KR101994146B1 - Key Management Method for IoT Data Security in Cloud Computing - Google Patents

Abstract

The present invention relates to a key management method for securely processing rapidly-growing object Internet data in a cloud computing, and a method for managing object Internet services using the same. More particularly, the present invention relates to a key management method using a proxy key based on a proxy key server The key management method for security of object Internet data in cloud computing and the object Internet service using the method are disclosed.

Description

{Key Management Method for IoT Data Security in Cloud Computing}

The present invention relates to a key management method for securely processing a rapidly growing object internet data in a cloud computing and a web service using the same.

Internet of Things (IoT) is an intelligent technology and service that connects all objects by attaching sensors to objects and sending and receiving data to the Internet in real time to communicate information between people, things, objects and things . IoT is more advanced than Internet or mobile Internet based on existing wired communication, and devices connected to the Internet communicate with each other without any human intervention. The concept of M2M (Machine to Machine) is similar to the conventional ubiquitous and M2M (Machine to Machine) in that things do not depend on humans. And it evolved into a concept that interacts with all information of reality and virtual world as well as objects. According to IoT technology, hyper-connected societies are built by interconnecting objects in various physical spaces and process and data contents in virtual space through the Internet.

The increase in the number of devices connected to the Internet requires IoT security technology due to the increased number of attackable targets and the expansion of threats. The nature of IoT technology increases the range of concerns about personal information leakage and privacy violation because everyday objects are connected, and the degree of infringement will be amplified to an extent not comparable to the present. Therefore, much attention has been focused on authentication, confidentiality and data integrity of IoT. In addition, IoT service is aimed at integration of people, objects, and services based on sensing information and data sharing, so privacy invasion is inevitable. If this privacy intrusion problem can not be solved, activation of IoT services such as electronic resident ID card and embedded radio frequency identification (RFID) is impossible. Therefore, it is no exaggeration to say that the extension of IoT service is determined by security.

The structure of IoT can be divided into recognition, network, and application. The recognition step is to acquire information from objects and environment by RFID, sensor, and two-dimensional code. The main functions include chip development, communication protocol research, smart node energy supply and segment by RFID technology, sensing and control technology. The main function of the network phase is to support objects to be connected to the Internet, and to transmit real-time information in both directions between data recognition and information control through network integration. After the sensor detects the information, it moves the background through the network to be used. The application stage is to process and process information suitable for various service fields and forms, or to converge various technologies. The application stage is to develop objects and software, and provides various applications of IoT to users with cloud computing technology.

Cloud computing can store all the information of users on a server on the Internet and can use this information anytime and anywhere through various information technology (IT) devices. It can be said that it is an on-demand outsourcing service of IT resources using the Internet. However, this is a disadvantage in that personal information can be leaked if the server is hacked, and data can not be used if a server failure occurs. Because of this security issue, cloud computing is not yet active.

Generally, when you know the location of the data, you encrypt it to protect your data. Encryption in the cloud environment does not know where the user wants the data, so it is difficult to manage the key to encrypt.

A traditional, centralized way to protect data with cryptographic techniques is to create a group key and then distribute it to each group member. These group keys are affected by the entire group if there is a problem with the key server, which is a centralized controller, and requires the operation of costly public keys. Kim, et al. Proposed a tree-based group Diffie-Hellman, which is the most efficient group key using tree-based group Diffie-Hellman (Proceedings of the 7th ACM Conference on Communications and Security (CCS'00), pp. 235-24, However, it is difficult to apply it to the cloud environment. Arijit Ukil et al. (IEEE International Conference on Emerging Trends and Applications in Computer Science (NCETACS), pp 1-6, Apr. 2011) presented a tool using traditional methods to solve low security service problems and threats of IoT devices , It is not suitable for the characteristics of IoT because it is a device used for monitoring such as a camera.

IoT requires application capabilities that require access to sensitive data anywhere in the cloud computing environment. To this end, there is a continuing need for an encryption key for securely maintaining and maintaining data in a cloud environment and an application method for obtaining a decryption key for obtaining usable data.

