物联网感知环境分层访问控制机制研究

发布时间：2018-06-05 01:21

本文选题：分层访问控制 + 密钥推导　；参考：《西安电子科技大学》2014年博士论文

【摘要】：随着通信、网络、芯片技术的不断发展,物联网作为继计算机、移动通信和互联网之后的又一次信息技术革命,已成为当前世界新一轮经济和科技发展的战略制高点。物联网是指通过信息传感设备,按照约定的协议,把任何物品与互联网连接起来,进行信息交换和通信,以实现智能化识别、定位、跟踪、监控和管理的一种网络。感知层作为物联网的“末梢神经”完成真实世界中人、物、环境的感知工作。感知即是获取信息,主要是利用RFID、蓝牙、红外等传感器件采集数据,经由无线传感网进行数据交互,并为用户提供相应的数据访问。感知层节点数以亿计、节点的计算和存储能力受限等特点,使用户能够对节点自身信息和对节点采集到数据的安全有效访问,成为近期学术界和产业界关注的研究热点。本文即是在充分研究物联网感知层的特点和访问控制需求的基础上,对物联网感知环境的分层访问控制机制展开深入的研究工作。本论文的研究成果和创新之处主要体现在以下几个方面： (1)对现有分层访问控制方案进行深入研究。将现有分层访问控制方案分为基于节点构造的分层访问控制方案和基于有向边构造的分层访问控制方案两类,从性能角度,将密钥存储量、公共信息量、用户一次访问的密钥存储量、可扩展性作为评估要素,对现有方案进行了性能分析；从安全性角度将密钥可恢复性、密钥不可区分性作为安全评估要素,对现有方案进行了安全分析。通过对比各类方案的优势,并结合物联网感知环境的特点,确立了适用于物联网感知环境的分层访问控制机制。 (2)对基于节点分层的访问控制机制进行研究。针对感知层节点数量巨大,且计算能力和存储能力受限的情况下,用户对节点本身信息的访问控制需求,提出基本的分层访问控制方案b-HACS;在分析b-HACS可能存在安全风险的基础上提出安全性增强的分层访问控制方案es-HACS。两类方案与其它现有访问控制进行比较,其优势体现在：每个用户和分层节点仅存储单个密钥(材料)；通过密钥推导算法获得访问当前层次及该层以下所有资源的密钥；减少存储开销的同时提高了系统的安全强度；支持层次节点的动态扩展及密钥材料的动态更新,既增加了分层模型的灵活性,又减少了层次节点的通信开销；满足标准模型下的可证明安全及其它扩展安全。此外,针对用户可能因密钥获取时间过长而影响用户访问效率的情况,提出基于树重心分解的密钥推导优化方案,使原有方案的公共信息维持在常量级的前提下,大大提高密钥获取时间,使用户的密钥推导时间由原先的O(logn)级降低到O(loglogn)级。 (3)对基于资源分层的访问控制机制进行研究。针对多用户访问感知层节点采集到的海量数据的需求,在对海量数据资源进行分层管理的基础上,设计了多用户访问控制模型；在该模型下,提出基于Merkle哈希树的多用户层次节点密钥获取方案。方案创新性的将多用户同时访问层次节点考虑在内,并通过合理的设计使每个用户仅掌握单个用户密钥,利用相互独立的哈希链安全高效的获取相应的层次密钥,使单个用户的密钥失效不会影响其它用户的正常访问；提出基于资源分层的访问控制方案,使用户在获取单个层次节点密钥材料的前提下,能够安全高效的访问更多层次节点保护的数据资源,同时使整个感知层网络中层次节点掌握的密钥量和公共信息量维持在常量级；充分考虑用户在实际应用中对层次节点保护资源的访问需求,加入时间约束条件,提出两种时间约束条件下的分层访问控制方案：’TLPOS和TCDS。TLPOS方案从用户获取密钥时间角度进行优化设计,使该方案比现有其它方案在同样级别的密钥获取时间条件下,产生较少的公共信息;TCDS方案从公共信息量角度进行了优化设计,使方案比现有其它方案在产生较少公共信息的前提下,大大提高用户的密钥获取时间。 (4)对层次节点的私钥保护机制进行研究。针对感知层节点计算、存储、续航能力受限条件下,层次节点保存的密钥可能受到敌手离线或在线攻击的情况,提出可证明安全的层次节点私钥保护方案。充分利用口令保护、密钥分割、与服务器动态交互获取部分私钥等技术保证层次节点的私钥安全。与其它现有方案相比,该方案的优势在于：减少了层次节点的计算量和存储量,简化了交互过程参数的设置；将时间同步贯穿整个方案的设计过程,防止重放攻击的同时,更提供了便捷高效的节点私钥失效方案。方案达到了安全私钥获取和高效私钥失效的效果,符合感知层层次节点的安全应用需求,并在随机预言机模型下验证了方案的可证明安全。
[Abstract]:With the development of communication , network and chip technology , Internet of Things has become a strategic point for the new round of economic and technological development in the world .

