate node has received the first encrypt data and the second PKI that sends from destination node in above method, but the first encrypt data is to be generated by the first public key encryption.Like this, even the data on the second intermediate node P2 are intercepted and captured, also can not affect the fail safe of the transmission of data.
In the above method, all intermediate nodes are the interior trusted node of communication range overlapping region of source node and destination node, decision node is that the method for trusted node or malicious node has two kinds, a kind of method is judged as trusted node with its relative stability RS less than the node of default relative stability threshold value RS ', otherwise is malicious node.The relative stability RS of node is node each time after the change in location, and with respect to the mean value of the rate of change of a front change in location, its mathematics tabular form is:
Wherein, t
0The initial time of expression record, t
nThe moment that represents the n time record, pos
0The initial position of expression node, pos
nThe position of node when representing the n time record.
Another kind method is judged as trusted node with its absolute AS less than the node of default absolute threshold value A S ', otherwise is malicious node.The absolute AS of node is node after change in location each time, and with respect to the mean value of rate of change of the change in location first time, its mathematics tabular form is:
Wherein, t
0The initial time of expression record, t
nThe moment that represents the n time record, pos
0The initial position of expression node, pos
nThe position of node when representing the n time record.
The safety communicating method of a kind of radio sensing network of the present invention, the method is judged effective filtering fallacious node with key agreement logical AND data communication logical separation by the feasibility of node, selection has high credible node and carries out secure communication, improves the communication security of radio sensing network.
Embodiment
Describe the safety communicating method of a kind of radio sensing network of the present invention in detail below in conjunction with accompanying drawing
The implementation step.
Such as Fig. 1, node A, B are two nodes on the radio sensing network, are labeled as respectively source node A and target node b, and its communication range is take node as the center of circle, with communication radius R separately
A, R
BBe the circle of radius, these two internodal distances are L
AB, two euclidean distance between node pair L
ABSatisfy max (R
A, R
B)<L
AB<R
A+ R
B, max (R
A, R
B) two node communication radiuses of expression are larger one.Distance L between the two
ABSatisfy this condition so that the communication range of two nodes has common factor S
AB, this common factor is called the ND zone (NeighborDiscovery) of source node A and target node b.If L
AB≤ max (R
A, R
B), namely one of them node can be covered by the communication range of another node, then can direct communication between these two nodes.
Communication between source node A and the target node b shows as mutual data transmission between two nodes.In radio sensing network, data with the form of packet in transmission over networks.The data M A that source node A will need to transmit is cut apart and is packaged into l packet MA
1, MA
2... MA
l, the data M B that target node b will need to transmit is cut apart and is packaged into m packet MB
1, MB
2... MB
mL and m can equate, also can not wait, and depend on the data volume of needs transmission, but the amount of capacity of each packet equates.
As shown in Figure 2, realize that according to these two nodes of the present invention the method for secure communication is:
(1) source node A calculates a pair of PKI PKA
1With private key PSA
1
The production method of PKI and private key adopts the unsymmetrical key negotiation mechanism, such as RSA Algorithm, elliptic curve encryption algorithm (ECC), Diffie-Hellman algorithm, El Gamal algorithm, DSA algorithm etc.
(2) source node A is at ND zone S
ABIn find out an intermediate node P
1, with PKI PKA
1Send to intermediate node P
1
Because distant between source node A and target node b and can't direct communication then needs to come transfer of data by intermediate node.At ND zone S
ABIn the intermediate node that finds out must guarantee that the communication radius of the intermediate node that source node A and target node b are all found out covers, and makes source node A can both communicate by letter with the intermediate node that finds out with target node b.
Exist malicious node on the radio sensing network, if selected the intermediate node of malicious node as transfer of data, then communication security will be on the hazard.Therefore need to distinguish malicious node and trusted node.On radio sensing network, the physical location of node generally can change.But the amplitude of malicious node change in location and frequency are all greater than trusted node.Based on this, can judge whether a certain node is malicious node.
The invention provides two kinds of methods of judging malicious node.A kind of is relative stability determination methods (Relative Stability Choose is called for short RSC), and another kind is absolute determination methods (Absolute Stability Choose is called for short ASC).
As shown in Figure 3, the relative stability determination methods of malicious node is:
At initial time t
0Record the position pos of this node
0, at t
1Constantly record the position pos of this node
1, at t
2Constantly record the position pos of this node
2... the time interval of twice record can be set to equate or do not wait that the time interval is data rule of thumb, and sample with one minute to five minutes interval, because subsequent calculations is rate of change, size blanking time of therefore choosing can not affect accuracy.The number of times of record can be regulated, and the more judgements to node of the number of times of record are more accurate, generally get 5~10 times.
Then the relative stability RS of computing node.The relative stability RS of node is defined as node each time after the change in location, and with respect to the mean value of the rate of change of a front change in location, its mathematics tabular form is:
With the relative stability RS of this node and default relative stability threshold value RS ', this threshold value is ND zone S within the some cycles
ABIn the mean value that changes of all modal displacements.Relatively, if RS 〉=RS ' judges that then this node is malicious node; If RS<RS ' judges that then this node is trusted node.
Absolute determination methods and the relative stability determination methods of malicious node are similar, as shown in Figure 4, at first also must record each constantly t
0, t
1... the position pos of this node
0, pos
1..., the absolute AS of computing node then.The absolute AS of node is defined as node after change in location each time, and with respect to the mean value of rate of change of the change in location first time, its mathematics tabular form is:
With the absolute AS of this node and default absolute threshold value A S ' comparison, if AS 〉=AS ' judges that then this node is malicious node; If AS<AS ' judges that then this node is trusted node.
Source node A is by relative stability determination methods or absolute determination methods (the selective basis communication node of determination methods was finished through negotiation before communication), at the ND zone of source node A and target node b S
ABIn find out a trusted node P
1As intermediate node, and with the PKI PKA that calculates
1Send to intermediate node P
1
(3) intermediate node P
1With PKI PKA
1Send to target node b.
(4) target node b receives PKI PKA
1After, PKA uses public-key
1To packet MB
1Encrypt, generate corresponding encrypt data SB
1
(5) target node b calculates a pair of PKI PKB
1With private key PSB
1, the production method of PKI and private key adopts the unsymmetrical key negotiation mechanism equally.
(6) target node b is at ND zone S
ABIn find out intermediate node P
2, with PKI PKB
1With encrypt data SB
1Send to intermediate node P
2
The lookup method of intermediate node judges at first according to the determination methods of above-described malicious node whether certain node is malicious node, and malicious node is filtered, and selects a trusted node to transmit data as intermediate node.
Below the lookup method of all intermediate nodes all identical, all be at ND zone S
ABIn find out trusted node as intermediate node.
(7) intermediate node P
2With PKI PKB
1With encrypt data SB
1Send to source node A.
(8) source node A uses private key PSA
1With encrypt data SB
1Deciphering restores packet MB
1
(9) source node A PKI PKB
1To packet MA
1Encrypt, generate corresponding encrypt data SA
1
(10) source node A adopts the unsymmetrical key negotiation mechanism to calculate a pair of PKI PKA
2With private key PSA
2
(11) source node A is at ND zone S
ABIn search intermediate node P
3, with encrypt data SA
1With PKI PKA
2Send to intermediate node P
3
(12) intermediate node P
3With encrypt data SA
1With PKI PKA
2Send to target node b.
(13) target node b uses private key PSB
1With encrypt data SA
1Deciphering restores packet MA
1
(14) target node b PKI PKA
2To packet MB
2Encrypt, generate corresponding encrypt data SB
2
(15) target node b adopts the unsymmetrical key negotiation mechanism to calculate a pair of PKI PKB
2With private key PSB
2
Then, target node b is searched intermediate node P
4, with encrypt data SB
2With PKI PKB
2Send to intermediate node P
4, by P
4With encrypt data SB
2With PKI PKB
2Transfer to source node A.Repeat said process, constantly search intermediate node, pass on PKI and encrypt data by intermediate node.But each intermediate node reception or the PKI and the encrypt data that pass on can not cooperatively interact.For example, intermediate node P
2The PKI PKB that receives or pass on
1With encrypt data SB
1Do not mate, because encrypt data SB
1The PKI PKA that target node b adopts source node A to calculate
1To packet MB
1Encrypt and generate.Equally, intermediate node P
3The PKI PKA that receives or pass on
2With encrypt data SA
1Do not mate, because encrypt data SA
1The PKI PKB that source node A adopts the target source Node B to calculate
1To packet MA
1Encrypt and generate.Like this, even the PKI on the intermediate node and encrypt data are intercepted and captured, can not utilize the PKI of intercepting and capturing to crack the encrypt data of intercepting and capturing, protect the fail safe of communication data.
According to above method, the double counting public private key pair, encrypt, search the process of intermediate node, deciphering, ultimate source node A will receive all packet MB
1, MB
2... MB
m, this m packet reconfigured to recover data M B.Equally, target node b will receive all packet MA
1, MA
2... MA
l, this l packet reconfigured to recover data M A.Owing to the packet on the node is to be encrypted by the PKI that calculates on another node, and the public private key pair of each packet is not identical, then must calculate altogether m to public private key pair at source node A, must calculate altogether l public private key pair at target node b.Like this, even ganging up also, adjacent two intermediate nodes can not bring larger threat to whole communication process.For example, if above-mentioned first intermediate node P
1With second intermediate node P
2Gang up first intermediate node P
1With its PKI PKA that receives
1Send second intermediate node P to
2Because second intermediate node P
2Can receive by PKI PKA
1To packet MB
1The encrypt data SB that encrypts and generate
1, second intermediate node P so
2Might utilize PKI PKA
1To encrypt data SB
1Crack, and crack out packet MB
1But packet MB
1Be the sub-fraction among the data M B, even crack out packet MB
1Security threat to whole data M B is also just very little.