10-1701052 [0011]

7th ACM Conference on Computer and Communications Security (CCS'00), pp. 235-24, Nov. 2004. IEEE International Conference on Emerging Trends and Applications in Computer Science (NCETACS), pp 1-6, Apr. 2011.

An object of the present invention is to provide a key management method for security of object Internet data in cloud computing.

It is another object of the present invention to provide a method for providing object Internet services using the key management method.

According to an aspect of the present invention, there is provided a key management method for security of object Internet data in cloud computing, wherein key information is shared using a proxy key based on a proxy key server set for each cloud.

The present invention relates to a cloud IoT service method using the key management method, and more particularly, to a cloud IoT service method using a key management method based on a proxy key server based on a proxy key server configured for each cloud in a clouding computer environment, An authentication step of performing party authentication of data; (B) when the authentication is completed, the cloud proxy key server transmits the authenticated sensor data between the object devices by sharing the associated key information with another proxy key server; And (C) conducting the core service using the authenticated sensor data.

As described above, the key management method of the present invention is based on a proxy key server that not only facilitates addition and removal of a large amount of sensor data, but also reduces key generation and reduces communication overhead, You can reduce the server and management required for monitoring. In addition, the recovery and integration of the most recent key for security can be updated without any additional key-related information.

Therefore, the key management method of the present invention can securely process the rapidly growing IoT data in the cloud computing in the future, and can be efficiently used for security of the object Internet data in the cloud computing.

1 is a conceptual diagram illustrating a point-to-point method and a many-to-many method, which is a data communication method.
2 is a schematic diagram of a key association according to the present invention in the cloud;
3 is a conceptual diagram showing movement of sensor data from a device to a device by a web service;

BRIEF DESCRIPTION OF THE DRAWINGS FIG. It should be understood, however, that the description is intended to be illustrative of the spirit and scope of the present invention, and the technical scope of the present invention is not limited thereto. It will be apparent to those skilled in the art that various changes and modifications can be made within the scope of the technical idea of the present invention based on these examples.

As described above, the present invention relates to a key management method for security of object Internet data in cloud computing, in which key information is shared using a proxy key based on a proxy key server set for each cloud.

Cloud IoT Key Management

Federated key management is mentioned when other computer systems work together, including how other applications can obtain keys from the same key server. This is an important aspect of key management that needs to be secured before it can be encrypted to protect sensitive data in the cloud, and lack of key federation limits the usefulness of many passwords and key management.

The encryption key always has additional information associated with the key for unique identification. For example, when a tape drive obtains a key for encrypting stored data, it obtains a unique key identifier that is stored with the encrypted data. To decrypt the encrypted data, the tape drive requires a key that matches the key identifier found with the encrypted data. However, encryption in a cloud environment does not know where the desired data is located, so it is difficult to manage the key to be encrypted, and therefore, the current system can not execute the federated key management. The present invention uses a proxy key based on a proxy key server in cloud computing instead of a key identifier including information on a key server from which an accurate key can be obtained.

1 is a conceptual diagram illustrating a point-to-point method and a multipoint method, which are data communication methods. In the cloud environment, the point-to-point method is complex in that authentication procedures are required to secure who transmits what data is desired in various places and securely transmit desired data to a desired location, and key management is inefficient because of the many keys used. The many-to-many scheme is a grid of virtual supercomputers that combines the existing Internet and the next-generation Internet into a single network, It is a model. The present invention relates to key design for secure sensor data support of cloud computing for service activation of IoT application level based on many-to-many method. Many-to-many method for sensor data party authentication introduces a Proxy Key Server (PKS) in the cloud environment and starts the process of authenticating the sensor data per party as a key of these servers.

In the present invention, the federated key considering the IoT characteristic is processed in a proxy key server which not only facilitates key addition and removal of sensor data, but also reduces key generation and reduces communication overhead. A proxy key server that can adapt in a cloud computing environment shares a key information as a federated key by placing one server in each cloud. The federated key shares the secret key s in the following process.