The research results and innovations of this thesis are mainly embodied in the following aspects :

( 1 ) The existing layered access control scheme is deeply researched . The existing layered access control scheme is divided into hierarchical access control scheme based on node structure and hierarchical access control scheme based on the edge structure . From the performance perspective , the key storage amount , the public information amount , the key storage amount and the scalability accessed by the user are used as the evaluation factors , and the performance analysis is carried out on the existing scheme ;
By comparing the advantages of various schemes and the characteristics of networked sensing environment , a hierarchical access control mechanism for Internet - of - things - aware environment is established .

( 2 ) A hierarchical access control scheme ( b - HACS ) based on node hierarchy is studied in this paper . In view of the large number of nodes and the limited computing power and storage capacity , a basic hierarchical access control scheme ( b - HACS ) is proposed , which is based on analyzing the potential security risks of b - HACS .
obtaining a key of an access current level and all resources below the layer through a key derivation algorithm ;
the storage cost is reduced , and the security strength of the system is improved ;
the dynamic expansion of the hierarchical node and the dynamic update of the key material are supported , the flexibility of the layered model is increased , and the communication cost of the hierarchical node is reduced ;
In addition , the key derivation and optimization scheme based on the decomposition of the center of gravity of the tree is proposed , so that the public information of the original scheme is maintained at the constant level , so that the key derivation time of the user is reduced from the original O ( logn ) level to the O ( loglogn ) level .

( 3 ) A multi - user access control model is designed on the basis of hierarchical management of massive data resources .
Under the model , a multi - user hierarchical node key acquisition scheme based on Merkle hash tree is proposed .
the invention provides an access control scheme based on resource tiering , which enables a user to safely and efficiently access data resources protected by a more multi - level node under the premise of acquiring a single hierarchical node key material , and simultaneously maintains the key quantity and the public information amount mastered by the hierarchical nodes in the whole sensing layer network at constant levels ;
A hierarchical access control scheme : ' TLPOS and TCDS . TLPOS scheme is proposed to optimize design of hierarchical access control scheme : ' TLPOS and TCDS . TLPOS scheme optimizes design from user ' s obtaining key time angle to make the scheme less public information than other schemes at the same level of key acquisition time .

( 4 ) The private key protection scheme of the hierarchical node is studied . According to the condition of computing , storing and cruising ability of the sensing layer node , the key stored by the hierarchical node may be protected by the enemy ' s offline or online attacks . The key security of the hierarchical node can be ensured by using the techniques of password protection , key partition , and dynamic interaction with the server . Compared with other existing schemes , the scheme has the advantages that : the calculation amount and the storage amount of the hierarchical node are reduced , and the setting of the interactive process parameters is simplified ;
The scheme achieves the effect of secure private key acquisition and efficient private key failure , meets the security application requirement of the sensing layer number node , and verifies the proof safety of the scheme under the model of the random oracle machine .
【学位授予单位】：西安电子科技大学
【学位级别】：博士
【学位授予年份】：2014
【分类号】：TP391.44;TN929.5

【参考文献】