
CN101635918A - Method for hierarchical onion ring routing - Google Patents


Info

Publication number: CN101635918A
Application number: CN200910023640A
Authority: CN (China)
Prior art keywords: node, gateway, onion, ring, session
Legal status: Granted
Other languages: Chinese (zh)
Other versions: CN101635918B (en)
Inventors: 庞辽军, 李茹, 裴庆祺, 焦李成, 李慧贤, 刘思伯, 赵晓辉
Current assignee: Xidian University
Original assignee: Xidian University
Priority date: 2009-08-19
Filing date: 2009-08-19

Events:

  • Application filed by Xidian University
  • Priority to CN2009100236403A
  • Publication of CN101635918A
  • Application granted
  • Publication of CN101635918B
  • Expired - Fee Related (current legal status)
  • Anticipated expiration

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a hierarchical onion ring routing method. The nodes of a wireless mesh network are divided into three classes: gateways, trusted nodes and ordinary nodes. The OP (onion proxy) nodes and the gateway are inducing nodes; the OP nodes select the route during ring initialization, and the set of all OP nodes together with the gateway forms the anonymity set. The onion routing of the network is split into two ring layers. First-layer route: a ring path made up of the non-adjacent trusted OP nodes of the anonymity set and the gateway. Second-layer route: the loop formed by filling ordinary nodes F_i in between the trusted OP nodes; it is selected at random by the OP nodes and the gateway during initialization. Anonymous, secure communication in the mesh network is achieved through the layered loops of onion ring routing. Because the invention uses the hierarchical onion ring communication protocol, in which the OP nodes of the anonymity set and the gateway jointly take part in route selection, paths are effectively obscured and intersection attacks are prevented; the amount of computation and the load on the gateway are reduced, ring building is sped up, and network resources are used better so that delay decreases.

Description

Method for hierarchical onion ring routing
Technical field
The invention belongs to the field of network security technology and concerns the security of routing protocols in networks. Specifically, it is a hierarchical onion ring routing method which, together with a redundancy scheme, uses cryptography to protect the privacy of the network against both global and intrusive attacks.
Background technology
A wireless mesh network contains some active nodes that may carry out confidential business. To keep the outside world from learning about it, these nodes must communicate anonymously, and anonymous communication requires that: 1) the outside world cannot learn the content of a session; 2) the outside world cannot learn who initiated the current session. This protection is essential for secure network communication. At present, however, anonymous communication schemes either cannot stop attacks by a cunning adversary, or buy a certain level of anonymity at the cost of a great deal of bandwidth.
The paper "Achieving Privacy in Mesh Networks" (Proc. of the SASN '06, pp. 13-22, Oct. 2006) proposes a ring-shaped secure communication pattern for mesh networks based on onion routing. Its main idea is: in a simple ring structure, to resist global attacks, design a ring-shaped onion routing protocol in which communication starts at the gateway and also ends at the gateway. All communication proceeds in the same direction, either clockwise or counter-clockwise. An external attacker that analyses the traffic therefore cannot tell which node is the source and which the destination. Even a malicious node inside the routing ring that knows the topology cannot trace the source and destination, because it can only trace a ring-shaped path, and on a ring the adversary cann't tell who is the source and who is the destination. But this scheme opens up a new kind of attack, called an intersection attack. For example, a mesh node connects to the Internet through a ring path for a session; some time later the same mesh node visits the same Internet address again, but its session runs over a different ring. If the adversary is monitoring the gateway at that moment and notices that this is a very particular address, it can conclude from the observation that the session initiator, the source node, is most likely the intersection of the two rings, and the anonymity of the communication is compromised. In addition, ring paths in that scheme can only be set up by the gateway, and all communication starts from the gateway, which places a very heavy computational load on it.
Summary of the invention
The technical problem solved by the invention is to overcome the intersection attack from which existing mesh networks suffer while keeping ring communication effective. A hierarchical onion ring routing method is provided that effectively resists intersection attacks, improves the security of network communication, effectively relieves the load on the gateway, reduces the number of routing table records the gateway keeps, makes better use of network resources and reduces delay.
To carry out secure anonymous communication in the mesh network, the invention divides the whole communication process into three parts: ring initialization, intra-ring communication and session termination. The nodes of the wireless mesh network are divided into three classes: the gateway, trusted nodes and ordinary nodes. The OP (Onion Proxy) nodes and the gateway G are inducing nodes: at regular intervals they send an inducing information carrier (a dummy packet) to the OP nodes near them. During ring initialization an OP node selects the first-layer and second-layer routes; in the communication that follows it behaves exactly like an ordinary node F_i. For ease of understanding, the notions of anonymity set and layered route are introduced first:
Anonymity set: let R be the set of all OP nodes and the gateway G in the network. A subset of R that satisfies the following conditions is called an anonymity set:
a) it must contain the element G;
b) all its elements form a Hamiltonian circuit in the network topology. These anonymity sets are numbered, and the numbered anonymity sets are shared by the gateway G and the OP nodes.
Layered route: the invention divides routing into two layers. First-layer route: in the onion ring routing protocol, the path made up of elements of the anonymity set, i.e. the path composed of trusted nodes and the gateway, is called the first-layer route. It is mainly a ring formed by non-adjacent trusted nodes. Second-layer route: the loop formed by filling ordinary nodes in between the trusted nodes is called the second-layer route, also called the lower-layer route. It is selected at random by the OP nodes and the gateway during initialization; its main purpose is to fill in the path.
One. Ring initialization
The invention divides the initialization of a ring into the following steps:
Step 1: encapsulation process
First, the OP node (the first element of the anonymity set) selects the first-layer route, i.e. the numbered anonymity set, encapsulates the onion packet in the order of the nodes of the anonymity set, and appends a dummy packet after it.
The packet format is as follows:
{build}, E_kpop1[(RI, k_op1, OP2), E_kpop2[(RI, k_op2, G), E_kpg(RI, t)]], dummy;
{build}: packet header, indicating ring-building information; it tells the node that a ring is to be initialized;
E_kp: public-key encryption, used to encapsulate the onion packet. Node OP1 encrypts the outermost layer with its own public key E_kpop1; that layer holds the ring number RI, its own session key k_op1, the address of the next hop OP2, and the second-layer onion packet encapsulated for the second node of the anonymity set. When node OP2 receives the onion packet it can determine where the next hop is to be sent, and so on.
RI: ring number. Many rings may be communicating in the network at the same time; to keep ring numbers unique, RI is formed from the anonymity set number and the ring-building time.
k_i: session key of node i with the gateway G, i.e. each node's session key for communication on this ring. Session keys are established when the ring is built; when the ring's session ends, the session key has served its purpose, and the next communication establishes new session keys.
t: timestamp, used to check the freshness of messages;
dummy: inducing information, which may consist of any unimportant data.
Then the OP node selects the second-layer route towards the second element of the anonymity set, encapsulates the onion packet strictly in the order of the second-layer route, and distributes the one-time session keys of the uplink in the ring for this communication (random numbers k_op1, k_1, k_2, ..., k_op2).
The one-time session keys it distributes are reported to the gateway G, so that the gateway learns the exact uplink path; the one-time keys of the downlink are distributed by the gateway.
The packet sent from the first node of the anonymity set to the second node has the following format:
{build}, E_kp1[(RI, k_1, F_2), E_kp2[(RI, k_2, F_3), ..., E_kpop2[(RI, k_op2, G), E_kpg(RI, k_op1, k_1, k_2, ..., k_op2, t)]]], dummy
F_i: an ordinary node in the network.
k_i: one-time session key.
When node OP1 sends the ring-building information it has already encapsulated the onion packet, layer by layer. dummy is the inducing information. The first layer is encrypted with the public key of node F_1 and contains the ring number RI, the session key k_1 and the IP address of the next-hop node F_2; the remaining layers follow the same pattern. The innermost layer is encapsulated with the gateway's public key and consists of the session keys k_op1, k_1, k_2, ..., k_op2 of all uplink nodes, the timestamp t and the ring number RI.
The packet format above simplifies to:
{build}, E_kpop1(E_kp1(E_kp2(...(E_kpop2(E_kpg(m_1)))))), dummy, where m_1 = {RI, t, k_op1, k_1, k_2, ..., k_op2};
Every OP node in the ring encapsulates an onion packet in this way, for example OP2 and the gateway G.
When the second node OP2 of the anonymity set receives the initialization information, it performs path selection and onion encapsulation in the same way as the first element, but forwards the dummy packet directly. The format is:
{build}, E_kpn(...(E_kpop3(E_kpg(m_2), E_kpg(m_1)))), E_kpop2^{-1}(...(E_kp1^{-1}(dummy))), where m_2 = {k_op2, k_n, k_{n+1}, ..., t}
E_kp^{-1}: decryption under the public-key scheme (the operation with the node's private key).
Step 2: information forwarding process
During forwarding, an ordinary node F_i in the ring that has no data to send only decrypts the onion packet and the dummy packet, then passes the decrypted message to the next node, as follows:
{build}, E_kp2(...(E_kpop2(E_kpg(m_1)))), E_kp1^{-1}(dummy);
Step 3: session access request process
When an ordinary node F_i wants to communicate, it replaces the layer-by-layer decrypted dummy packet with its access request information:
{build}, E_kp(i+1)(E_kp(i+2)(...(E_kpg(m)))), E_kpi^{-1}(request);
Step 4: gateway processing
When the gateway G receives the packet sent from node OP1 it has determined the session initiator. If the gateway agrees to the request, it determines the other half of the ring path from the ring number and the anonymity set. The gateway G strictly encapsulates an onion packet and sends it to the session initiator; this packet contains all session keys of the uplink from the session initiator to its nearest OP node or the gateway. The grant information thus reaches the session initiator from the gateway and communication can begin. The packet format is as follows:
{build}, E_kpm(...(E_kpop(...(E_kpg(k_i, ..., k_op, grant)))));
The session access request follows an erase mechanism: if two nodes in the ring want to hold a session at the same time, the request information of the later node erases the request information of the earlier node. The earlier node then receives no grant in this ring and can only resend its request when the carrier of the next ring arrives.
Two. Intra-ring communication
After ring initialization the gateway G has determined the session initiator and sent it the session keys of part of the path. If the session initiator correctly receives the packet sent by the gateway G, it goes on communicating with the gateway G in the layered session mode. During intra-ring communication the OP nodes and the gateway G encapsulate the onion packets with session keys, which greatly reduces the amount of computation and makes encryption and decryption fast. Session keys are redistributed every time a ring is established, which also reduces the adversary's chance of tampering with the onion packets: if the adversary knew the path of the whole ring, it could encapsulate an onion packet with the public keys and impersonate a node in the ring. Node F_i encapsulates an onion packet with the session keys and sends it to its nearest OP node or the gateway G to hold the session. When the nearest OP node receives the packet, it likewise selects the second-layer route and communicates with the next element of the anonymity set. Except for the gateway G and the session initiator, every node in the ring only forwards the onion packet after decrypting its own layer.
The communication process from the session initiator to the gateway G is as follows:
F_i → F_{i+1}: {RI}, E_k(i+1)(E_k(i+2)(...(E_kop(E_kg(E_si(data, ack))))));
F_{i+1} → F_{i+2}: {RI}, E_k(i+2)(...(E_kop(E_kg(E_si(data, ack)))));
...
F_{OP-1} → OP: {RI}, E_kop(E_kg(E_si(data, ack)));
OP → F_{OP+1}: {RI}, E_k(op+1)(E_k(op+2)(...(E_kg(E_si(data, ack)))));
...
F_{G-1} → G: {RI}, E_kg(E_si(data, ack));
{RI} is the packet header; it indicates that the ring has been set up and communication begins. E_s denotes private-key encryption, and E_si denotes encryption with the private key of node F_i. data is the information content being sent. ack is the message authentication code sent after a packet has been received correctly, used to prove that both parties really received the packet.
After the gateway G receives this carrier packet it decrypts it with its own private key and the public key of node F_i, establishing that the packet is addressed to itself and was sent by node F_i. On receiving the message the gateway G computes the ack value; if the two sides' ack values are equal, the packet was received correctly and subsequent communication proceeds; if they differ, the packet was not received correctly.
According to the ring number and the anonymity set, the gateway G encapsulates a packet to node F_i in the following format:
{RI}, E_kg(E_kop1(E_ki(E_sg(data)))).
The communication process from the gateway G to node F_i is as follows:
G → F_m: {RI}, E_km(E_k(m+1)(...(E_kop1(E_ki(E_sg(data))))));
F_m → F_{m+1}: {RI}, E_k(m+1)(...(E_ki(E_sg(data))));
...
OP1 → F_1: {RI}, E_k1(...(E_ki(E_sg(data))));
...
F_{i-1} → F_i: {RI}, E_ki(E_sg(data));
Three. Session termination
After communicating for some time, when neither side has data to send, the gateway G encapsulates an onion packet with empty content to the OP node, which signals the end of the session.
Another case is that the gateway G has no data for the session initiator while the session initiator still has data to send to the gateway. The invention guarantees that information sent by the gateway G during communication always reaches the session initiator, so the session initiator can keep sending data to the gateway through the ring. Because a session starts at an OP node and ends at an OP node, when the session initiator has no more information to send it sends a packet with empty content to the gateway G; the gateway then knows the transmission is complete and again encapsulates an onion packet with empty content to the OP node, signalling the end of the session. In other words, after initialization the session has ended when an OP node receives a packet addressed to itself, or when the gateway G receives a packet with empty content.
One further case can occur: there are two session initiators in one ring. In that case the later session initiator can always encrypt the dummy information already encrypted by the earlier start node and hold its session with the gateway G, while the earlier session initiator can only wait for the next ring to converse. Although this causes some delay, other rings in the network communicate at the same time.
Compared with the prior art, the invention has the following beneficial effects:
1. By using the hierarchical onion ring communication protocol, in which the OP nodes of the anonymity set and the gateway jointly take part in route selection, the invention effectively obscures the path and prevents intersection attacks.
2. OP nodes and the gateway encapsulate onion packets with session keys, which greatly reduces the amount of computation and makes encryption and decryption fast. Session keys are redistributed every time a ring is established, which also reduces the adversary's chance of tampering with onion packets.
3. The hierarchical onion routing algorithm implements route aggregation, which greatly reduces the number of records in the gateway's routing table, effectively relieves the gateway's load, speeds up the ring-building process, makes better use of network resources and reduces delay.
4. In terms of security, the number of onion routing layers appears to decrease, but the security strength rests on the security of the public-key scheme and does not depend on the number of nodes. The security strength is therefore not reduced; on the contrary, the route is hidden better.
Description of drawings
Fig. 1: hierarchical onion ring topology of the invention
Fig. 2: simple network topology of the preferred embodiment of the invention
Embodiment
The hierarchical onion ring of the invention is shown in Fig. 1. When the network is set up, the gateway G records the trusted nodes in the network (the OP nodes). As shown by the dotted line in Fig. 1, the gateway G and the OP nodes form a ring path.
As shown in Fig. 1, node OP1 is the start node; it selects the anonymity set {OP1, OP2, G}, which is called the first-layer route. When the onion packet starts to be transmitted, the next node indicated in the packet is OP2, and since OP2 is not adjacent to OP1, node OP1 sets up a new connection, say {OP1, F1, ..., OP2}; this route is called the second-layer route, equivalent to the lower-layer route. When the onion packet reaches node OP2 the second-layer route ends and the packet returns to the upper-layer route, i.e. re-enters the first-layer route.
A complete hierarchical onion ring communication process is described below with reference to the preferred embodiment of Fig. 2.
As shown in Fig. 2, suppose the first-layer route selected by node OP3 is ring RI: {OP3, OP2, G} and the second-layer path is {OP3, F4, F5, OP2}; node OP3 then encapsulates the onion packet strictly in the order of the second-layer route.
Step 1: encapsulation process
Node OP3 first selects the first-layer route, i.e. the numbered anonymity set, encapsulates the onion packet in the order of the nodes of the anonymity set and appends a dummy packet after it. The packet format is as follows:
{build}, E_kpop3[(RI, k_op2), E_kpop2[(RI, k_g), E_kpg(RI, t)]], dummy;
Then node OP3 selects the second-layer route {OP3, F_4, F_5, OP2} to the second node of the anonymity set, encapsulates the onion packet strictly in the order of the second-layer route, and distributes the one-time session keys (k_op1, k_4, k_5, k_op2) of the uplink in the ring for this communication.
The packet sent from the first element of the anonymity set to the second element has the following format:
{build}, E_kpop3[(RI, k_op2), E_kp4[(RI, k_4, F_5), E_kp5[(RI, k_5, F_op2), ..., E_kpop2[(RI, k_g), E_kpg(RI, t, k_op1, k_4, k_5, k_op2)]]]], dummy
Simplified, the packet format is:
{build}, E_kpop3(E_kp4(E_kp5(E_kop2(E_kg(m_1))))), dummy, where m_1 = {RI, t, k_op1, k_4, k_5, k_op2}.
Step 2: information forwarding process
During transmission, a node in the ring that has no data to send only decrypts the onion packet and the dummy packet, then passes the decrypted message to the next node, as follows:
OP3 → F_4: {build}, E_kp4(E_kp5(E_kop2(E_kg(m_1)))), dummy;
F_4 → F_5: {build}, E_kp5(E_kop2(E_kg(m_1))), E_kp4^{-1}(dummy).
Step 3: session access request process
When node F_5 wants to communicate, it replaces the layer-by-layer decrypted dummy packet with the access request information request:
F_5 → OP2: {build}, E_kop2(E_kg(m_1)), E_kp5^{-1}(request);
OP2 → F_6: {build}, E_k6(E_k7(E_kg(m_1))), E_kpop2^{-1}(E_kp5^{-1}(request));
F_6 → F_7: {build}, E_k7(E_kg(m_1)), E_kp6^{-1}(E_kpop2^{-1}(E_kp5^{-1}(request)));
F_7 → G: {build}, E_kg(m_1), E_kp7^{-1}(E_kp6^{-1}(E_kpop2^{-1}(E_kp5^{-1}(request)))).
Step 4: gateway processing
When the gateway G receives the packet passed on by node OP2, it learns that node F_5 wants to converse. If it agrees to the request, it likewise determines the other half of the ring path, towards node OP3, from the ring number and the anonymity set; suppose the selected path is {G, F_3, OP3}. The gateway sends node F_5 the session keys (k_op2, k_6, k_7) of the nodes that the uplink from F_5 to the gateway passes through: it strictly encapsulates an onion packet and sends it to node F_5. The grant information can then travel from the gateway via nodes F_3, OP3 and F_4 to node F_5, and communication can begin. The simplified form of the gateway's packet is:
{build}, E_kg(E_kop3(E_kp4(E_kp5(E_sg(m_2))))), where m_2 = {k_op2, k_6, k_7, grant}.
G → F_3: {build}, E_kp3(E_kop3(E_kp4(E_kp5(E_sg(m_2)))));
F_3 → OP3: {build}, E_kop3(E_kp4(E_kp5(E_sg(m_2))));
OP3 → F_4: {build}, E_kp4(E_kp5(E_sg(m_2)));
F_4 → F_5: {build}, E_kp5(E_sg(m_2)).
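The four initialization steps (steps 1 to 4 of the general description, and the same steps on the Fig. 2 topology just above) leave two things implicit: how the gateway reads the session initiator out of the layered carrier, and how a later request erases an earlier one. The following Python model is an added example, not code from the patent. It uses textbook RSA on fixed, well-known primes as a stand-in for E_kp and E_kp^{-1}, JSON for the (RI, k, next hop) layer contents, and the node names of Fig. 2 (OP3, F4, F5, OP2, F6, F7, G, F3); all keys and packets are constructed. One reading of step 4 is built in and is the example's, not the patent's: the gateway, which learns the uplink from the key reports each OP seals to it, undoes the nodes' private-key layers on the carrier with their public keys in reverse route order until the request marker appears, and the depth at which it appears names the initiator.

```python
"""Added toy model of ring initialisation (steps 1-4) for the hierarchical
onion-ring protocol described above.  Textbook RSA on fixed, well-known primes
stands in for the patent's E_kp (public key) and E_kp^-1 (private key); every
key, node name and packet here is constructed for illustration and insecure."""
import json
import secrets
from itertools import combinations

E = 65537
_PRIMES = [2**31 - 1, 2**61 - 1, 2**89 - 1, 2**107 - 1, 2**127 - 1, 2**64 - 59]
NODES = ["OP3", "F4", "F5", "OP2", "F6", "F7", "G", "F3"]   # Fig. 2 topology

def _keypair(p, q):
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": E, "d": pow(E, -1, phi)}

# A real node holds only its own d; one shared table is a simulation shortcut.
KEYS = dict(zip(NODES, (_keypair(p, q) for p, q in combinations(_PRIMES, 2))))

def _rsa(exp, n, data, forward):
    """forward: ISO 7816-4 pad, then raise each chunk to exp mod n;
    backward: raise each chunk to exp mod n, then strip the padding."""
    o = (n.bit_length() + 7) // 8     # output chunk: holds any value below n
    i = o - 1                         # input chunk: always a value below n
    if forward:
        data += b"\x80" + b"\x00" * (-(len(data) + 1) % i)
        return b"".join(pow(int.from_bytes(data[k:k + i], "big"), exp, n)
                        .to_bytes(o, "big") for k in range(0, len(data), i))
    out = b"".join(pow(int.from_bytes(data[k:k + o], "big"), exp, n)
                   .to_bytes(i, "big") for k in range(0, len(data), o))
    return out[:out.rindex(b"\x80")]

def seal(node, msg):          # E_kp: encrypt one layer to node's public key
    return _rsa(KEYS[node]["e"], KEYS[node]["n"], msg, True)

def open_layer(node, ct):     # E_kp^-1: node strips its own layer
    return _rsa(KEYS[node]["d"], KEYS[node]["n"], ct, False)

def priv_wrap(node, msg):     # E_kp^-1 applied to the dummy / request carrier
    return _rsa(KEYS[node]["d"], KEYS[node]["n"], msg, True)

def pub_unwrap(node, ct):     # G undoes priv_wrap with node's public key
    return _rsa(KEYS[node]["e"], KEYS[node]["n"], ct, False)

def wrap_route(ring_id, hops, innermost):
    """Encapsulate strictly in route order; hops = [(node, session key, next)]."""
    pkt = innermost
    for node, key, nxt in reversed(hops):
        layer = {"RI": ring_id, "k": key, "next": nxt, "inner": pkt.hex()}
        pkt = seal(node, json.dumps(layer).encode())
    return pkt

def peel(node, pkt):
    """One hop strips its layer: learns (RI, k, next) and forwards the rest."""
    layer = json.loads(open_layer(node, pkt))
    return layer, bytes.fromhex(layer["inner"])

def simulate_uplink(ring_id, segments, requesters, dummy=b"dummy"):
    """segments = [(OP, [fillers], next anchor)], the last anchor being G.
    Each OP draws one-time keys for its segment and reports them to G in the
    innermost packet.  Fillers peel a layer and private-key-wrap the carrier;
    a requester instead erases the carrier and wraps its own request."""
    carrier, g_pkt, uplink = dummy, b"", []
    for op, fillers, anchor in segments:
        keys = {n: secrets.token_hex(8) for n in [op] + fillers}
        report = {"RI": ring_id, "keys": keys, "prev": g_pkt.hex()}
        g_pkt = seal("G", json.dumps(report).encode())
        hops = list(zip(fillers, [keys[n] for n in fillers], fillers[1:] + [anchor]))
        pkt = wrap_route(ring_id, hops, g_pkt)
        for node in fillers:
            layer, pkt = peel(node, pkt)
            assert layer["RI"] == ring_id
            carrier = priv_wrap(node, b"request" if node in requesters else carrier)
            uplink.append(node)
        g_pkt = pkt                       # the anchor now holds G's packet
        if anchor != "G":                 # an OP anchor also wraps the carrier
            carrier = priv_wrap(anchor, carrier)
            uplink.append(anchor)
    return g_pkt, carrier, uplink

def gateway_process(g_pkt, carrier, uplink):
    """G collects every OP's key report, then unwraps the carrier with public
    keys in reverse route order until the request marker appears."""
    keys = {}
    while g_pkt:
        report = json.loads(open_layer("G", g_pkt))
        keys.update(report["keys"])
        g_pkt = bytes.fromhex(report["prev"])
    for depth, node in enumerate(reversed(uplink)):
        carrier = pub_unwrap(node, carrier)
        if carrier == b"request":         # grant = uplink keys after the initiator
            after = uplink[len(uplink) - depth:]
            return node, {"keys": {n: keys[n] for n in after}, "grant": True}
    return None, None                     # carrier was still the dummy

def simulate_grant(ring_id, downlink, grant):
    """G wraps E_sg(grant) along its downlink path; the last node peels the
    final layer and checks the gateway's private-key layer with G's public key."""
    keys = {n: secrets.token_hex(8) for n in downlink}
    hops = list(zip(downlink, [keys[n] for n in downlink], downlink[1:] + [None]))
    pkt = wrap_route(ring_id, hops, priv_wrap("G", json.dumps(grant).encode()))
    for node in downlink:
        _, pkt = peel(node, pkt)
    return json.loads(pub_unwrap("G", pkt))

def demo(requesters=frozenset({"F5"})):
    """Fig. 2 run: OP3 -> F4 -> F5 -> OP2 -> F6 -> F7 -> G, grant via F3, OP3, F4."""
    segments = [("OP3", ["F4", "F5"], "OP2"), ("OP2", ["F6", "F7"], "G")]
    g_pkt, carrier, uplink = simulate_uplink("RI-1", segments, requesters)
    initiator, grant = gateway_process(g_pkt, carrier, uplink)
    if initiator is None:
        return None, None
    return initiator, simulate_grant("RI-1", ["F3", "OP3", "F4", initiator], grant)
```

`demo()` returns the initiator the gateway identified ("F5") and the grant that reached it, whose keys are exactly those of OP2, F6 and F7, the uplink nodes between F5 and G. `demo({"F4", "F5"})` shows the erase mechanism: both nodes request, but F5's wrapped request replaces the carrier F4 produced, so the gateway grants F5. `demo(set())` returns `(None, None)` because the carrier is still the dummy after every layer is undone. OP3 forwards the dummy unchanged, matching the OP3 → F_4 line of step 2 above; the grant's downlink keys are drawn by the gateway, as the description says.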
After ring initialization the gateway has determined that the session initiator is node F_5 and has sent it the session keys of part of the path. If F_5 correctly receives the packet sent by the gateway, it goes on communicating with the gateway in the layered session mode. Node F_5 encapsulates an onion packet with the session keys and sends it to node OP2 to hold the session. When node OP2 receives the packet sent from node F_5, it confirms the second-layer route from the ring number and communicates with the next node of the anonymity set, the gateway G.
The onion ring communication process is as follows (using the one-time session keys):
F_5 → OP2: {RI}, E_kop2(E_kg(E_s5(data, ack)));
OP2 → F_6: {RI}, E_k6(E_k7(E_kg(E_s5(data, ack))));
F_6 → F_7: {RI}, E_k7(E_kg(E_s5(data, ack)));
F_7 → G: {RI}, E_kg(E_s5(data, ack));
After the gateway receives this carrier packet it decrypts it with its own private key and the public key of node F_5, establishing that the packet is addressed to itself and was sent by node F_5. On receiving the packet the gateway computes the ack value; if the two sides' ack values are equal, the packet was received correctly and subsequent communication proceeds; if they differ, the packet was not received correctly.
The gateway encapsulates a packet to node F_5 in the form: {RI}, E_kp3(E_kop3(E_kp4(E_kp5(E_sg(data))))).
G → F_3: {RI}, E_kp3(E_kop3(E_kp4(E_kp5(E_sg(data)))));
F_3 → OP3: {RI}, E_kop3(E_kp4(E_kp5(E_sg(data))));
OP3 → F_4: {RI}, E_kp4(E_kp5(E_sg(data)));
F_4 → F_5: {RI}, E_kp5(E_sg(data)).
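As an added example of the intra-ring communication and session-termination phases (sections Two and Three of the description, and the Fig. 2 exchange just above), the following Python model is not code from the patent. It assumes the one-time session keys k_i were distributed during initialization; models E_k with a SHA-256 keystream cipher that carries an HMAC tag per layer, so a hop notices a wrong key or a modified onion; stands in for the private-key layers E_si and E_sg with an HMAC under a per-node origin key the gateway knows; and computes ack as an HMAC over data under the initiator's session key, so the gateway can recompute it and compare, as the ack check above describes. The uplink is split into OP-delimited segments: the initiator wraps only as far as its nearest OP node, which re-wraps for its own segment, while the gateway wraps the whole downlink path. Node names, paths and data are constructed.

```python
"""Added toy model of the intra-ring communication and sign-off phases of the
protocol above.  One-time session keys come from ring initialisation; E_k is
a SHA-256 keystream cipher with an HMAC tag per layer, and the private-key
layers E_si / E_sg are stood in for by an HMAC under a per-node origin key
that the gateway knows.  All keys, paths and data are constructed."""
import hashlib
import hmac
import json
import secrets

def _keystream(key, nonce, n):
    blocks = (hashlib.sha256(key + nonce + c.to_bytes(4, "big")).digest()
              for c in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def enc(key, msg):
    """E_k: nonce || ciphertext || 16-byte tag (encrypt-then-MAC)."""
    nonce = secrets.token_bytes(8)
    ct = bytes(a ^ b for a, b in zip(msg, _keystream(key, nonce, len(msg))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()[:16]

def dec(key, blob):
    """Strip one layer; a wrong key or a modified onion fails the tag check."""
    nonce, ct, tag = blob[:8], blob[8:-16], blob[-16:]
    want = hmac.new(key, nonce + ct, "sha256").digest()[:16]
    if not hmac.compare_digest(tag, want):
        raise ValueError("layer tag mismatch: wrong session key or tampering")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def origin_seal(key, msg):    # stand-in for the private-key layer E_si / E_sg
    return msg + hmac.new(key, msg, "sha256").digest()

def origin_open(key, blob):
    msg, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, msg, "sha256").digest()):
        raise ValueError("origin check failed")
    return msg

class RingSession:
    """One ring RI: initiator F_i, uplink as OP-delimited segments ending at G,
    downlink as the flat path the gateway chose back to F_i."""

    def __init__(self, ring_id, initiator, uplink, downlink):
        self.ring_id, self.initiator = ring_id, initiator
        self.uplink, self.downlink = uplink, downlink
        nodes = {n for seg in uplink for n in seg} | set(downlink) | {initiator, "G"}
        self.k = {n: secrets.token_bytes(16) for n in nodes}    # one-time keys
        self.sig = {n: secrets.token_bytes(16) for n in nodes}  # origin keys
        self.ended = False

    def _onion(self, path, innermost):
        pkt = innermost
        for hop in reversed(path):
            pkt = enc(self.k[hop], pkt)
        return pkt

    def _relay(self, path, pkt):
        """Every node on the path strips only its own layer and passes the rest on."""
        for hop in path:
            pkt = dec(self.k[hop], pkt)
        return pkt

    def initiator_send(self, data):
        """F_i: E_kop(E_kg(E_si(data, ack))) towards its nearest OP node."""
        ack = hmac.new(self.k[self.initiator], data, "sha256").hexdigest()
        body = json.dumps({"data": data.hex(), "ack": ack}).encode()
        inner = enc(self.k["G"], origin_seal(self.sig[self.initiator], body))
        return {"RI": self.ring_id}, self._onion(self.uplink[0], inner)

    def gateway_receive(self, header, pkt):
        if header["RI"] != self.ring_id:
            raise ValueError("packet belongs to another ring")
        pkt = self._relay(self.uplink[0], pkt)
        for seg in self.uplink[1:]:            # each OP re-wraps for its segment
            pkt = self._relay(seg, self._onion(seg, pkt))
        body = json.loads(origin_open(self.sig[self.initiator], dec(self.k["G"], pkt)))
        data = bytes.fromhex(body["data"])
        expect = hmac.new(self.k[self.initiator], data, "sha256").hexdigest()
        if not hmac.compare_digest(expect, body["ack"]):
            raise ValueError("ack mismatch: packet not received correctly")
        if not data:                           # empty content: initiator is done
            self.ended = True
        return data

    def gateway_send(self, data):
        """G wraps E_sg(data) along the whole downlink; empty data ends the session."""
        if not data:
            self.ended = True
        inner = origin_seal(self.sig["G"], data)
        return {"RI": self.ring_id}, self._onion(self.downlink, inner)

    def initiator_receive(self, header, pkt):
        if header["RI"] != self.ring_id:
            raise ValueError("packet belongs to another ring")
        return origin_open(self.sig["G"], self._relay(self.downlink, pkt))

def fig2_session():
    """Fig. 2 paths: F5 -> OP2, OP2 -> F6 -> F7 -> G, and G -> F3 -> OP3 -> F4 -> F5."""
    return RingSession("RI-1", "F5", [["OP2"], ["F6", "F7"]], ["F3", "OP3", "F4", "F5"])

def tampered_is_rejected(session, data=b"probe"):
    """Flip one ciphertext byte of the outer layer; the first hop's tag check fails."""
    header, pkt = session.initiator_send(data)
    bad = bytearray(pkt)
    bad[8] ^= 0x01
    try:
        session.gateway_receive(header, bytes(bad))
    except ValueError:
        return True
    return False
```

A run on the Fig. 2 paths sends data up to G, gets a reply back down to F5, then closes with an empty packet from the initiator, after which `ended` is set; `tampered_is_rejected` shows that altering a layer in transit is caught at the first hop rather than at the gateway.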

Claims (6)

1. A hierarchical onion ring routing method, characterized in that: the nodes of the wireless mesh network are divided into three classes, the gateway G, trusted nodes OP and ordinary nodes F_i; the OP nodes and the gateway G are inducing nodes, the OP nodes select the route during ring initialization, and the set of all OP nodes and the gateway G forms the anonymity set; the onion routing of the network is divided into two ring layers: the first-layer route is the ring path formed by the non-adjacent trusted nodes OP of the anonymity set and the gateway G; the second-layer route is the loop formed by filling ordinary nodes F_i in between the trusted nodes OP, also called the lower-layer route; the second-layer route is selected at random by the OP nodes and the gateway during initialization, and anonymous secure communication in the mesh network is achieved through the layered loops of onion ring routing.
2. The hierarchical onion ring routing method according to claim 1, characterized in that: anonymous communication over hierarchical onion ring routing first initializes the ring, and the initialization of the ring comprises the following steps:
Step 1: encapsulation process
First, the OP node selects the first-layer route, i.e. the numbered anonymity set, encapsulates the onion packet in the order of the nodes of the anonymity set and appends a dummy packet after it; the encapsulated onion packet has the following form:
{build}, E_kpop1[(RI, k_op1, OP2), E_kpop2[(RI, k_op2, G), E_kpg(RI, t)]], dummy;
{build}: packet header, indicating ring-building information; it tells the node that a ring is to be initialized;
E_kp: public-key encryption, used to encapsulate the onion packet; node OP1 encrypts the outermost layer with its own public key E_kpop1, that layer holding the ring number RI, its own session key k_op1, the address of the next hop OP2 and the second-layer onion packet encapsulated for the second node of the anonymity set, so that when node OP2 receives the onion packet it can determine the address the next hop is sent to, and so on;
RI: ring number, formed from the anonymity set number and the ring-building time;
k_i: session key of node i with the gateway;
t: timestamp, used to check the freshness of messages;
dummy: inducing information;
Then the OP node selects the second-layer route towards the second element of the anonymity set, encapsulates the onion packet in the order of the second-layer route, and distributes the one-time session keys k_op1, k_1, k_2, ..., k_op2 of the uplink in the ring for this communication;
the distributed one-time session keys are reported to the gateway so that it knows the uplink path, and the one-time keys of the downlink are distributed by the gateway;
the packet sent from the first node of the anonymity set to the second node has the following format:
{build}, E_kp1[(RI, k_1, F_2), E_kp2[(RI, k_2, F_3), ..., E_kpop2[(RI, k_op2, G), E_kpg(RI, k_op1, k_1, k_2, ..., k_op2, t)]]], dummy
F_i: an ordinary node in the network;
the simplified form of the packet is:
{build}, E_kpop1(E_kp1(E_kp2(...(E_kpop2(E_kpg(m_1)))))), dummy, where m_1 = {RI, t, k_op1, k_1, k_2, ..., k_op2};
every OP node in the ring encapsulates an onion packet in this way, for example OP2 and the gateway G;
when the second node OP2 of the anonymity set receives the initialization information, it performs path selection and onion encapsulation in the same way as the first element, but forwards the dummy packet directly, as follows:
{build}, E_kpn(...(E_kpop3(E_kpg(m_2), E_kpg(m_1)))), E_kpop2^{-1}(...(E_kp1^{-1}(dummy))),
where m_2 = {k_op2, k_n, k_{n+1}, ..., t}, and E_kp^{-1} denotes decryption under the public-key scheme (the operation with the node's private key);
Step 2: information forwarding process
During forwarding, an ordinary node F_i in the routing ring that has no data to send only decrypts the received onion packet and dummy packet, then passes the decrypted message to the next node, as follows:
{build}, E_kp2(...(E_kpop2(E_kpg(m_1)))), E_kp1^{-1}(dummy);
Step 3: session access request process
When an ordinary node F_i wants to communicate, it replaces the layer-by-layer decrypted dummy packet with access request information, as follows:
{build}, E_kp(i+1)(E_kp(i+2)(...(E_kpg(m)))), E_kpi^{-1}(request);
Step 4: gateway processing
When the gateway receives the packet sent from node OP1 it has determined the session initiator; if the gateway agrees to the request, it determines from the ring number and the anonymity set the other half of the ring path, the downlink from the gateway to the session initiator, encapsulates an onion packet and sends it to the session initiator; this onion packet contains all session keys of the uplink from the session initiator to its nearest OP node or the gateway, so that the grant information reaches the session initiator from the gateway and communication can begin; the packet format is as follows:
{build}, E_kpm(...(E_kpop(...(E_kpg(k_i, ..., k_op, grant))))).
3, method for hierarchichal onion rings routing according to claim 2, it is characterized in that: insert request process in session, if two nodes queued session is at the same time arranged in the route ring, the solicited message of the node in back will be wiped the solicited message of previous node, previous node can only be waited for when the carrier of next ring arrives, resend request.
4, method for hierarchichal onion rings routing according to claim 1 is characterized in that: adopt layering onion ring route to carry out interannular communication and comprise that session initiator arrives the communication process of gateway and gateway to node F iCommunication process, OP node or gateway session key Onion Loaf, each foundation when encircling all will be redistributed session key, node F iArrive apart from its nearest OP node or gateway Onion Loaf with one of session key encapsulation, carry out session with it.When receiving bag apart from its nearest OP node, in like manner select second layer route to concentrate next element to communicate with anonymous, except gateway and session initiator, each node in the ring is all only transmitted the Onion Loaf after the deciphering, and session initiator is as follows to the communication process of gateway:
F i→F i+1:{RI},E k(i+1)(E k(i+2)(…(E kop(E kg(E si(data,ack)))));
F i+1→F i+2:{RI},E k(i+2)(…(E kop(E kg(E si(data,ack)))));
……:……
F OP-1→OP:{RI},E kop(E kg(E si(data,ack)))));
OP→F OP+1:{RI},E k(op+1)(E k(op+2)(…(E kg(E si(data,ack)))));
……:……
F G-1→G:{RI},E kg(E si(data,ack));
Wherein, { RI} is packet header, and its representative ring is set up, and begins to communicate E SiExpression node F iEncrypted private key, data sends the information content, ack represents the message authentication code of receiving that correctly the bag back sends, is used for proving that communicating pair received bag really;
After the gateway receives this carrier packet, it decrypts it with its own private key and the public key of node F_i, thereby determining that the packet is addressed to itself and was sent by node F_i, and computes the ack value. If the two parties' ack values differ, this proves the packet was not received correctly; otherwise, if both ack values are identical, the gateway can communicate with the session initiator. The gateway then encapsulates, according to the ring number and the anonymity set, a packet for node F_i: {RI}, E_{kg}(E_{kop1}(E_{ki}(E_{sg}(data)))). The communication process from the gateway to node F_i is as follows:
G → F_m: {RI}, E_{km}(E_{k(m+1)}(… E_{kop1}(E_{ki}(E_{sg}(data))) …));
F_m → F_{m+1}: {RI}, E_{k(m+1)}(… E_{ki}(E_{sg}(data)) …);
……
OP1 → F_1: {RI}, E_{k1}(… E_{ki}(E_{sg}(data)) …);
……
F_{i-1} → F_i: {RI}, E_{ki}(E_{sg}(data)).
5. The hierarchical onion ring routing method according to claim 4, characterized in that: when there are two session initiators in the ring, the later session initiator encrypts the dummy information that has already been encrypted by the earlier start node and carries out its session with the gateway, while the earlier session initiator can only wait for the next ring to converse. Although this causes a delay, other rings in the network are communicating at the same time.
6. The hierarchical onion ring routing method according to claim 1, characterized in that: if neither party has data to send during the communication process, the session initiator sends an onion packet with empty content to the gateway, and the gateway encapsulates an onion packet with empty content to the OP node, which ends the communication.
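The following is an added worked example, not code from the patent or its authors, of the claim-4 exchange (uplink from the initiator through the ring to the gateway with the ack check, then the downlink reply back to F_i) together with the claim-6 empty-content termination. It uses only the Python standard library: each onion layer E_k(·) is a toy encrypt-then-MAC construction built from an HMAC-SHA256 keystream and tag (an assumption for illustration, not a real AEAD), the ring and all session keys are constructed in place, and the innermost public-key layers E_si / E_sg of the claims are modelled by a single end-to-end key k_end shared by initiator and gateway (a substitution, since the stdlib has no public-key primitives). Names such as `uplink_send`, `gateway_receive`, `session_round` are this example's own.

```python
"""Hierarchical onion ring round trip (claims 4 and 6), toy stdlib model."""
import hashlib
import hmac
import secrets

HEADER = b"RI"      # the {RI} "ring is established" packet header of claim 4
TAG_LEN = 32        # HMAC-SHA256 tag length, also used for the ack


# ---- toy layer cipher: HMAC-SHA256 keystream + encrypt-then-MAC tag ----------
# Assumption: illustrative only; a real deployment would use a proper AEAD.
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def wrap(key: bytes, plaintext: bytes) -> bytes:
    """E_k(.) for one onion layer.  Layout: nonce(16) | tag(32) | ciphertext."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + hmac.new(key, nonce + ct, hashlib.sha256).digest() + ct


def unwrap(key: bytes, blob: bytes) -> bytes:
    """Peel one layer; ValueError if the layer was not produced under `key`."""
    nonce, tag, ct = blob[:16], blob[16:16 + TAG_LEN], blob[16 + TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("onion layer failed authentication")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


# ---- onion construction and hop-by-hop relaying ------------------------------
def build_onion(hop_keys, innermost):
    """Wrap for hops in forwarding order: the first hop's layer ends up outermost."""
    blob = innermost
    for k in reversed(hop_keys):
        blob = wrap(k, blob)
    return HEADER + blob


def relay(hop_keys, packet):
    """Each hop peels exactly one layer and forwards the rest (claim 4); a hop
    only ever sees the next hop's ciphertext.  Returns what the last hop holds."""
    if not packet.startswith(HEADER):
        raise ValueError("missing {RI} header: ring not established")
    blob = packet[len(HEADER):]
    for k in hop_keys:
        blob = unwrap(k, blob)
    return blob


# ---- claim 4 uplink: F_i -> ... -> OP -> ... -> G carrying (data, ack) -------
def uplink_send(k_end, uplink_keys, data):
    ack = hmac.new(k_end, data, hashlib.sha256).digest()      # message authentication code
    return build_onion(uplink_keys, wrap(k_end, ack + data))  # stands in for E_si(data, ack)


def gateway_receive(k_end, uplink_keys, packet):
    body = unwrap(k_end, relay(uplink_keys, packet))           # peel E_kg, then E_si
    ack, data = body[:TAG_LEN], body[TAG_LEN:]
    if not hmac.compare_digest(ack, hmac.new(k_end, data, hashlib.sha256).digest()):
        raise ValueError("ack mismatch: packet was not received correctly")
    return data


# ---- claim 4 downlink / claim 6 termination: G -> ... -> OP1 -> ... -> F_i ---
def downlink_send(k_end, downlink_keys, data, op_index):
    """Empty data (claim 6): the gateway answers with an empty onion addressed
    only as far as the OP node and the session ends; otherwise the full path."""
    path = downlink_keys[: op_index + 1] if not data else downlink_keys
    return build_onion(path, wrap(k_end, data)), len(path)     # inner ~ E_sg(data)


def initiator_receive(k_end, downlink_keys, packet):
    return unwrap(k_end, relay(downlink_keys, packet))


def session_round(data):
    """One ring round on a constructed ring; returns what each end observed."""
    # Constructed hops: uplink F_{i+1} -> OP -> F_{op+1} -> G,
    # downlink F_m -> OP1 -> F_1 -> F_i (F_i peels its own layer last).
    up = [secrets.token_bytes(32) for _ in ("F_i+1", "OP", "F_op+1", "G")]
    down = [secrets.token_bytes(32) for _ in ("F_m", "OP1", "F_1", "F_i")]
    k_end = secrets.token_bytes(32)
    at_gateway = gateway_receive(k_end, up, uplink_send(k_end, up, data))
    reply_data = b"reply:" + at_gateway if at_gateway else b""
    reply, hops = downlink_send(k_end, down, reply_data, op_index=1)
    if hops < len(down):                                       # claim 6: stopped at OP1
        return {"gateway_got": at_gateway, "terminated": True, "hops": hops}
    return {"gateway_got": at_gateway, "terminated": False,
            "initiator_got": initiator_receive(k_end, down, reply)}


def rejects_tampering():
    """Flip one ciphertext byte on the wire: the very next hop's peel fails."""
    up = [secrets.token_bytes(32) for _ in range(4)]
    k_end = secrets.token_bytes(32)
    pkt = bytearray(uplink_send(k_end, up, b"hello"))
    pkt[-1] ^= 0x01
    try:
        gateway_receive(k_end, up, bytes(pkt))
    except ValueError:
        return True
    return False
```

Because every layer is independently authenticated, a corrupted packet is dropped by the first hop that cannot verify its own layer rather than travelling the whole ring; the gateway's ack comparison then only has to cover the end-to-end relation between initiator and gateway, which is the check claim 4 describes.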
CN2009100236403A 2009-08-19 2009-08-19 Method for hierarchichal onion rings routing Expired - Fee Related CN101635918B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2009100236403A CN101635918B (en) 2009-08-19 2009-08-19 Method for hierarchichal onion rings routing

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2009100236403A CN101635918B (en) 2009-08-19 2009-08-19 Method for hierarchichal onion rings routing

Publications (2)

Publication Number Publication Date
CN101635918A true CN101635918A (en) 2010-01-27
CN101635918B CN101635918B (en) 2012-01-04

Family

ID=41594933

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2009100236403A Expired - Fee Related CN101635918B (en) 2009-08-19 2009-08-19 Method for hierarchichal onion rings routing

Country Status (1)

Country Link
CN (1) CN101635918B (en)

Cited By (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102238090A (en) * 2011-07-08 2011-11-09 清华大学 Grouping rerouting method for anonymous communication system
CN104486810A (en) * 2015-01-06 2015-04-01 无锡儒安科技有限公司 Wireless sensor network routing loop prediction method based on multi-dimensional states
CN105553827A (en) * 2015-12-10 2016-05-04 北京理工大学 Message forwarding method for giving consideration to both anonymity and communication delay in anonymous network
CN106416184A (en) * 2014-05-16 2017-02-15 高通股份有限公司 Build reliable routes without costly grid peering
CN109413089A (en) * 2018-11-20 2019-03-01 中国电子科技集团公司电子科学研究院 Distributed network anonymous communication method, device and storage medium
CN109471834A (en) * 2018-11-15 2019-03-15 上海联影医疗科技有限公司 Synchronous ring structure, synchronous method, medical image system, equipment and storage medium
CN109787896A (en) * 2018-12-05 2019-05-21 北京邮电大学 A kind of node selecting method and equipment for communication link building
CN111314336A (en) * 2020-02-11 2020-06-19 中国科学院信息工程研究所 Dynamic transmission path construction method and system for anti-tracking network
CN111970243A (en) * 2020-07-20 2020-11-20 北京邮电大学 Message forwarding method of multistage routing in anonymous communication network
CN111970245A (en) * 2020-07-20 2020-11-20 北京邮电大学 Heterogeneous layered anonymous communication network construction method and device
CN111970247A (en) * 2020-07-20 2020-11-20 北京邮电大学 Method for sending confusion messages of peer-to-peer ring in anonymous communication network
CN112019502A (en) * 2020-07-20 2020-12-01 北京邮电大学 Anonymous protection method for user nodes of ring guard network and electronic equipment
CN112019501A (en) * 2020-07-20 2020-12-01 北京邮电大学 A kind of user node anonymous communication method and device
CN113572727A (en) * 2021-06-08 2021-10-29 深圳市国电科技通信有限公司 Data security concealed transmission method and system based on P2P network routing node
CN117811834A (en) * 2024-02-27 2024-04-02 苏州大学 Obfs4 confusion flow detection method, system, equipment and medium

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105357113B (en) * 2015-10-26 2018-08-21 南京邮电大学 A kind of construction method based on heavy-route anonymous communication path

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FI108832B (en) * 1999-03-09 2002-03-28 Nokia Corp IP routing optimization in an access network
CN101132351A (en) * 2006-08-21 2008-02-27 北京邮电大学 Wireless sensor network routing establishment method and device

Cited By (23)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102238090A (en) * 2011-07-08 2011-11-09 清华大学 Grouping rerouting method for anonymous communication system
CN102238090B (en) * 2011-07-08 2014-02-19 清华大学 Packet Rerouting Method for Anonymous Communication System
CN106416184A (en) * 2014-05-16 2017-02-15 高通股份有限公司 Build reliable routes without costly grid peering
CN104486810A (en) * 2015-01-06 2015-04-01 无锡儒安科技有限公司 Wireless sensor network routing loop prediction method based on multi-dimensional states
CN105553827A (en) * 2015-12-10 2016-05-04 北京理工大学 Message forwarding method for giving consideration to both anonymity and communication delay in anonymous network
CN105553827B (en) * 2015-12-10 2019-02-22 北京理工大学 A message forwarding method considering both anonymity and communication delay in anonymous network
CN109471834A (en) * 2018-11-15 2019-03-15 上海联影医疗科技有限公司 Synchronous ring structure, synchronous method, medical image system, equipment and storage medium
CN109471834B (en) * 2018-11-15 2022-04-15 上海联影医疗科技股份有限公司 Synchronization ring structure, synchronization method, medical imaging system, device and storage medium
CN109413089A (en) * 2018-11-20 2019-03-01 中国电子科技集团公司电子科学研究院 Distributed network anonymous communication method, device and storage medium
CN109787896B (en) * 2018-12-05 2020-08-14 北京邮电大学 A node selection method and device for communication link construction
CN109787896A (en) * 2018-12-05 2019-05-21 北京邮电大学 A kind of node selecting method and equipment for communication link building
CN111314336A (en) * 2020-02-11 2020-06-19 中国科学院信息工程研究所 Dynamic transmission path construction method and system for anti-tracking network
CN112019502B (en) * 2020-07-20 2021-06-29 北京邮电大学 A kind of ring guard network user node anonymous protection method and electronic device
CN111970247A (en) * 2020-07-20 2020-11-20 北京邮电大学 Method for sending confusion messages of peer-to-peer ring in anonymous communication network
CN112019502A (en) * 2020-07-20 2020-12-01 北京邮电大学 Anonymous protection method for user nodes of ring guard network and electronic equipment
CN112019501A (en) * 2020-07-20 2020-12-01 北京邮电大学 A kind of user node anonymous communication method and device
CN111970245A (en) * 2020-07-20 2020-11-20 北京邮电大学 Heterogeneous layered anonymous communication network construction method and device
CN112019501B (en) * 2020-07-20 2021-06-29 北京邮电大学 A kind of user node anonymous communication method and device
CN111970245B (en) * 2020-07-20 2021-07-20 北京邮电大学 A heterogeneous layered anonymous communication network construction method and device
CN111970243A (en) * 2020-07-20 2020-11-20 北京邮电大学 Message forwarding method of multistage routing in anonymous communication network
CN111970247B (en) * 2020-07-20 2022-06-03 北京邮电大学 Method for sending confusion messages of peer-to-peer ring in anonymous communication network
CN113572727A (en) * 2021-06-08 2021-10-29 深圳市国电科技通信有限公司 Data security concealed transmission method and system based on P2P network routing node
CN117811834A (en) * 2024-02-27 2024-04-02 苏州大学 Obfs4 confusion flow detection method, system, equipment and medium

Also Published As

Publication number Publication date
CN101635918B (en) 2012-01-04

Similar Documents

Publication Publication Date Title
CN101635918A (en) Method for hierarchichal onion rings routing
CN107071774B (en) A kind of VANET access authentication methods of the short group ranking of identity-based
Lazar et al. Yodel: strong metadata security for voice calls
JP3890398B2 (en) Verification and construction of highly secure anonymous communication path in peer-to-peer anonymous proxy
Saha et al. Consortium blockchain‐enabled access control mechanism in edge computing based generic Internet of Things environment
US8954727B2 (en) Security control in a communication system
Tahir et al. Lightweight and secure multi-factor authentication scheme in VANETs
CN112468490B (en) Authentication method for access of power grid terminal layer equipment
CN102594569B (en) Certificateless key agreement method adopted during Tor anonymous channel building
CN101610510A (en) Multi-Authentication Method of Node Legitimacy in Layer-Cluster Wireless Ad Hoc Networks
CN111970699B (en) Terminal WIFI login authentication method and system based on IPK
CN102075931A (en) Information theoretical security-based key agreement method in satellite network
Mäurer et al. Advancing the Security of LDACS
CN117641354A (en) Railway vehicle-air-ground authentication method based on unmanned aerial vehicle layered chain network
CN101715187B (en) Safety communication method based on dynamic gateway
Mäurer et al. PMAKE: Physical unclonable function-based mutual authentication key exchange scheme for digital aeronautical communications
CN109714362A (en) A kind of industry wireless network secure data fusion method of lightweight
Barriga et al. Securing end-node to gateway communication in lorawan with a lightweight security protocol
Tata et al. Secure multipath routing algorithm for device-to-device communications for public safety over LTE heterogeneous networks
Chakrabarty et al. Black routing and node obscuring in IoT
CN114980037B (en) Group communication method and system based on hierarchical asymmetric key pool
Hei et al. Railway key exchange scheme for improving communication efficiency of RSSP-II protocol
Raheem et al. A secure authentication protocol for IP-based wireless sensor communications using the Location/ID Split Protocol (LISP)
Zubair et al. Design, implement, and evaluate the performance of an IPsec inspired security framework for HIP-VPLS environments
CN114244499A (en) Group communication method and system based on tree structure symmetric key pool

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20120104

Termination date: 20150819

EXPY Termination of patent right or utility model