Abstract
In view of the characteristics of multi-domain optical networks under a hierarchical PCE architecture and their key management requirements, a novel key management scheme based on key hypergraphs and identity-based cryptography (KMS-KI for short) is proposed. Unlike the classic decentralized key management schemes based on logical key trees, the scheme first models the key relationships of the multi-domain optical network as a two-layer key hypergraph, with points as vertices and hyperedges describing the key relationships at each level, so that the key hierarchy of the network is better reflected in the key hypergraph model. It then uses a hierarchical identity-based cryptosystem together with an improved private key generation strategy to generate and dynamically manage the master keys, public/private key pairs, session keys, layer group keys and inter-domain keys, which largely resolves the secure protection of private keys and the single point of failure of the private key generation center. At the same time, by incorporating the idea of member characteristic values, when a group member joins or leaves, the remaining group members compute and update the group key themselves from the key characteristic value delivered by the pPCE or cPCE, greatly reducing the risk that the new group key is captured by an adversary. Analysis shows that KMS-KI provides forward security, backward security, private key confidentiality and resistance to collusion attacks; compared with typical decentralized schemes based on logical key trees, it not only supports a hierarchical identity-based cryptosystem but also achieves better overall performance in key storage, cPCE communication volume and the number of encryption and decryption operations.
In view of the characteristics of multi-domain optical networks under a hierarchical PCE architecture, a novel key management scheme (referred to as KMS-KI) based on key hypergraphs and identity-based cryptography was proposed in this paper. Differing from the classic decentralized key management schemes based on logical key trees, the key relationships of multi-domain optical networks were first modeled as a two-layer key hypergraph, with the vertices represented by points and the key relations at all levels described by hyperedges. In this way, the layered key relations of the network can be better reflected in the key hypergraph model. Then the master keys, the public and private keys, the session keys, the layer group keys and the inter-domain keys were generated and dynamically managed using hierarchical identity-based cryptography and improved private key generation strategies. In this way, the security protection of private keys and the single point of failure of the private key generation center were better addressed. Meanwhile, by fusing the idea of member characteristic values, when members join or leave the group, the remaining group members use the key characteristic value delivered by the pPCE or cPCE to calculate and update the group key themselves, so the risk that the new group key is uncovered by an adversary is greatly reduced. The analytical results showed that the KMS-KI scheme has forward and backward security, confidentiality of private keys and the ability to resist collusion attacks. Moreover, it not only supports hierarchical identity-based cryptography, but also achieves better overall performance than typical decentralized schemes in terms of key storage, the number of cPCE communications, and the number of encryption and decryption operations.
Source
Advanced Engineering Sciences (工程科学与技术), 2017, Issue 5, pp. 85-92 (8 pages)
Indexed in: EI, CAS, CSCD, Peking University Core Journals
Funding
National Natural Science Foundation of China (61402529, 61402147, 61402531)
Natural Science Foundation Research Program of Shaanxi Province (2015JQ6266)
Keywords
multi-domain optical networks
key management
key hypergraph
identity-based cryptography