
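Research on Hierarchical Access Control Mechanisms for the Internet of Things Sensing Environment

Published: 2018-06-05 01:21

  Topics: hierarchical access control + key derivation; Source: Xidian University, 2014 doctoral dissertation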


[Abstract]: With the continuing development of communication, network and chip technology, the Internet of Things (IoT), as another information technology revolution following the computer, mobile communication and the Internet, has become a strategic high ground for the current round of world economic and technological development. The IoT is a network that connects any object to the Internet through information-sensing devices according to agreed protocols, so that information can be exchanged and communicated to achieve intelligent identification, positioning, tracking, monitoring and management. The sensing layer, as the "peripheral nerve" of the IoT, performs the sensing of people, objects and the environment in the real world. Sensing means acquiring information: data is collected mainly by sensing devices such as RFID, Bluetooth and infrared, exchanged over wireless sensor networks, and made available to users through corresponding data access. Because sensing-layer nodes number in the hundreds of millions and have limited computing and storage capability, enabling users to access both the nodes' own information and the data the nodes collect securely and effectively has recently become a research focus for academia and industry. Based on a thorough study of the characteristics and access control requirements of the IoT sensing layer, this thesis carries out in-depth research on hierarchical access control mechanisms for the IoT sensing environment.

The research results and innovations of this thesis are mainly embodied in the following aspects:

(1) Existing hierarchical access control schemes are studied in depth. They are divided into two classes: schemes constructed on nodes and schemes constructed on directed edges. From the performance perspective, the existing schemes are analyzed using key storage, amount of public information, key storage for a single user access, and scalability as evaluation factors. From the security perspective, they are analyzed using key recoverability and key indistinguishability as security evaluation factors. By comparing the advantages of the various schemes and taking the characteristics of the IoT sensing environment into account, a hierarchical access control mechanism suited to the IoT sensing environment is established.

(2) Access control mechanisms based on node hierarchy are studied. To meet users' access control requirements for the nodes' own information when sensing-layer nodes are very numerous and limited in computing and storage capability, a basic hierarchical access control scheme, b-HACS, is proposed. Based on an analysis of the security risks that b-HACS may have, a security-enhanced hierarchical access control scheme, es-HACS, is proposed. Compared with other existing access control schemes, the two schemes have the following advantages: each user and each hierarchy node stores only a single key (key material); the keys for accessing all resources at the current level and below are obtained through a key derivation algorithm; storage overhead is reduced while the security strength of the system is improved; dynamic extension of hierarchy nodes and dynamic update of key material are supported, which increases the flexibility of the hierarchical model and reduces the communication overhead of hierarchy nodes; and provable security in the standard model and other extended security properties are satisfied. In addition, for the case where an overly long key acquisition time may reduce the user's access efficiency, a key derivation optimization scheme based on tree centroid decomposition is proposed. It keeps the public information of the original scheme at a constant level while greatly improving key acquisition time, reducing the user's key derivation time from the original O(log n) level to the O(log log n) level.

(3) Access control mechanisms based on resource hierarchy are studied. To meet the need for multiple users to access the massive data collected by sensing-layer nodes, a multi-user access control model is designed on the basis of hierarchical management of massive data resources. Under this model, a multi-user hierarchy node key acquisition scheme based on the Merkle hash tree is proposed. The scheme innovatively takes simultaneous access to hierarchy nodes by multiple users into account. By design, each user holds only a single user key and uses mutually independent hash chains to obtain the corresponding hierarchy keys securely and efficiently, so that the invalidation of one user's key does not affect the normal access of other users. An access control scheme based on resource hierarchy is proposed, which enables a user who has obtained the key material of a single hierarchy node to access securely and efficiently the data resources protected by more hierarchy nodes, while keeping the number of keys and the amount of public information held by hierarchy nodes across the whole sensing-layer network at a constant level. Taking full account of users' practical requirements for accessing resources protected by hierarchy nodes, time constraints are added and two time-constrained hierarchical access control schemes are proposed: TLPOS and TCDS. The TLPOS scheme is optimized from the perspective of the user's key acquisition time, so that it produces less public information than other existing schemes at the same level of key acquisition time. The TCDS scheme is optimized from the perspective of the amount of public information, so that it greatly improves the user's key acquisition time compared with other existing schemes while producing less public information.

(4) Private key protection mechanisms for hierarchy nodes are studied. For the case where the keys stored by hierarchy nodes may be subject to offline or online attacks by an adversary, given that sensing-layer nodes are limited in computation, storage and battery life, a provably secure private key protection scheme for hierarchy nodes is proposed. It makes full use of techniques such as password protection, key splitting, and dynamic interaction with a server to obtain part of the private key, in order to keep the hierarchy nodes' private keys secure. Compared with other existing schemes, the scheme has the following advantages: the computation and storage required of hierarchy nodes are reduced, and the setting of interaction parameters is simplified; time synchronization runs through the whole design of the scheme, which prevents replay attacks and also provides a convenient and efficient way to invalidate node private keys. The scheme achieves secure private key acquisition and efficient private key invalidation, meets the security application requirements of sensing-layer hierarchy nodes, and its provable security is verified in the random oracle model.
[Degree-granting institution]: Xidian University
[Degree level]: Doctorate
[Year degree granted]: 2014
[Classification number]: TP391.44;TN929.5