(1) The trusted intermediary selects any of the following polynomial a (X).

a (X) ∈ Fq [X], order t = a (0) = s

(2) The secret key s is shared between the parties p ₁ , ..., p _n .

At this time, the party with t <n / 2 has no information about s, and the group of t + 1 party can recover the secret key s.

(3) We share s _i = a (i) for pi.

(4) t + 1 of a given set U shares and restores the secret key s = a (0) = Σj ∈ Uλjaj.

Here,? I is the Lagrangian coefficient for U.

2 is a schematic diagram of a key association according to the present invention in the cloud. As shown in FIG. 2, when a cloud service provider (CSP) of the cloud A requests the proxy key server A for the sensor data party authentication, the proxy key server A communicates with the proxy key server B of the cloud B, As a result, the sensor data party is authenticated.

When the authentication process is completed, the web service starts moving the sensor data from the device to the device as shown in FIG. Since sensor nodes are randomly placed, it is difficult to acquire network topology information in advance. Therefore, the service broker collects sensor data of necessary services and requests the proxy key generation from the proxy key server. The proxy key server A receiving the request for generating the combined key generates the associated key and then shares the associated key information with the other cloud proxy key server B. According to the sensor data request of the cloud service provider, the proxy key result is transmitted to the cloud service provider through the service interface through the mutual communication between the proxy key server A and the proxy key server B. The cloud service provider checks the authenticated sensor data and then proceeds with the core service.

Federated key management in cloud computing

The proxy key server performs two important key distributions for secure data communication between two entities (object devices) A and B. One is the variance of the new key to be used by entity A and entity A only known to the proxy key server. And the other is the variance of the session key that the proxy key server will use by entities A and B. This key distribution is based on the use of exclusive ORs and hash functions. The distribution of the new key to entity A is based on the master key used for this purpose only. Hereinafter, the key distribution for the object device and the distribution of the session key will be described in detail. Table 1 below shows the abbreviations used for key distribution.

1) Key distribution for object devices

The following is a new key distribution process for application services to entity A.

1. O _A → PKS: _{A n}

H(MK, A_n, K_t), H(A_k, K_t), K_{n 2. PKS → O A: K t} , A k

_{H (MK, A n, K} t), H (A k, K t), K n

_{3. O A → PKS: H (} A k, K n)

_{4. PKS → O A: H (} A k, A n)

(A_k

H(MK, A_n, K_t))로부터 A_k를 복구하기 위해 이를 사용한다. 개체 A는 A_k

H(MK, A_n, K_t)를 위해 대체된 무효한 영역이 메시지가 가로채지 않았는지 체크하기 위해 H(A_k, K_t)를 사용한다. 즉 A_k가 프락시 키 서버가 보내려는 키인지를 체크하기 위해서이다. 두 개 장치의 응용 서비스를 위한 메시지 암호화에 필요한 새로운 키 K_t는 두 가지 목적을 제공한다. 첫째는 응용 서비스를 위한 개체 A의 메시지는 K_t없이 A_k

H(MK)를 읽을 수 있고, H(MK)은 나중에 키들을 복구하기 위해 사용되므로 H(MK)을 발견하는 것은 마스터 키를 발견하는 만큼 유용하다. 서로 다른 K_t는 H(MK, K_t)를 생성할 때마다 하나의 값을 가지기 때문에 그가 H(MK, K_t)를 발견하는 것은 유용하지 않다. 둘째, K_t는 데이터 전송 동안 데이터가 분리되거나 다른 데이터로 대체되지 않게 보호하기 위한 메시지 요소들을 결합하는데 그 목표가 있다. First, if object A passes a temporary value A _n , The proxy key server generates new keys A _k and K _t necessary for message encryption for the application services of the two devices with the master key MK for delivery to entity A, K _n . Entity A can generate x = H (MK, A _n , K _t ) because it knows the master key and the temporary value A _n and is given a new key K _t ,