In order to verify performance of the present invention, we have carried out following test under the Netlogo of Northwestern Univ USA platform: be provided with Three role in the environment of experiment, a kind of is trusted node, their movement rule is to produce by random function to have the displacement that stable fluctuation changes, and quantity is 100; Another is the base station, and the position immobilizes, and quantity is 10; At last a kind of is malicious node, and its change in location is random high-speed mobile, and one has 20.
Test the communication efficiency an of the inventive method
We select five group nodes, and this five group node all communicates according to the method that the present invention searches intermediate node by great-jump-forward, selects in addition a group node as a comparison, and this group node is according to the communication mode of traditional stationary nodes.The packet that each handshake procedure transmission is set is 128k, tests the time that each handshake procedure experiences, relatively the loss of its performance.A handshake procedure represents to transmit mutually between two communication nodes the process of a packet, is referred to as the session that communicates by letter.
Test result data as shown in Figure 5, the ordinate of test data figure represents the time that each communication session experiences, unit is millisecond, which session abscissa represents, a nethermost test result that curve is the communication mode of traditional stationary nodes among the figure, above five curves represent respectively five groups of test results that communicate according to the inventive method.
By the figure sight, at the node communication initial phase, namely in first session, stationary nodes communication pattern and great-jump-forward coded communication of the present invention all need to calculate public private key pair, and its required time is suitable, is about 700ms, and performance is basically identical.And after first session, because each session of great-jump-forward communication means needs to search for new intermediate node and calculates new public private key pair, therefore the required time longer, performance loss is larger, than time that first session consumes without significant change.And traditional stationary nodes communication pattern need not to search for new intermediate node, also need not to calculate new public private key pair, the time less that each session is required, and than first session, the time that consumes obviously reduces.Communication means of the present invention is 81.7% with respect to the mean value of stationary nodes communication pattern performance loss.
For improving efficient of the present invention, the coding structure of algorithm is adjusted:
1, the formation logic of the public private key pair of next Session and the transmission logic of current Session packet are calculated by thread parallel, take Fig. 2 as example, when target node b with encrypt data bag SB
1With PKI PKB
1Send to intermediate node P
2After, namely begin to calculate next public private key pair PKB
2, PSB
2, and need not by the time to receive intermediate node P
3The data of passing on just begin to calculate public private key pair.Parallel computation is to shorten call duration time like this.
2, with the size of the packet of each Session, be increased to 1024k.Packet size is larger, its time of transmitting between two nodes is longer, source node A and target node b can take full advantage of the transmission time of packet and process static traffic, as encrypting, deciphering, calculating public private key pair, can improve like this utilization ratio of time.
After the algorithm adjustment, repeated experiments.Again after the test experimental result that draws as shown in Figure 6 because packet size increases, the elapsed time of first session is increased to about 2800ms.Afterwards, be 11.5% according to the method after improving with respect to the performance loss mean value of stationary nodes communication pattern, significantly reduced the loss of performance, optimized communication efficiency.
Test the communications security of two the inventive method
Selected 4 group nodes, all adopted great-jump-forward coded communication pattern of the present invention, wherein the lookup method of 2 groups of intermediate nodes adopts the relative stability determination methods, is called for short SCR; The lookup method of other 2 groups of intermediate nodes adopts the absolute determination methods, is called for short SCA.
Select quantity by the node of testing within 10 minutes, the efficient that the evaluate safety node is selected.
Experimental data is as shown in the table, by apparent it, RSC algorithm and ASC algorithm all are to judge malicious node by the variation of stabilizing distance, detection in conjunction with the historical position data, for the logic of node Dynamic Selection provides tighter credible detection algorithm, as a whole, algorithm can filter a large amount of malicious nodes, the node of selecting to have higher-security from mobile radio network communicates, effective guarantee the communication security on the radio sensing network.
Table 1 adopts different nodes to search algorithm to the comparison of malicious node screening effeciency
The intermediate node lookup method |
The intermediate node sum |
Ordinary node |
Malicious node |
The node efficiency of selection |
The RSC algorithm |
905 |
871 |
34 |
96.2% |
The RSC algorithm |
865 |
839 |
26 |
97.0% |
The ASC algorithm |
896 |
867 |
29 |
96.8% |
The ASC algorithm |
849 |
812 |
37 |
95.6% |