US2008292105A1PendingUtilityA1
Lightweight key distribution and management method for sensor networks
Est. expiryMay 22, 2027(~0.9 yrs left)· nominal 20-yr term from priority
H04L 67/12H04L 2209/805H04L 9/0833H04L 9/0825H04W 12/0431H04L 63/0823H04W 12/06H04L 63/062
44
PatentIndex Score
0
Cited by
0
References
0
Claims
Abstract
A lightweight security framework is disclosed that combines PKI with symmetric key cryptography to exploit the system asymmetry in hierarchical sensor networks. The framework provides protocols for public key exchange, session and group key generation, pair-wise key generation, and network resource protection in a low-cost security architecture. The security framework shifts much of the security-related computational load off of the resource-constrained sensor nodes and on to resource-rich base station nodes. The method is based on the generation and management of two kinds of symmetric keys from a set of bootstrapping asymmetric keys on each node.
Claims
exact text as granted — not AI-modified1 . A method to provide security protection in a sensor network, the sensor network comprising a base station, a sensor node, and a second sensor node, the method comprising:
securely exchanging a pair of public keys between the base station and the first sensor node, the pair of public keys comprising a base station public key and a sensor node public key; securely generating a session key between the base station and the sensor node; and securely distributing a group key, the group key allowing inauthentic messages received by sensor nodes to be dropped quickly.
2 . The method of claim 1 , further comprising:
securely exchanging a second pair of public keys between the base station and the second sensor node, the second pair of public keys comprising the base station public key and a second sensor node public key; and securely generating a second session key between the base station and the second sensor node, the second session key being based on the exchanged second pair of public keys;
wherein group key distribution is based on the session key and the second session key.
3 . The method of claim 1 , securely exchanging a pair of public keys between the base station and the sensor node further comprising:
the sensor node sending the sensor node public key to the base station; the base station signing the base station public key by a certificate authority to produce a signed base station public key; the base station sending the signed base station public key to the sensor node; and the sensor node using the certificate authority public key to validate the signed base station public key.
4 . The method of claim 1 , securely generating a session key between the base station and the sensor node further comprising:
the sensor node sending a first message, a certificate request, to the base station; the base station receiving the first message and sending a certificate including the base station public key, as a second message, to the sensor node; the sensor node generating a third message that contains a random number and an identifier of the sensor node, wherein the random number and the identifier of the sensor node are encrypted based on the base station public key, wherein the random number is generated by the sensor node; and the base station generating the session key and a second random number, wherein the second random number is generated by the base station.
5 . The method of claim 4 , further comprising:
the base station encrypting the random number, the second random number, the session key, and the group key, as a fourth message, and sending the fourth message to the sensor node; the sensor node decrypting the fourth message and verifying the random number; the sensor node sending the second random number, encrypted with the session key, as a fifth message, to the base station; and the base station decrypting the fifth message and verifying that the second random number is valid;
wherein the session key is used for secure communications between the sensor node and the base station.
6 . The method of claim 5 , further comprising:
the base station recording the session key in its key table for the sensor node.
7 . The method of claim 1 , further comprising:
the sensor node encrypting a first message, the first message comprising an identifier of the sensor node, an identifier of the second sensor node, a third random number, and a fourth random number, wherein the first message is protected by the session key shared with the base station sent by the sensor node to the second sensor node; the second sensor node generating a fifth random number and encrypting the fifth random number with a second session key to form an encrypted fifth random number, the second session key enabling secure communication between the second sensor node and the base station; the second sensor node concatenating the encrypted fifth random number with the first message to form a second message and sending the second message to the base station; and the base station generating a pair-wise group key.
8 . The method of claim 7 , further comprising:
the base station encrypting a pair-wise session key into a third message using the session key shared with the sensor node; the base station sending the third message to the sensor node; the base station encrypting the pair-wise group key into a fourth message using the second session key shared with the second sensor node; and the base station sending the fourth message to the second sensor node;
9 . The method of claim 8 , further comprising:
the sensor node decrypting the third message and obtaining the pair-wise group key; and the second sensor node decrypting the fourth message and obtaining the pair-wise group key;
wherein the pair-wise group key enables secure communication between the sensor node and the second sensor node.
10 . A method to securely exchange data between a base station and a sensor node, the method comprising:
exchanging a sensor node public key of the sensor node with a base station public key of the base station; distributing a session key using the sensor node public key, the base station public key, a default group key, and a certificate authority public key; and using the session key to exchange data between the base station and the sensor node.
11 . The method of claim 10 , exchanging a sensor node public key with a base station public key further comprising:
the sensor node sending the sensor node public key to the base station; the base station signing the base station public key by a certificate authority to produce a signed base station public key; the base station sending the signed base station public key to the sensor node; and the sensor node using the certificate authority public key to validate the signed base station public key.
12 . The method of claim 11 , distributing a session key using the sensor node public key, the base station public key, a default group key, and a certificate authority public key further comprising:
the sensor node sending a certificate request message to the base station as a first message; the sensor node receiving a certificate from the base station as a second message, the certificate comprising the base station public key; the sensor node generating a third message by picking a random number and encrypting the random number and a sensor node identifier using the base station public key; the sensor node sending the third message to the base station; the base station obtaining the random number and the sensor node identifier from the sensor node; and the base station sending a fourth message to the sensor node, the fourth message comprising a session key encrypted using the sensor node public key.
13 . The method of claim 12 , the base station obtaining the random number and the sensor node identifier from the sensor node further comprising:
decrypting the third message using a base station private key.
14 . The method of claim 12 , the base station sending a fourth message to the sensor node, the fourth message comprising a session key further comprising:
generating the session key; generating a base station random number; encrypting the random number and the base station random number; encrypting the session key and an ephemeral group key with the sensor node public key; and sending the session key, encrypted random number, encrypted base station random number, and group key to the sensor node as the fourth message.
15 . The method of claim 14 , further comprising:
the base station recording the session key in its key table.
16 . The method of claim 15 , further comprising:
the sensor node decrypting the fourth message using a sensor node private key; the sensor node verifying the random number; and the sensor node sending a fifth message to the base station, the fifth message comprising the base station random number encrypted with the session key.
17 . The method of claim 16 , further comprising:
the base station decrypting the fifth message and verifying that the base station random number matches the base station random number sent in the fourth message.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.