(A _k

From _{H (MK, A n, K} t)) and use it to recover from A _k. Object A is A _k

H (A _k , K _t ) is used to check whether the invalid field replaced for H (MK, A _n , K _t ) is not intercepted by the message. That is, A _k is to check if the proxy key server is the key to send. The new key K _t required for message encryption for the application services of two devices provides two purposes. First, the object A message for application service without K _t A _k

Since H (MK) can be read and H (MK) is used later to recover the keys, finding H (MK) is as useful as discovering the master key. Different K _t is not useful to he discovered H (MK, K _t) because it has the value of one each time to generate H (MK, K _t). Second, K _t has its goal to combine message elements to protect data from being separated or replaced by other data during data transmission.

2) Distribution of session key

Object A and the proxy key server require a message response for the application service before using the new key, and H (A _k , K _t ) may be excluded. The acknowledgment function for A _k may be implicit in the next message for the application service.

IoT authentication verifies how the proxy key server distributes the session key used for communication between two entities. To provide confidentiality between two entities of IoT, the proxy key server generates a temporary value and a session key for each entity, and proceeds as follows.

_{1. O A → O B: A} , H (A k, B), A n

_{2. O B → PKS: A,} B, H (B k, A, K, H (A k, B), A n), A n, B n

SK, H(B_k, A, B_n, SK), H(A_k, B, K)

SK, H(A_k, B, A_n, SK) 3. PKS → O _B : H (B _k , A, B _n )

SK, H ( _Bk , A, _Bn , SK), H ( _Ak , B, K)

SK, H (A _k , B, A _n , SK)

SK, H(A_k, B, A_n, SK)4. O _B → O _A : H (A _k , B, A _n )

SK, H (A _k , B, A _n , SK)

For data confidentiality between the two devices, the key sequence proceeds from entity A to entity B, from entity B to the proxy key server. The proxy key server must send the session key SK to entities A and B, and new keys A _k and B _k for the application service are generated from the proxy key server. Entities A and B can encode H (A _k , B, A _n ) and H (B _k , A, B _n ) to find the session key. H (A _k , B, A _n , SK) and H (B _k , A, B _n , SK) can be verified by objects A and B to verify that the message is unobstructed, have. By this process, entities A and B can recover the same session key and thus have a general session key.

analysis

The possibility of the role of the key of the cloud proxy key server is analyzed as shown in Table 2. Table 2 shows the results of this study (example) and J. Park (The Journal of the Korean Institute of Communications and Information Sciences) at the cloud foundry [https://www.cloudfoundry.org/future-network-security-cloud-foundry/] , 38 (9), pp. 707-714, Sept. 2013; Comparative Example 1) and R. Hummen et al. (WISEC'13 Sixth ACM Conference on Security and Privacy in Wireless and Mobile Networks, pp. 37-42, Apr. 2013; Comparative Example 2) in terms of space complexity, scalability of key management, scheduling, key revocation resistance, and network security.

In the spatial complexity, r is the number of neighboring sensor nodes, and t is the time required to perform the requested sensor node revocation. In Comparative Example 1, symmetric key authentication and session key agreement agreement systems are required for mutual authentication between Internet devices. O (r ² × t ² ) is proportional to the number of sensor nodes and the time required to retract the sensor node, and Comparative Example 2 requires the authentication of the gateway for authentication, the session recovery, and the handshake delegation. ). It can be seen that the embodiment has low spatial complexity as O (r) due to the key of the cloud proxy key server.

The scheduling according to the present invention using the proxy key server was superior to the comparative examples 1 and 2 in the cloud environment. In Comparative Example 1, since the authenticated device needs to perform a session key line calculation in order to improve the performance, the key management scalability is low. In Comparative Example 2, the pre-authentication at the gateway and the session key While the management scalability is low, the embodiment has high key management scalability due to the combined key management of the cloud computing proxy key server.

In the case of the key withdrawal resistance, the embodiment is highly resistant to the key management of the autonomous proxy key server. In Comparative Example 1, since the new random number is generated and used for authentication each time authentication is attempted, the resistance is low. Shake delegation allows you to authenticate with fewer resources, but there is a burden on session recovery.

In the network security, it is assumed that Comparative Example 1 provides mutual authentication and session key agreement between devices, but it is required that the participating devices of the authentication securely share the secret key. Comparative Example 2 requires pre-authentication at the gateway for authentication, session However, the stability of handshake delegation is insufficient. However, the embodiment is secured by the active key recovery and update of the proxy key server in the network connection of the cloud computing.

The present invention also relates to a cloud IoT service method using the above-described key management method, and more particularly, to a cloud IoT service method in which (A) object devices included in an object internet environment use a proxy key based on a proxy key server set for each cloud in a cloud computing environment An authentication step of performing a party authentication of sensor data; (B) when the authentication is completed, the cloud proxy key server transmits the authenticated sensor data between the object devices by sharing the associated key information with another proxy key server; And (C) proceeding with the core service using the authenticated sensor data.

Claims (6)

A key management method for security of object Internet data in cloud computing, characterized in that key information is shared using a proxy key base based on a proxy key server set for each cloud,
Wherein the combined key comprises a new key between the object device and the proxy key server and a session key to be used for communication between the object devices,
A new key distribution process between the object device and the proxy key server for the application service to the object device A,
_{1. O A → PKS: A n} ;
_{2. PKS → O A: K t} , A k

H (MK, A _n , K _t ), H (A _k , K _t ), K _n ;
_{3. O A → PKS: H (} A k, K n);
_{4. PKS → O A: H (} A k, A n)
And shows the relationship between the In this case, O _A is things device A, PKS is the proxy key server, A _n is a temporary value for the object device A, K _t is a new key for the proxy key server, A _k is a new key of the object device A , MK is a key method for managing the security of the master key, K _n data from the Internet of things cloud computing, characterized in that the temporary key value for the proxy server.
The method according to claim 1,
The co-
(1) The trusted intermediary selects an arbitrary polynomial a (X) as follows,
a (X) ∈ Fq [X], order t = a (0) = s
(2) sharing the secret key s between the parties p ₁ , ..., p _n .
At this time, the party with t <n / 2 has no information about s, and the group of t + 1 party can recover the secret key s.
(3) We share s _i = a (i) for pi.
(4) t + 1 of a given set U shares and restores the secret key s = a (0) = Σj ∈ Uλjaj, where λi is the secret key s shared by the process of Lagrangian coefficients on U A key management method for securing Internet data of objects in cloud computing.
delete delete 3. The method according to claim 1 or 2,
The session key to be used for communication between the object apparatuses A and B,
_{1. O A → O B: A} , H (A k, B), A n
_{2. O B → PKS: A,} B, H (B k, A, K, H (A k, B), A n), A n, B n
3. PKS → O _B : H (B _k , A, B _n )

SK, H ( _Bk , A, _Bn , SK), H ( _Ak , B, K)

SK, H (A _k , B, A _n , SK)
4. O _B → O _A : H (A _k , B, A _n )

SK, H (A _k , B, A _n , SK)
A is dispersed by a process, where, O _A and O _B, respectively Objects devices A and B, A _k and B _k is the new key, A and B are each object unit message of A and B of the respective object the device A and B, A _n and B _n are temporary values for object devices A and B, PKS is a proxy key server, K is a message of a proxy key server, and SK is a session key. In the cloud computing, Key management method.
A cloud IoT service method using the key management method of claim 1,
(A) an authentication step in which object devices included in an object Internet environment perform a party authentication of sensor data using a proxy key based on a proxy key server set for each cloud in a cloud computing computer environment;
(B) when the authentication is completed, the cloud proxy key server transmits the authenticated sensor data between the object devices by sharing the associated key information with another proxy key server; And
(C) advancing a core service using authenticated sensor data;
The method comprising the steps of:

Images