CN112714507A - Method for data security transmission between wireless ad hoc networks - Google Patents

Publication number
CN112714507A
Authority
CN
China
Prior art keywords
data
node
receiving node
message
response
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202110054147.9A
Other languages
Chinese (zh)
Other versions
CN112714507B (en)
Inventor
蒲军
梁娟娟
陈曦
王青
王观辉
戴佳
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Jiangsu Zhenghetong Information Technology Co ltd
Original Assignee
Jiangsu Zhenghetong Information Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Jiangsu Zhenghetong Information Technology Co ltd filed Critical Jiangsu Zhenghetong Information Technology Co ltd
Priority to CN202110054147.9A priority Critical patent/CN112714507B/en
Publication of CN112714507A publication Critical patent/CN112714507A/en
Application granted granted Critical
Publication of CN112714507B publication Critical patent/CN112714507B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W84/00 Network topologies
    • H04W84/18 Self-organising networks, e.g. ad-hoc networks or sensor networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0643 Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Power Engineering (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Small-Scale Networks (AREA)

Abstract

The invention discloses a method for safely transmitting data between wireless ad hoc networks, which comprises the following steps: the node constructs a node public key table; a sending node sends a data message to a receiving node; after receiving the data message and carrying out security check, the receiving node sends a response message to the sending node; after receiving the response message and carrying out security check and data comparison, the sending node sends a data confirmation message to the receiving node; and the receiving node receives the data confirmation message and selects to keep or discard the data according to the type of the data confirmation message. On the basis of a network architecture of the wireless ad hoc network, the method integrates a Hash algorithm, a public key cryptographic algorithm and an encryption authentication technology, and designs a brand-new data security transmission method, so that the security interaction of data among the internal nodes of the wireless ad hoc network is realized. The method has wide application range, is easy to realize, is safe and reliable, and can be used in network environments with extremely high safety requirements.

Description

Method for data security transmission between wireless ad hoc networks
Technical Field
The invention relates to a method for safely transmitting data between wireless ad hoc networks, in particular to safe transmission of sensitive data between the wireless ad hoc networks, and belongs to the technical field of combination of wireless communication and cryptography.
Background
A wireless ad hoc network, also called a Mesh network, is a wireless communication system that supports multi-hop relay. Each node in the system can move freely; when the system topology changes, routes are rebuilt quickly and a new network topology is formed, so that all online nodes in the system remain interconnected in real time. Wireless ad hoc networks are particularly suitable for applications such as field emergency command and fast networking of squads, and are currently widely used in public safety, emergency, military and similar industries.
Because of the particular nature of wireless ad hoc network applications, the data transmitted in them sometimes needs to be kept secret. The measures for keeping data secret in conventional wireless communication fall into two types: security of the data itself and security of the data transmission channel. Specifically, they can be divided into the following methods:
(1) MAC address filtering: a hardware-controlled mechanism is used to identify the validity of the access device. The network card of any network hardware device has a unique MAC address, and each node in the wireless ad hoc network can enable a MAC address filtering mechanism to judge whether the MAC address of the access device is legal, so that illegal nodes are prevented from accessing the network.
(2) WEP/WPA/WPA2 encryption: a series of systems that protect Wi-Fi information security. Since the wireless ad hoc network supports terminal devices accessing it through Wi-Fi, this method can be used to prohibit unauthorized terminals from privately connecting to network nodes.
(3) IPsec: the Internet security protocol, a protocol suite that protects the IP protocol by encrypting and authenticating IP packets. VPN technology based on the IPsec protocol suite mainly establishes a secure transmission channel between two subnetworks that need to transmit data privately.
(4) Algorithmic encryption: the original data is packaged and encrypted and then transmitted to the receiving node over the wireless network, and the receiving node decrypts the encrypted data packet, so that the safety and reliability of data transmission over the air are guaranteed. A common encryption algorithm is AES.
Traditional MAC address filtering and WEP/WPA/WPA2 encryption are both access safeguards that prevent unauthorized nodes or terminals from entering the network, but neither can solve the problem of a legitimate node turning traitor: a traitorous node can intentionally tamper with data, discard the received data, or forge it into other data and continue transmitting that. IPsec also uses encryption and authentication techniques to ensure data security, but it presupposes that a fixed VPN tunnel is established between the sending node and the receiving node before data transmission, and both nodes must support additional tunnel protocols. A wireless ad hoc network, however, has networking flexibility and mobility, and the transmission path between nodes is not fixed but changes dynamically with the field environment, so a fixed VPN tunnel cannot be established. IPsec VPNs also generally suffer from high cost and high complexity, which makes them unsuitable for the many scenarios that require simple implementation, no change to the existing network structure and low operating cost, and they cannot solve the problem of data packet loss. Algorithmic encryption encrypts the original data itself; it cannot solve the problem of source authentication, that is, it cannot determine whether the original data was sent by the sending node, so it cannot solve the problem of traitorous legitimate nodes, nor the problem of data packet loss.
Disclosure of Invention
The purpose of the invention is as follows: the invention provides a method for safely transmitting data between wireless ad hoc networks, which integrates a Hash algorithm, a public key cryptographic algorithm and an encryption authentication technology on the basis of a network architecture of the wireless ad hoc network and designs a new method for safely transmitting the data, thereby realizing the safe interaction of the data between internal nodes of the wireless ad hoc network. The method has wide application range, is easy to realize, is safe and reliable, and can be used in network environments with extremely high safety requirements.
The technical scheme is as follows: the invention adopts the following technical scheme: a method for safely transmitting data between wireless ad hoc networks is provided, which comprises the following steps:
step 1, each node in the wireless ad hoc network independently generates an RSA key pair, a private key in the key pair is independently and safely stored by each node, a public key in the key pair is broadcasted to other nodes, the nodes construct a node public key table according to the received public key, and if the node public key table of each node is successfully created, the step 2 is carried out;
step 2, the sending node encrypts original data by using a Hash algorithm, an asymmetric encryption algorithm and a digital signature to obtain a data ciphertext, the data ciphertext is constructed into a data message and sent to the receiving node, and meanwhile, a timer is set to wait for a response message of the receiving node;
step 3, the receiving node extracts a data ciphertext from the data message, decrypts the data ciphertext, performs security check on the decrypted data, and needs to successively judge whether the decrypted data is transmitted by the transmitting node and whether original data contained in the data is not tampered;
if the two judgments are yes, the security check is passed, the receiving node encrypts the original data hash value contained in the data by using a hash algorithm, an asymmetric encryption algorithm and a digital signature to obtain a response ciphertext with complete data, the response ciphertext is constructed into an IP datagram and is sent to the sending node as a response message, and meanwhile, a timer is set to wait for a data confirmation message returned by the sending node;
if one of the two judgments is negative, the security check is not passed, the receiving node constructs a response ciphertext of which the data security check fails, and the response ciphertext is constructed into an IP datagram and is sent to the sending node as a response message;
step 4, the sending node extracts a response ciphertext from the received response message, firstly clears the timer set in the step 2, then decrypts the response ciphertext, and then carries out security check on the decrypted response message, so that whether the response message is sent by the receiving node or not and whether a response value carried in the response message is not tampered or not are sequentially judged;
if the two judgments are yes, the security check is passed, the type of the response information is continuously judged, if the response information is complete data, the sending node compares the hash value of the original data carried in the response information with the hash value of the original data stored locally, if the comparison is consistent, the receiving node receives the correct original data, and the sending node sends a data confirmation message to the receiving node to inform the receiving node that the original data is correct; if the comparison is not consistent, the receiving node does not receive correct original data, the sending node sends a data confirmation message to the receiving node to inform the receiving node to discard the original data, and the step 2 is returned again to resend the data message; if the data is the response information of the data security check failure, returning to the step 2 again to retransmit the data message;
if one of the two judgments is negative, the security check is not passed, and the sending node sends a data confirmation message to the receiving node to inform the receiving node of retransmitting the response message;
step 5, the receiving node receives the data confirmation message, first clears the timer set in step 3, and then judges the type of the data confirmation message: if it is a data confirmation message stating that the original data is correct, the original data is retained; if it is a data confirmation message stating that the original data is incorrect, the original data is discarded; and if it is a data confirmation message stating that the response message failed the security check in step 4, the receiving node returns to step 3 and resends the response message.
The invention discloses a method for safely transmitting data between wireless ad hoc networks, wherein the step 2 further comprises the following steps:
step 201, a sending node encrypts original data by using a hash algorithm to obtain an original data hash value, and stores the original data hash value locally;
step 202, the sending node uses its own private key to digitally sign the original data and the hash value of the original data to obtain a signature value;
step 203, the sending node searches a public key of the receiving node in a local node public key table according to the IP information of the receiving node, and then carries out asymmetric encryption on the three items of data, namely the original data, the hash value of the original data and the signature value, by using the public key of the receiving node to obtain a data ciphertext;
step 204, the sending node constructs a data message from the data ciphertext according to a standard IP datagram format, sends the data message to the receiving node through the wireless ad hoc network, and sets a timer to wait for a response message of the receiving node;
step 205, when the timer setting time is up, if the sending node does not receive the response message of the receiving node, the sending node sends the data message to the receiving node again, and simultaneously carries out failure statistics, if the sending node does not receive the response message of the receiving node when the timer setting time is up for three times, an alarm of network abnormity is generated and the timer is cleared;
if the answer message is received, the process of resolving the answer message in step 4 is entered, and the timer is cleared.
The invention discloses a method for safely transmitting data between wireless ad hoc networks, wherein the step 3 further comprises the following steps:
step 301, a receiving node extracts a data ciphertext from a received data message, and then decrypts the data ciphertext by using a private key of the receiving node to obtain original data, an original data hash value and a signature value;
step 302, the receiving node performs the security check on the decrypted data: it looks up the public key of the sending node in the local node public key table according to the IP information of the sending node, and verifies the signature using the public key of the sending node together with the signature value, the original data and the original data hash value. If signature verification passes, the original data and the original data hash value in the data ciphertext were indeed constructed and sent by the sending node, and step 303 is entered; if signature verification fails, the data message is discarded, the security check is not passed, and step 304 is entered to send the sending node a response message stating that signature verification failed;
step 303, the receiving node encrypts the original data by using a hash algorithm to obtain an original data hash value, compares the hash value with an original data hash value decrypted from the data ciphertext, if the comparison is consistent, the original data is not tampered or lost, the security check is passed, and step 304 is entered to send a response message with complete data to the sending node; if the comparison is inconsistent, it indicates that the original data may be tampered or lost, the security check does not pass, and step 304 is performed to send a response message that the hash values are not matched to the sending node;
step 304, the receiving node constructs the corresponding response message according to the security check result. If the decrypted data passes the security check, the receiving node encrypts the original data hash value with the hash algorithm to obtain the hash value of the original data hash value, and then digitally signs the original data hash value and the hash value of the original data hash value with its own private key to obtain a signature value. The receiving node then looks up the public key of the sending node in the local node public key table and uses it to encrypt the three items (the original data hash value, the hash value of the original data hash value, and the signature value) to obtain a response ciphertext. The receiving node constructs the response message from the response ciphertext according to the standard IP datagram format, sends it to the sending node through the wireless ad hoc network, and sets a timer to wait for the data confirmation message of the sending node. If the data confirmation message has not been received when the timer expires, the response message is sent to the sending node again; if the data confirmation message has still not been received after the timer has expired three times, a network abnormality alarm is generated, the decrypted data is discarded and the timer is cancelled;
if the decrypted data does not pass the security check, the receiving node constructs failure information, meanwhile, a Hash algorithm is used for encrypting the failure information to obtain a Hash value of the failure information, then a private key of the receiving node is used for carrying out digital signature on the failure information and the Hash value of the failure information to obtain a signature value, then the receiving node searches a public key of the sending node in a local node public key table, the public key is used for encrypting the failure information, the Hash value of the failure information and the signature value to obtain a response ciphertext of the data security check failure, the receiving node constructs the response message according to a standard IP datagram format, and the response message is sent to the sending node through a wireless ad hoc network.
The invention discloses a method for safely transmitting data between wireless ad hoc networks, wherein the step 4 further comprises the following steps:
step 401, after receiving the response message, the sending node firstly clears the timer set in step 2, then extracts the response ciphertext from the response message, and then decrypts the response ciphertext by using its own private key to obtain the decrypted response message;
step 402, the sending node performs security check on the response information, extracts a signature value and response data from the response information, then searches the public key of the receiving node from the local node public key table according to the IP address information of the receiving node, then performs signature verification on the response data by using the receiving node public key, the signature value and the response data, if the signature verification passes, the response data is really constructed and sent by the receiving node, and the step 403 is entered; if the verification is not passed, step 406 is entered, a data confirmation message that the verification is not passed is sent to the receiving node, and the receiving node is notified to retransmit the response message;
step 403, the sending node extracts the response value and the hash value of the response value from the response data, recalculates the hash value of the response value with the hash algorithm, and compares it with the hash value of the response value carried in the response data. If they are consistent, the security check is passed and step 404 is entered; if they are inconsistent, the security check is not passed and step 406 is entered to send the receiving node a data confirmation message stating that the hash values do not match, notifying the receiving node to retransmit the response message;
step 404, the sending node judges the type of the response value, and if the response value is a complete data response value, the step 405 is entered; if the data is the response value of the data security check failure, returning to the step 2 again, and retransmitting the data message by the sending node;
step 405, the sending node compares the hash value of the original data carried by the response data with the hash value of the original data stored locally in step 2, if the comparison is consistent, the receiving node receives the correct original data, the security check is passed, and step 406 is entered to send a data confirmation message that the original data is correct to the receiving node; if the comparison is inconsistent, it indicates that the original data received by the receiving node is incorrect or lost, and step 406 is entered to send a data confirmation message that the original data is incorrect to the receiving node;
step 406, the sending node constructs the corresponding data confirmation message according to the security check result. If the original data received by the receiving node is correct, the data confirmation flag bit in the data confirmation message is set to 1; if the original data received by the receiving node is wrong, the data confirmation flag bit is set to 0; if the response message fails signature verification or its hash value does not match, the data confirmation flag bit is set to 2. The data confirmation information is built from the data confirmation flag bit and the original data hash value and is digitally signed with the private key of the sending node to obtain a signature value. The sending node then looks up the public key of the receiving node in the local node public key table and uses it to encrypt the data confirmation flag bit, the original data hash value and the signature value to obtain a data confirmation ciphertext. Finally, the sending node constructs the data confirmation message from the data confirmation ciphertext according to the standard IP datagram format and sends it to the receiving node through the wireless ad hoc network.
The invention discloses a method for safely transmitting data between wireless ad hoc networks, wherein the step 5 further comprises the following steps:
step 501, the receiving node receives the data confirmation message and cancels the timer set in step 3;
step 502, the receiving node extracts the data confirmation ciphertext from the data confirmation message, decrypts it with its own private key, and extracts the data confirmation information and the signature value from the decrypted data. It then looks up the public key of the sending node in the local node public key table according to the IP address information of the sending node and verifies the signature using the data confirmation information, the signature value and that public key together. If signature verification passes, the data confirmation information was indeed constructed and sent by the sending node, and the receiving node extracts the data confirmation flag bit and the original data hash value from it. If the data confirmation flag bit is 1, the corresponding original data is found locally by its original data hash value; the original data is correct and is retained. If the data confirmation flag bit is 0, the corresponding original data is found locally by its original data hash value; the original data is incorrect and is discarded. If the data confirmation flag bit is 2, the receiving node returns to step 3, sends the response message to the sending node again, and sets a timer to wait for the data confirmation message returned by the sending node. If signature verification fails, the receiving node returns to step 3 and sends the response message to the sending node again.
The method for the safe data transmission between the wireless ad hoc networks, provided by the invention, is characterized in that the setting time of the timer in the step 2 can be adjusted according to the actual situation.
The method for the secure data transmission between the wireless ad hoc networks, provided by the invention, is characterized in that the setting time of the timer in the step 3 can be adjusted according to the actual situation.
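The exchange in steps 2 to 5, including the data confirmation flag values 1, 0 and 2, sketched as an added example (not code from the patent). It assumes SHA-256 as the hash, JSON as the payload layout, constructed IP addresses, and textbook block-wise RSA over constructed toy primes so that it runs on the standard library alone; timers and retry counters are left out, and a deployment would use a vetted RSA implementation with padding.

```python
import hashlib
import json

def keypair(p, q, e=65537):
    """Textbook RSA keys (n, exponent) from two primes; toy values, not secure."""
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def rsa(key, x):
    n, exponent = key
    return pow(x, exponent, n)

def H(b):
    return hashlib.sha256(b).hexdigest()

def sign(priv, msg):
    return rsa(priv, int(H(msg), 16))

def verify(pub, msg, sig):
    return rsa(pub, sig) == int(H(msg), 16)

def encrypt(pub, data):
    """Block-wise RSA: each block is a 0x01 marker plus up to k-1 payload bytes."""
    k = (pub[0].bit_length() - 1) // 8
    return [rsa(pub, int.from_bytes(b"\x01" + data[i:i + k - 1], "big"))
            for i in range(0, len(data), k - 1)]

def decrypt(priv, blocks):
    plain = [rsa(priv, c) for c in blocks]
    return b"".join(m.to_bytes((m.bit_length() + 7) // 8, "big")[1:] for m in plain)

def seal(fields, sender_priv, receiver_pub):
    """Sign the fields with the sender's private key, then encrypt fields + signature."""
    body = json.dumps(fields, sort_keys=True)
    packet = json.dumps({"body": body, "sig": sign(sender_priv, body.encode())})
    return encrypt(receiver_pub, packet.encode())

def unseal(blocks, receiver_priv, sender_pub):
    """Decrypt and verify the signature; None means the security check failed."""
    try:
        packet = json.loads(decrypt(receiver_priv, blocks))
        if not verify(sender_pub, packet["body"].encode(), packet["sig"]):
            return None
        return json.loads(packet["body"])
    except (ValueError, KeyError, TypeError, AttributeError):
        return None

# Constructed addresses and toy primes (Mersenne primes); public key table keyed by IP.
A_IP, D_IP = "10.0.0.1", "10.0.0.4"
A_PUB, A_PRIV = keypair(2**521 - 1, 2**607 - 1)
D_PUB, D_PRIV = keypair(2**1279 - 1, 2**127 - 1)
TABLE = {A_IP: A_PUB, D_IP: D_PUB}

def build_data_message(data):
    """Steps 201-203 on sending node A."""
    return seal({"data": data.hex(), "data_hash": H(data)}, A_PRIV, TABLE[D_IP])

def handle_data_message(blocks, received):
    """Steps 301-304 on receiving node D: check, then answer with hash or failure."""
    msg = unseal(blocks, D_PRIV, TABLE[A_IP])
    value = "FAIL"
    if msg is not None and H(bytes.fromhex(msg["data"])) == msg["data_hash"]:
        value = msg["data_hash"]
        received[value] = bytes.fromhex(msg["data"])
    return seal({"value": value, "value_hash": H(value.encode())}, D_PRIV, TABLE[A_IP])

def handle_response(blocks, local_hash):
    """Steps 401-406 on A: returns (flag, confirmation) or (None, None) to resend data."""
    resp = unseal(blocks, A_PRIV, TABLE[D_IP])
    if resp is None or H(resp["value"].encode()) != resp["value_hash"]:
        flag = 2                      # response failed the check: ask D to resend it
    elif resp["value"] == "FAIL":
        return None, None             # step 404: go back to step 2
    else:
        flag = 1 if resp["value"] == local_hash else 0
    return flag, seal({"flag": flag, "data_hash": local_hash}, A_PRIV, TABLE[D_IP])

def handle_confirm(blocks, received):
    """Step 502 on D: keep, discard, or resend the response."""
    conf = unseal(blocks, D_PRIV, TABLE[A_IP])
    if conf is None or conf["flag"] == 2:
        return "resend_response"
    if conf["flag"] == 1:
        return "kept"
    received.pop(conf["data_hash"], None)
    return "discarded"

def run(data, tamper_data=False, tamper_resp=False):
    """One pass of the exchange; a relay flips one ciphertext bit when asked to."""
    flip = lambda blocks: [blocks[0] ^ 1] + blocks[1:]
    received = {}
    data_msg = build_data_message(data)
    resp = handle_data_message(flip(data_msg) if tamper_data else data_msg, received)
    flag, confirm = handle_response(flip(resp) if tamper_resp else resp, H(data))
    if flag is None:
        return "retransmit_data", received
    return handle_confirm(confirm, received), received
```

A single flipped ciphertext bit on the data message ends in a retransmission request rather than stored data, and the same flip on the response message produces flag 2.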
Has the advantages that: the invention has the following beneficial effects:
the invention uses a data security transmission method as a main means, fuses a Hash algorithm, a public key cryptographic algorithm and an encryption authentication technology on the basis of the network architecture of the wireless ad hoc network, and can realize the security interaction of data between the internal nodes of the wireless ad hoc network. The invention has wide application range, easy realization, safety and reliability, does not need to increase hardware resources of the wireless ad hoc network, namely, does not change the structure of the existing IP network, does not need network nodes to support other protocols, does not need to change the communication protocol of the wireless ad hoc network, only needs to carry out encryption authentication on the original data per se at the software level and encapsulate the original data into IP messages for transmission, ensures that the data is not lost and falsified in the transmission process, effectively prevents legitimate nodes from falsifiing the data at the same time, and can be used in network environments with extremely high safety requirements.
Drawings
FIG. 1 is a wireless ad hoc network topology according to the present invention;
FIG. 2 is a flow chart of a method for secure data transmission according to the present invention;
FIG. 3 is a flow chart of node public key table creation in the present invention;
FIG. 4 is a schematic diagram of a node public key table and a node public key entry structure in the present invention;
FIG. 5 is a flow chart of a sending node constructing a data message in the present invention;
FIG. 6 is a flow chart of a receiving node parsing a data message and constructing a response message in the present invention;
FIG. 7 is a flow chart of a sending node parsing a response message and constructing a data confirmation message in the present invention;
FIG. 8 is a flow chart of a receiving node parsing a data acknowledgement message in the present invention.
Detailed Description
The method for secure data transmission between wireless ad hoc networks according to the present invention will be described in detail with reference to the accompanying drawings and embodiments:
it should be noted that, the precondition of the method for securely transmitting data between wireless ad hoc networks of the present invention is that the wireless ad hoc networks have been successfully networked, and all nodes in the wireless ad hoc networks have been interconnected and intercommunicated.
As shown in fig. 1, there are five online nodes in the wireless ad hoc network, and assuming that node a is a sending node and node D is a receiving node, node a needs to send the acquired data to node D, and it can be seen from the network topology of the wireless ad hoc network that the data successively passes through node B and node C, and finally reaches node D. The data may be lost while propagating over the air due to the presence of signal interference or network congestion, and node B or node C may also tamper with the data or deliberately drop the original data and send the fake data to node D.
As shown in fig. 2, the method for securely transmitting data between wireless ad hoc networks according to the present invention mainly comprises the following steps:
1. each node in the wireless ad hoc network independently constructs a node public key table, and the node public key table contains public key information of all online nodes in the wireless ad hoc network;
2. the sending node encrypts original data by using a Hash algorithm, an asymmetric encryption algorithm and a digital signature technology, constructs a data message and sends the data message to the receiving node;
3. after receiving the data message, the receiving node obtains original data through decryption and signature verification, then encrypts response data by using a Hash algorithm, an asymmetric encryption algorithm and a digital signature technology, constructs a response message and sends the response message to the sending node;
4. after receiving the response message, the sending node obtains response data through decryption and signature verification, judges whether the receiving node receives correct original data or not according to the response data, encrypts data confirmation information by using a Hash algorithm, an asymmetric encryption algorithm and a digital signature technology, constructs a data confirmation message and sends the data confirmation message to the receiving node;
5. and after receiving the data confirmation message, the receiving node obtains the data confirmation message through decryption and signature verification, and judges whether the received original data is correct or not according to the data confirmation message.
As shown in fig. 3 to 8, the specific steps of the method for securely transmitting data between wireless ad hoc networks according to the present invention are as follows:
1. creation of node public key table
As shown in fig. 3, each node in the wireless ad hoc network independently generates an RSA key pair, where the RSA key pair includes a private key and a public key; each node independently and safely stores its own private key and broadcasts its public key to the other nodes; each node constructs its own node public key table from the public keys it receives. The node public key table contains the public key information of all nodes in the wireless ad hoc network and is composed of a plurality of node public key entries, with each node in the wireless ad hoc network corresponding to one node public key entry. The structures of the node public key table and the node public key entries are shown in fig. 4: the Key of a node public key entry is the node IP information, and the Value is the public key information generated by the node with that IP. The generation of an RSA key pair is prior art and is therefore not described here.
2. Sending node constructing data message
As shown in fig. 5, the sending node encrypts the original data by using a hash algorithm to obtain an original data hash value. The hash algorithm ensures that the original data cannot be computed back from the original data hash value, and the original data corresponds to a unique original data hash value, so the safety of the original data can be effectively ensured and tampering with the original data can be detected in time. Assuming that the original data is data, the original data hash value is data_hash = hash(data), and data_hash is saved locally. Here hash() represents the hash algorithm encryption process; hash() used later in the present invention has the same definition, which is not described again.
The sending node uses its own private key to digitally sign two items of data, namely the original data and the original data hash value, to obtain a signature value. The digital signature ensures that the signed data can only be successfully verified by the public key corresponding to the private key used for signing; the public key and the private key belong to the same pair, and that pair belongs to one node, which ensures that the signed data was really constructed and signed by that node. Other nodes cannot impersonate the node to send data, because they do not have the private key of the node. Assuming that the private key is privateKey, the signature value is sign_data = sign(data || data_hash, privateKey). Here || represents combining data items; || used later in the present invention has the same definition and is not described again. sign(a, b) represents the digital signature process, where a is the data to be signed and b is the private key required by the digital signature; sign(a, b) used later in the present invention has the same definition and is not described again.
The sending node searches the local node public key table according to the IP information of the receiving node, finds the public key of the receiving node, and then encrypts three items of data, namely the original data, the original data hash value and the signature value, with that public key to obtain a data ciphertext. A ciphertext encrypted with a public key can only be decrypted with the corresponding private key, so the ciphertext can only be decrypted by the receiving node using its own private key; other nodes cannot decrypt it because they do not have the private key of the receiving node. The original data, the original data hash value and the signature value are first combined to form the data to be encrypted, that is, msg = data || data_hash || sign_data. Assuming that publicKey is the public key of the receiving node, the data ciphertext is en_msg = encry(msg, publicKey), where encry(a, b) represents the encryption process of the asymmetric encryption algorithm, a is the data to be encrypted, and b is the public key used for encryption.
The sending node constructs a data message from the data ciphertext en_msg according to a standard IP datagram format, sends the data message to the receiving node, and sets a timer to wait for the response message of the receiving node; the set time of the timer can be adjusted according to actual conditions. If the response message is received before the timer reaches the set time, the sending node enters the parsing process of the response message and clears the timer; if the sending node still has not received the response message when the set time of the timer is up, it sends the data message to the receiving node again and performs failure statistics; if the response message has not been received when the set time of the timer has been reached three times, a warning of network abnormality is generated and the timer is cleared.
3. The receiving node parses the data message and constructs a reply message
As shown in fig. 6, the receiving node extracts the data ciphertext en_msg from the data message and then decrypts it with its own private key privateKey, msg = decrypt(en_msg, privateKey), where msg is the decrypted data. The original data data, the original data hash value data_hash and the signature value sign_data are extracted from msg. Here decrypt(a, b) represents the decryption process of the asymmetric encryption algorithm, a is the data to be decrypted, and b is the private key used for decryption.
The receiving node carries out a security check on the decrypted data msg. According to the IP information of the sending node, it looks up the public key publicKey of the sending node in the local node public key table, and uses the public key of the sending node and three items of data, namely the signature value sign_data, the original data and the original data hash value data_hash, for signature verification: isValid = verify(publicKey, data || data_hash, sign_data). If isValid is True, the signature verification passes, which shows that data || data_hash in the data ciphertext was really constructed and sent by the sending node; if isValid is False, the signature verification does not pass, the data message is discarded, and the security check does not pass. Here verify(a, b, c) is defined as the signature verification process of the digital signature, where a is the public key corresponding to the private key used for the digital signature, b is the data whose signature is to be verified, and c is the signature value obtained by the digital signature.
For data that passes the signature verification, which comprises the original data and the original data hash value, namely data || data_hash, the receiving node recalculates the hash value of the original data, new_data_hash = hash(data), and then compares new_data_hash with data_hash. If they are consistent, the original data has not been tampered with or lost; if they are inconsistent, the original data may have been tampered with or lost.
For the case where the signature verification passes and the original data hash values are consistent, that is, the data is complete, the receiving node encrypts the original data hash value by using a hash algorithm to obtain the hash value of the original data hash value, namely hash(data_hash). It then digitally signs the response data reply_data, which consists of data_hash and hash(data_hash), with its own private key to obtain a signature value, namely sign_data = sign(reply_data, privateKey). The receiving node then searches for the public key of the sending node in the local node public key table and encrypts msg = reply_data || sign_data with that public key to obtain a response ciphertext, namely en_msg = encry(msg, publicKey). The receiving node constructs a response message from the response ciphertext according to a standard IP datagram format, sends it to the sending node through the wireless ad hoc network, and sets a timer to wait for the data confirmation message of the sending node; the set time of the timer can be adjusted according to the actual situation. If the data confirmation message is received before the set time of the timer is up, the timer is cleared; if the data confirmation message sent by the sending node has not been received when the set time of the timer is up, the response message is sent to the sending node again; if the data confirmation message of the sending node has not been received when the set time of the timer has been reached three times, an alarm of network abnormality is generated, the decrypted data is discarded and the timer is cancelled.
For the case where the signature verification does not pass or the original data hash values are inconsistent, the receiving node creates failure information fail_data, which indicates that the data security check failed; fail_data contains a failure flag bit indicating the reason for the failure, such as the signature verification not passing or the original data hash values not matching. The receiving node encrypts fail_data by using a hash algorithm to obtain the hash value of the failure information, namely fail_hash = hash(fail_data), and then digitally signs the response data reply_data = fail_data || fail_hash with its own private key to obtain a signature value, namely sign_data = sign(fail_data || fail_hash, privateKey). It then encrypts msg = fail_data || fail_hash || sign_data with the public key of the sending node to obtain a response ciphertext, namely en_msg = encry(fail_data || fail_hash || sign_data, publicKey), where publicKey is the public key of the sending node. The receiving node then constructs a response message according to a standard IP datagram format and sends it to the sending node through the wireless ad hoc network.
4. The sending node parses the reply message and constructs a data confirmation message
As shown in fig. 7, after receiving the response message, the sending node first clears the timer it set to wait for the response message of the receiving node, then extracts the response ciphertext en_msg from the response message and decrypts en_msg with its own private key privateKey to obtain the decrypted response information, namely msg = decrypt(en_msg, privateKey). The signature value sign_data and the response data reply_data are extracted from msg. The response data consists of a response value reply_value and the hash value reply_hash corresponding to reply_value; depending on the type of the response information, the response data is either reply_data = data_hash || hash(data_hash) or reply_data = fail_data || fail_hash.
The sending node carries out a security check on the response information msg: it looks up the public key publicKey of the receiving node in the local node public key table according to the IP address information of the receiving node and then verifies the signature of the response data, isValid = verify(publicKey, reply_data, sign_data). If isValid is True, the signature verification passes, which shows that reply_data was really constructed and sent by the receiving node; if the signature verification does not pass, the response information is discarded, the security check does not pass, and a data confirmation message indicating that the signature verification did not pass is sent to the receiving node to inform it to retransmit the response message.
For the case where the signature verification passes, the sending node extracts the response value reply_value and its corresponding hash value reply_hash from reply_data, recalculates the hash value of reply_value and compares it with reply_hash. If they are consistent, reply_value has not been tampered with or lost; if they are inconsistent, the security check does not pass, and a data confirmation message indicating that the hash value does not match is sent to the receiving node to inform it to retransmit the response message.
For the case where the hash values are consistent, the sending node judges the type of the response value reply_value; if it indicates that the data security check failed, the sending node reassembles the original data into a data message and sends it to the receiving node.
For the case where the hash values are consistent, the sending node judges the type of the response value reply_value; if it indicates that the data is complete, the sending node compares the data_hash it carries with the original data hash value data_hash stored locally. If they are consistent, the receiving node has received the correct original data, and a data confirmation message indicating that the original data is correct is sent to the receiving node; if they are inconsistent, the original data received by the receiving node is wrong or lost, a data confirmation message indicating that the original data is wrong is sent to the receiving node, and the original data is assembled into a data message again and sent to the receiving node.
The sending node constructs the corresponding data confirmation message according to the signature verification result and the security check result: if the original data received by the receiving node is correct, the data confirmation flag bit in the data confirmation message is set to 1; if the original data received by the receiving node is wrong, the data confirmation flag bit is set to 0; if the response message fails signature verification or the hash value of the response message does not match, the data confirmation flag bit is set to 2. The data confirmation information confirm_info is constructed from the data confirmation flag bit and the original data hash value, namely confirm_info = flag || data_hash; the data confirmation information is then digitally signed with the private key privateKey of the sending node, namely sign_data = sign(confirm_info, privateKey); the public key publicKey of the receiving node is then looked up in the local node public key table, and confirm_info and sign_data are encrypted with publicKey, namely en_msg = encry(flag || data_hash || sign_data, publicKey), to obtain the data confirmation ciphertext en_msg. Finally, the sending node constructs a data confirmation message from en_msg according to a standard IP datagram format and sends it to the receiving node through the wireless ad hoc network.
5. Receiving node parsing data confirmation message
As shown in fig. 8, upon receiving the data confirmation message, the receiving node first cancels the timer it set to wait for the data confirmation message of the sending node. The receiving node then extracts the data confirmation ciphertext en_msg from the data confirmation message, decrypts en_msg with its own private key privateKey, namely msg = decrypt(en_msg, privateKey), extracts the signature value sign_data and the data confirmation information confirm_info from msg, and verifies the signature of confirm_info with the public key of the sending node, namely isValid = verify(publicKey, confirm_info, sign_data). If isValid is True, the signature verification passes, which shows that confirm_info was really constructed and sent by the sending node; if the signature verification does not pass, the data confirmation information is discarded, the response message is sent to the sending node again, and a timer is set to wait for the data confirmation message returned by the sending node.
For the case where the signature verification passes, the receiving node parses the data confirmation flag bit flag and the original data hash value data_hash from confirm_info and then judges the value of flag. If flag is 1, the corresponding original data is found locally according to data_hash and the original data is retained; if flag is 0, the corresponding original data is found locally according to data_hash and the original data is discarded; if flag is 2, the receiving node resends the response message to the sending node and sets a timer to wait for the data confirmation message returned by the sending node.
The above-described embodiments are merely illustrative of the preferred embodiments of the present invention, and do not limit the scope of the present invention, and various modifications and improvements of the technical solution of the present invention may be made by those skilled in the art without departing from the spirit of the present invention, which is defined by the claims.
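The exchange of steps 2 to 4 can be followed in code. The Go sketch below is an added example, not part of the patent text or the applicant's implementation. Its function names, SHA-256 as the hash, PKCS#1 v1.5 signatures, the literal FAIL as fail_data and the return value -1 are assumptions of the example, and encry(msg, publicKey) is swapped for RSA-OAEP wrapping a fresh AES-256-GCM key, because msg carries an RSA signature and is therefore longer than a single RSA block can encrypt.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

var failData = []byte("FAIL") // constructed encoding of the page's fail_data

func hash(b []byte) []byte   { h := sha256.Sum256(b); return h[:] }
func cat(p ...[]byte) []byte { return bytes.Join(p, nil) } // the page's a || b
func check(err error) {
	if err != nil {
		panic(err)
	}
}

func newKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	check(err)
	return k
}

// Seal builds en_msg = encry(value || hash(value) || sign_data, peerPub), the layout of the
// data and response messages; encry here is RSA-OAEP(key) || nonce || AES-GCM(msg).
func Seal(priv *rsa.PrivateKey, peerPub *rsa.PublicKey, value []byte) []byte {
	signed := cat(value, hash(value))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, hash(signed))
	check(err)
	kn := make([]byte, 44) // 32-byte AES key, then 12-byte GCM nonce
	_, err = rand.Read(kn)
	check(err)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, peerPub, kn[:32], nil)
	check(err)
	block, _ := aes.NewCipher(kn[:32]) // cannot fail for a 32-byte key
	gcm, _ := cipher.NewGCM(block)
	return cat(wrapped, kn[32:], gcm.Seal(nil, kn[32:], cat(signed, sig), nil))
}

// Open decrypts en_msg and runs the security check: verify sign_data with the public key
// the node public key table holds for the claimed peer, then recompute and compare the hash.
func Open(priv *rsa.PrivateKey, peerPub *rsa.PublicKey, enMsg []byte) ([]byte, bool) {
	n := priv.Size()
	if len(enMsg) < n+12 {
		return nil, false
	}
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, enMsg[:n], nil)
	if err != nil || len(key) != 32 {
		return nil, false
	}
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	msg, err := gcm.Open(nil, enMsg[n:n+12], enMsg[n+12:], nil)
	off := len(msg) - peerPub.Size() // sign_data is exactly one RSA modulus long
	if err != nil || off < 32 || rsa.VerifyPKCS1v15(peerPub, crypto.SHA256, hash(msg[:off]), msg[off:]) != nil ||
		!bytes.Equal(hash(msg[:off-32]), msg[off-32:off]) {
		return nil, false
	}
	return msg[:off-32], true
}

// Receive is step 3: it returns the accepted original data (nil if rejected) and the response.
func Receive(priv *rsa.PrivateKey, senderPub *rsa.PublicKey, enMsg []byte) (data, reply []byte) {
	value := failData
	if d, ok := Open(priv, senderPub, enMsg); ok {
		data, value = d, hash(d) // reply_value = data_hash
	}
	return data, Seal(priv, senderPub, value)
}

// CheckReply is step 4 and returns the data confirmation flag: 1 original data correct,
// 0 wrong, 2 response failed its check; -1 is this example's marker for a failure response.
func CheckReply(priv *rsa.PrivateKey, recvPub *rsa.PublicKey, enReply, savedHash []byte) int {
	v, ok := Open(priv, recvPub, enReply)
	switch {
	case !ok:
		return 2
	case bytes.Equal(v, failData):
		return -1
	case bytes.Equal(v, savedHash):
		return 1
	}
	return 0
}

func main() {
	a, b, d := newKey(), newKey(), newKey() // sender A, relay B, receiver D
	data := []byte("reading=42")            // constructed original data
	_, reply := Receive(d, &a.PublicKey, Seal(a, &d.PublicKey, data))
	fmt.Println("genuine:", CheckReply(a, &d.PublicKey, reply, hash(data)))
	_, reply = Receive(d, &a.PublicKey, Seal(b, &d.PublicKey, []byte("fake")))
	fmt.Println("forged by relay B:", CheckReply(a, &d.PublicKey, reply, hash(data)))
}
```

The second case is the fake-data scenario of fig. 1: relay B can encrypt to D, but D verifies the signature with the key its table holds for A, so the forgery is rejected and A is told to resend.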

Claims (5)

1. A method for data security transmission between wireless ad hoc networks is characterized by comprising the following specific steps:
step 1, each node in the wireless ad hoc network independently generates an RSA key pair, a private key in the key pair is independently and safely stored by each node, a public key in the key pair is broadcasted to other nodes, the nodes construct a node public key table according to the received public key, and if the node public key table of each node is successfully created, the step 2 is carried out;
step 2, the sending node encrypts original data by using a Hash algorithm, an asymmetric encryption algorithm and a digital signature to obtain a data ciphertext, the data ciphertext is constructed into a data message and sent to the receiving node, and meanwhile, a timer is set to wait for a response message of the receiving node;
step 3, the receiving node extracts a data ciphertext from the data message, decrypts the data ciphertext, performs security check on the decrypted data, and needs to successively judge whether the decrypted data is transmitted by the transmitting node and whether original data contained in the data is not tampered;
if the two judgments are yes, the security check is passed, the receiving node encrypts the original data hash value contained in the data by using a hash algorithm, an asymmetric encryption algorithm and a digital signature to obtain a response ciphertext with complete data, the response ciphertext is constructed into an IP datagram and is sent to the sending node as a response message, and meanwhile, a timer is set to wait for a data confirmation message returned by the sending node;
if one of the two judgments is negative, the security check is not passed, the receiving node constructs a response ciphertext of which the data security check fails, and the response ciphertext is constructed into an IP datagram and is sent to the sending node as a response message;
step 4, the sending node extracts a response ciphertext from the received response message, firstly clears the timer set in the step 2, then decrypts the response ciphertext, and then carries out security check on the decrypted response message, so that whether the response message is sent by the receiving node or not and whether a response value carried in the response message is not tampered or not are sequentially judged;
if the two judgments are yes, the security check is passed, the type of the response information is continuously judged, if the response information is complete data, the sending node compares the hash value of the original data carried in the response information with the hash value of the original data stored locally, if the comparison is consistent, the receiving node receives the correct original data, and the sending node sends a data confirmation message to the receiving node to inform the receiving node that the original data is correct; if the comparison is not consistent, the receiving node does not receive correct original data, the sending node sends a data confirmation message to the receiving node to inform the receiving node to discard the original data, and the step 2 is returned again to resend the data message; if the data is the response information of the data security check failure, returning to the step 2 again to retransmit the data message;
if one of the two judgments is negative, the security check is not passed, and the sending node sends a data confirmation message to the receiving node to inform the receiving node of retransmitting the response message;
step 5, the receiving node receives the data confirmation message, firstly clears the timer set in the step 3, then judges the type of the data confirmation message, and if the data confirmation message is the correct data confirmation message of the original data, the original data is reserved; if the data is the data confirmation message with incorrect original data, discarding the original data; and returning to the step 3 to resend the response message if the data confirmation message fails the security check in the step 4.
2. The method according to claim 1, wherein the step 2 further comprises:
step 201, a sending node encrypts original data by using a hash algorithm to obtain an original data hash value, and stores the original data hash value locally;
step 202, the sending node uses its own private key to digitally sign the original data and the hash value of the original data to obtain a signature value;
step 203, the sending node searches a public key of the receiving node in a local node public key table according to the IP information of the receiving node, and then carries out asymmetric encryption on the three items of data, namely the original data, the hash value of the original data and the signature value, by using the public key of the receiving node to obtain a data ciphertext;
step 204, the sending node constructs a data message from the data ciphertext according to a standard IP datagram format, sends the data message to the receiving node through the wireless ad hoc network, and sets a timer to wait for a response message of the receiving node;
step 205, when the timer setting time is up, if the sending node does not receive the response message of the receiving node, the sending node sends the data message to the receiving node again, and simultaneously carries out failure statistics, if the sending node does not receive the response message of the receiving node when the timer setting time is up for three times, an alarm of network abnormity is generated and the timer is cleared;
if the answer message is received, the process of resolving the answer message in step 4 is entered, and the timer is cleared.
3. The method according to claim 1, wherein the step 3 further comprises:
step 301, a receiving node extracts a data ciphertext from a received data message, and then decrypts the data ciphertext by using a private key of the receiving node to obtain original data, an original data hash value and a signature value;
step 302, the receiving node performs security check on the decrypted data, looks up the public key of the sending node from the local node public key table according to the IP information of the sending node, verifies the signature by using the public key of the sending node and the three data of the signature value, the original data and the original data hash value, and if the signature passes, the original data and the original data hash value in the data ciphertext are really constructed and sent by the sending node, and the step 303 is entered; if the verification is not passed, discarding the data message, and if the security check is not passed, entering step 304 to send a response message that the verification is not passed to the sending node;
step 303, the receiving node encrypts the original data by using a hash algorithm to obtain an original data hash value, compares the hash value with an original data hash value decrypted from the data ciphertext, if the comparison is consistent, the original data is not tampered or lost, the security check is passed, and step 304 is entered to send a response message with complete data to the sending node; if the comparison is inconsistent, it indicates that the original data may be tampered or lost, the security check does not pass, and step 304 is performed to send a response message that the hash values are not matched to the sending node;
step 304, the receiving node constructs a corresponding response message according to the security check result, if the decrypted data passes the security check, the receiving node encrypts the hash value of the original data by using a hash algorithm to obtain the hash value of the original data, then digitally signs the hash value of the original data and the hash value of the original data by using a private key of the receiving node to obtain a signature value, then the receiving node searches a public key of the sending node in a local node public key table, encrypts the three data of the hash value of the original data, the hash value of the original data and the signature value by using the public key to obtain a response ciphertext, the receiving node constructs the response message according to a standard IP datagram format, sends the response message to the sending node through a wireless ad hoc network, and sets a timer to wait for the data confirmation message of the sending node, if the data confirmation message sent by the sending node is not received when the set time of the timer is up, the response message is sent to the sending node again, if the data confirmation message of the sending node is not received when the set time of the timer is up for three times, the alarm of network abnormity is generated, and the decrypted data is discarded and the timer is cancelled;
if the decrypted data does not pass the security check, the receiving node constructs failure information, meanwhile, a Hash algorithm is used for encrypting the failure information to obtain a Hash value of the failure information, then a private key of the receiving node is used for carrying out digital signature on the failure information and the Hash value of the failure information to obtain a signature value, then the receiving node searches a public key of the sending node in a local node public key table, the public key is used for encrypting the failure information, the Hash value of the failure information and the signature value to obtain a response ciphertext of the data security check failure, the receiving node constructs the response message according to a standard IP datagram format, and the response message is sent to the sending node through a wireless ad hoc network.
4. The method according to claim 1, wherein the step 4 further comprises:
step 401, after receiving the response message, the sending node firstly clears the timer set in step 2, then extracts the response ciphertext from the response message, and then decrypts the response ciphertext by using its own private key to obtain the decrypted response message;
step 402, the sending node performs security check on the response information, extracts a signature value and response data from the response information, then searches the public key of the receiving node from the local node public key table according to the IP address information of the receiving node, then performs signature verification on the response data by using the receiving node public key, the signature value and the response data, if the signature verification passes, the response data is really constructed and sent by the receiving node, and the step 403 is entered; if the verification is not passed, step 406 is entered, a data confirmation message that the verification is not passed is sent to the receiving node, and the receiving node is notified to retransmit the response message;
step 403, the sending node extracts the response value and the hash value of the response value from the response data, recalculates the hash value of the response value by using a hash algorithm, and then compares it with the hash value of the response value carried in the response data; if the comparison is consistent, the security check is passed and the step 404 is entered; if the comparison is inconsistent, the security check is not passed and the step 406 is entered, in which a data confirmation message indicating that the hash value does not match is sent to the receiving node to inform the receiving node to retransmit the response message;
step 404, the sending node judges the type of the response value, and if the response value is a complete data response value, the step 405 is entered; if the data is the response value of the data security check failure, returning to the step 2 again, and retransmitting the data message by the sending node;
step 405, the sending node compares the hash value of the original data carried by the response data with the hash value of the original data stored locally in step 2, if the comparison is consistent, the receiving node receives the correct original data, the security check is passed, and step 406 is entered to send a data confirmation message that the original data is correct to the receiving node; if the comparison is inconsistent, it indicates that the original data received by the receiving node is incorrect or lost, and step 406 is entered to send a data confirmation message that the original data is incorrect to the receiving node;
step 406, the sending node constructs a corresponding data confirmation message according to the security check result: if the original data received by the receiving node is correct, the data confirmation flag bit in the data confirmation message is set to 1; if the original data received by the receiving node is wrong, the data confirmation flag bit is set to 0; if the response message fails signature verification or the hash value of the response message does not match, the data confirmation flag bit is set to 2; the data confirmation information is constructed from the data confirmation flag bit and the original data hash value, the data confirmation information is then digitally signed with the private key of the sending node to obtain a signature value, the public key of the receiving node is then looked up in the local node public key table, and the data confirmation flag bit, the original data hash value and the signature value are encrypted with the public key of the receiving node to obtain a data confirmation ciphertext; finally, the sending node constructs a data confirmation message from the data confirmation ciphertext according to a standard IP datagram format and sends the data confirmation message to the receiving node through the wireless ad hoc network.
5. The method according to claim 1, wherein the step 5 further comprises:
step 501, the receiving node receives the data confirmation message and cancels the timer set in step 3;
step 502, the receiving node extracts a data confirmation ciphertext from the data confirmation message, decrypts the data confirmation ciphertext by using its own private key, extracts the data confirmation information and a signature value from the decrypted data, then looks up the public key of the sending node in the local node public key table according to the IP address information of the sending node, and verifies the signature by using the three items, namely the data confirmation information, the signature value and the public key; if the signature verification passes, the data confirmation information was really constructed and sent by the sending node, and the receiving node then extracts the data confirmation flag bit and the original data hash value from the data confirmation information; if the data confirmation flag bit is 1, the corresponding original data is found locally according to the original data hash value, and the original data is correct and is retained; if the data confirmation flag bit is 0, the corresponding original data is found locally according to the original data hash value, and the original data is incorrect and is discarded; if the data confirmation flag bit is 2, the method returns to the step 3, the receiving node sends the response message to the sending node again and sets a timer to wait for the data confirmation message returned by the sending node; and if the signature verification does not pass, the method returns to the step 3 and the receiving node sends the response message to the sending node again.
CN202110054147.9A 2021-01-15 2021-01-15 Method for data security transmission between wireless ad hoc networks Active CN112714507B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110054147.9A CN112714507B (en) 2021-01-15 2021-01-15 Method for data security transmission between wireless ad hoc networks

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110054147.9A CN112714507B (en) 2021-01-15 2021-01-15 Method for data security transmission between wireless ad hoc networks

Publications (2)

Publication Number Publication Date
CN112714507A true CN112714507A (en) 2021-04-27
CN112714507B CN112714507B (en) 2024-03-01

Family

ID=75549112

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110054147.9A Active CN112714507B (en) 2021-01-15 2021-01-15 Method for data security transmission between wireless ad hoc networks

Country Status (1)

Country Link
CN (1) CN112714507B (en)

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2005203846A (en) * 2004-01-13 2005-07-28 Matsushita Electric Ind Co Ltd Security mechanism suitable for multi-hop cellular network
CN104506515A (en) * 2014-12-17 2015-04-08 北京极科极客科技有限公司 Firmware protection method and firmware protection device
CN109982436A (en) * 2019-03-27 2019-07-05 江苏正赫通信息科技有限公司 Wireless self-networking QoS time-slot resource distribution method and device
CN111752246A (en) * 2020-07-02 2020-10-09 中国科学技术大学 Unmanned aerial vehicle bee colony cooperative work platform based on block chain and artificial intelligence drive

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
GUANHUI WANG ET AL: "Research on the Linkage between Knowledge Sharing among Science and Technology Enterprises and the Dissemination of Science and Technology Information", 《IEEE》 *
秦玉; 窦燕: "Research on an anonymous on-demand routing protocol for wireless ad hoc network security", Computer Engineering & Science, no. 04 *

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113259901A (en) * 2021-06-17 2021-08-13 深圳奥联信息安全技术有限公司 Message protection method and device for Internet of vehicles
CN113259901B (en) * 2021-06-17 2021-12-28 深圳奥联信息安全技术有限公司 Message protection method and device for Internet of vehicles
CN114025346A (en) * 2021-10-12 2022-02-08 杭州趣链科技有限公司 Safe and effective data transmission method for data between mobile self-set networks
CN114025346B (en) * 2021-10-12 2024-03-29 杭州趣链科技有限公司 Data transmission method for data security and effectiveness between mobile self-setting networks

Also Published As

Publication number Publication date
CN112714507B (en) 2024-03-01

Similar Documents

Publication Publication Date Title
CN101512537B (en) Method and system for secure processing of authentication key material in an ad hoc wireless network
Yang et al. Securing a wireless world
EP1805920B1 (en) System and method for providing security for a wireless network
US8001381B2 (en) Method and system for mutual authentication of nodes in a wireless communication network
US8510560B1 (en) Efficient key establishment for wireless networks
US20120036567A1 (en) Methods for establishing a security session in a communications system
EP1571790A2 (en) Secure routing method for ad hoc networks, corresponding mobile node and network system
Reddy et al. Sybil attack detection technique using session key certificate in vehicular ad hoc networks
CN112714507B (en) Method for data security transmission between wireless ad hoc networks
Khalil et al. Sybil attack prevention through identity symmetric scheme in vehicular ad-hoc networks
US8925048B2 (en) Security method of mobile internet protocol based server
US8094634B2 (en) Sender and/or helper node modifications to enable security features in cooperative wireless communications
Alhakami et al. A secure MAC protocol for cognitive radio networks (SMCRN)
Büttner et al. Real-world evaluation of an anonymous authenticated key agreement protocol for vehicular ad-hoc networks
Raw et al. Security issues and solutions in Vehicular Ad hoc Network: A review approach
Trimintzios et al. WiFi and WiMAX secure deployments
He Analysis of security protocols for wireless networks
WO2005117334A1 (en) State based secure transmission for a wireless system
Aikaterini Security of IEEE 802.16
Srivastava et al. A New Generation of Driver Assistance and Security
WO2012021284A2 (en) Methods for establishing a security session in a communication system
Solà Campillo Security issues in Internet of Things
Raman Security in wireless networks
Kait Secured Routing for ad hoc Network: A
Eian Robustness in Wireless Network Access Protocols

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant