A Certificate-Less Distributed Key Management Scheme for Space Networks

Abstract

The specificity and complexity of space networks render the traditional key management mechanism no longer applicable. The certificate-less-based distributed spatial network key management scheme proposed in this paper combines the characteristics of space networks, solving the problems regarding the difficulty of implementing centralized key management in space networks and the excessive overhead required for maintaining public key certificates by constructing a distributed key generation center and establishing strategies such as private key updates, master key component updates, and session key negotiation. This method also avoids the key escrow problem inherent in existing identity-based key management schemes. This scheme provides the DPKG construction method for space networks; designs the update strategy for the DPKG node’s master key sharing, providing a specific update algorithm; introduces the batch private key update mechanism; and uses the mapping function to evenly distribute the node’s update requests throughout the update time period, avoiding the problem of overly concentrated update requests. After analysis and simulation verification, it was proven that the scheme can meet the necessary security requirements, offering good stability and scalability.

1. Introduction

In the context of the global commercialization of 5G [1], traditional ground networks are facing exponential growth in terms of throughput, user access, and high-speed information transmission. However, due to their limited coverage and network capacity, an increasing number of communication tasks and sharp resource conflicts have made it more difficult to arrange tasks properly, which has led researchers to pay extensive attention to space information networks [2,3,4]. The connotation of space information networks changes with the development of space communication technology, and these networks have now evolved into integrated comprehensive information networks consisting of satellite networks, adjacent space networks, and related ground facilities [5]. In terms of functionality, the structure of space information networks mainly includes space-based information acquisition systems, space information links, and ground support and control systems, as shown in Figure 1. Among these, the space-based information acquisition system mainly consists of communication satellites, reconnaissance satellites, navigation satellites, near-space spacecraft, and some high-altitude reconnaissance aircraft and early warning aircraft, which form the dynamic node set of the space information network. The various information nodes are connected by relay systems and network devices to form space information links, connecting different levels of aircraft and ground systems in the space information network that perform different tasks. The ground support and control system consist of ground measurement and control systems, information processing systems, command and control systems, and other ground facilities. The ground control center is the only static node in the space information network, and it plays an important role in maintaining the normal operation of the network [6]. Space information networks are based on traditional ground networks, supplemented by air-based networks and space-based networks, and they provide information security infrastructure for various applications in wide-area space [7]. By integrating various resources, they promote the rapid development of applications such as the Internet of things and the Internet of vehicles. Space information networks are also seen as the most promising development direction for future 6G networks [8].

The high openness of space networks and the dynamic nature of network topology mean that the security concerns are extremely critical [9,10,11]. To build a secure space information network environment, it is necessary to provide security services such as confidentiality, authentication, availability, integrity, and non-repudiation, and providing nearly all of these security services requires a sound key management strategy. Therefore, conducting research on space information network key management and designing key management schemes suitable for the characteristics of space information networks is of vital importance, providing significance for the secure application of space information networks [12,13,14].

The PKI/CA-based key management model used in traditional networks is no longer applicable to space networks, as mainly manifested in the dynamic nature of network topology that can easily lead to centralized key management single-point failure; the high error rate of long-distance wireless channels makes it costly for nodes to update and maintain public key certificates [15]. In 1984, Shamir proposed a new public key cryptosystem at the CRYPTO 1984 conference held in North America [16]. In the new system, the user’s public key can be any bit string related to the user’s identity, and the user’s private key is generated by a trusted private key generation center PKG (private key generator). Therefore, this system is also called identity-based public key cryptography (IBC). Identity-based public key cryptography realizes the automatic binding of user public keys and identity information, and the system no longer needs to maintain a user public key directory, saving the overhead cost of issuing and storing user certificates, thereby simplifying the key management process inherent in traditional public key systems. In 2001, Boneh and Franklin proposed the first practical and efficient identity-based encryption mechanism using bilinear pairings (BF-IBE) [17]. In the literature [18,19,20,21], to solve similar problems in ad hoc networks, some key management schemes based on identity-based public key cryptography and distributed key management mechanisms have been proposed, providing references for research on space network key management. Luo [22] proposed an identity-based distributed key management scheme to resolve the problems of centralized key management and over-consumption in regards to certificate maintenance in space networks. However, these schemes still exhibit key escrow issues.

Certificate-less cryptography is a new type of public key cryptography proposed by Al-Riyami and Paterson at the 2003 ASIACRYPT conference [23]. Similar to identity-based cryptography, it does not require the use of certificates to associate users and public keys. Although it also relies on a private key generation center PKG with a master key to participate in the generation of users’ private keys, the PKG only generates partial private keys corresponding to the user’s identity. The final user’s private key is composed of partial private keys and a randomly chosen secret value. Therefore, the PKG does not have full control over the user’s private key, and there is no key escrow problem. In the same year that Al-Riyami proposed the certificate-less public key cryptography model, Chen et al. also proposed an identity-based signature scheme that does not require a trusted PKG [24]. Afterwards, Gorantla et al. proposed a more efficient certificate-less signature scheme based on Al-Riyami’s work [25]. Al-Riyami [26] proposed a certificate-less public key encryption scheme (CL-PKE), which is guaranteed by the difficulty of solving the computational Diffie–Hellman problem (CDHP), and Baek [27] provided security proofs under the random oracle model. The literature [28,29] also proposed two-party key agreement schemes, but these cannot resist attacks in which the keys are leaked and or when a temporary private key leaks. Liu [30] proposed a certificate-less key agreement protocol, which only performs the one-way authentication of nodes and does not achieve the mutual authentication of two-party nodes. Although it saves some computational overhead, it increases security risks. Chen [31] proposed an efficient authentication protocol that only requires hash and XOR operations to reduce user computational overhead, but it cannot resist man-in-the-middle attacks. To avoid key escrow, certificate-less public key cryptography (CL-PKC) has been introduced into anonymous communication authentication in the Internet of vehicles [32,33,34]. However, these schemes either do not give the specific construction method of the distributed private key center (DPKG), or the construction method given does not match the reality of space networks; secondly, these schemes assign DPKG nodes with long-term validity of their master key shares and lack the updating mechanism, which allows attackers to reconstruct the master key if the value of the master key shares they have accumulated reaches the threshold value; in addition, these schemes lack an efficient node private key update strategy, which can cause network congestion when a large number of nodes apply for updates at the same time.

To address the above issues, the research motivation for this paper includes the following three main aspects:

(1)

Designing a DPKG construction strategy that is practically compatible with space networks;

(2)

Designing an update mechanism for DPKG node master key shares;

(3)

Designing a node private key phased update strategy to avoid the network congestion problem generated by centralized updates.

The certificate-less distributed key management scheme proposed in this paper for space networks uses threshold secret sharing mechanisms to reasonably distribute the functions of the PKG to multiple service nodes in the space information network to avoid the problem of PKG paralysis due to single-point failure and also solves the difficulties in maintaining certificates and key escrow.

The specific contributions of this paper include the following:

(1)

The concept of a secure field of view is proposed, and the construction method of the DPKG of space networks is given;

(2)

The problem of updating the master key shares of DPKG nodes is solved by introducing a 0-constant term polynomial of the same order as the master key share polynomial, and a specific update algorithm is designed;

(3)

A batchwise private key update mechanism is employed. The mapping function $f:ID\to T_{update}$ is used to distribute the update requests of the nodes evenly throughout the update time period, avoiding the problem of the over-concentration of update requests.

The content and arrangement of this paper are as follows: Section 2 introduces the preparatory knowledge. Section 3 describes the proposed certificate-less distributed key management scheme. Section 4 provides a detailed proof and analysis of the correctness and security of the scheme. Section 5 includes the simulation, verification and comparison. Finally, the paper concludes with a summary of the entire document.

2. Preparatory Knowledge

The threshold secret sharing mechanism is a secret information segmentation storage scheme proposed by Shamir in 1979. It is the main method used in the field of cryptography to solve the problem of the excessive concentration of security permissions, the dispersion of risks, and the tolerance of intrusion. An elliptic curve cryptosystem (ECC) is a system based on the elliptic curve over a finite field point group public key cryptography system. Compared with the traditional RSA public key cryptosystem, the elliptic curve public key system is able to use a shorter key length to achieve the same security strength; bilinear pair technology can realize the flexible transformation of input variable coefficients, and it is often used in cryptography to construct many protocols or schemes that are difficult to realize using other mathematical tools.

2.1. Threshold Secret Sharing Mechanism

Shamir’s threshold secret sharing mechanism generates secret shares through polynomials and reconstructs secrets using the Lagrange interpolation algorithm:

Parameter selection is achieved as follows: $Z_q$ is the field of integers of order $q$, $d\in Z_q$ is the number of secrets to be shared, $P=\left\{P_1,P_2,\dots \dots P_n\right\}$ is a secret share member collection with $n$ participants, randomly generating a $t-1$ degree secret-sharing polynomial on $Z_q$, as follows:

$$\mathrm{f}(x)=d+{\displaystyle {\sum }_{i=1}^{t-1}{c}_i{x}^i\mathrm{mod}q}$$

(1)

where $c_i$ is the random number on $Z_q$, $d$ and $c_i$ are kept secret, and the other parameters are disclosed to the public.

To achieve secret sharing, Select $n$ secret shares to generate the number $X_i$ $(X_i\in Z_q,1\le i\le n,X_i\ne 0)$, calculate and securely transmit the secret share $d_i=\mathrm{f}(X_i)$ for member $P_i$, and publicize $X_i$.

To achieve secret reconstruction, the polynomial can be reconstructed by the Lagrange interpolation theorem for any $t$ participants who want to recover the secret $d$, as follows:

$$\mathrm{f}(x)={\displaystyle {\sum }_{i=1}^t{\displaystyle {\prod }_{j=1,j\ne i}^t\frac{x-X_j}{X_i-X_j}}}, \mathrm{f}(X_i)={\displaystyle {\sum }_{i=1}^t{\displaystyle {\prod }_{j=1,j\ne i}^t\frac{x-X_j}{X_i-X_j}}}{d}_i$$

Obviously,

$$d=f(0)={\displaystyle {\sum }_{i=1}^t{\displaystyle {\prod }_{j=1,j\ne i}^t\frac{X_j}{X_j-X_i}}}{d}_i$$

(2)

Call ${\lambda }_i={\displaystyle {\prod }_{j=1,j\ne i}^t\frac{X_j}{X_j-X_i}}$ the interpolation factor, then

$$d={\displaystyle {\sum }_{i=1}^t{\lambda }_i}{d}_i$$

(3)

Since the time of f(x) is t − 1, then less than t participants cannot reconstruct the polynomial, and the secret d is not recovered.

2.2. Security Basis for Elliptic Curve Cryptosystems

Elliptic curve cryptosystems are based on the construction of elliptic curve point groups over finite fields. On a finite field $F_q$, denote the set of points of the elliptic curve as $E\left(F_q\right)$ (including the infinity points). Construct the cyclic addition group $G(P,+)$ on $E\left(F_q\right)$ under the defined rules of addition and multiplication operations, where $P\in E\left(F_q\right)$ is the generating element of $G$. All elements on $G$ are generated by multiplication by $P$, i.e., $G=\left\{aP|a\in Z_q\right\}$.

The security of elliptic curve cryptosystems relies on the following mathematical puzzle for elliptic curve point groups:

(a)

The elliptic curve discrete logarithm problem (ECDLP) is used as follows: $G(P,+)$ is the group defining the group over $E\left(F_q\right)$; if $Q\in G$, compute the smallest nonnegative integer $x\in Z_q$ such that $Q=xP$.

(b)

The elliptic curve computational Diffie–Hellman problem (ECCDH) is used as follows: $G(P,+)$ is the group defining the group over $E\left(F_q\right)$; if $xP,yP\in G$, compute $xyP$ without mastering $x,y\in Z_q$.

(c)

The elliptic curve decisional Diffie-Hellman problem (ECDDH) is used as follows: $G(P,+)$ is the group defining the group over $E\left(F_q\right)$; if $xP,yP,zP\in G$, without mastering $x,y,z\in Z_q$ distinguish between $xyP$ and $e(aP,bR)=e{(P,R)}^{ab}$.

2.3. Bilinear Pairings

Bilinear pairs are also called bilinear maps. Bilinear pairs based on elliptic curves are defined as follows:

Definition 1.

Let $q$ be a large prime, $G(P,+)$ be an additive group on $E\left(F_q\right)$, and $e(aP,bR)=e{(P,R)}^{ab}$ be a generator; $G_2\left(1_{G_2},\cdot \right)$ is a multiplicative group on $F_q$, where $1_{G_2}$ is the identity of $G_2$. Bilinear pairs $e:G_1\times G_1\to G_2$ satisfy the following conditions:

(a)

Bilinear: For any $P,Q,R\in G_1$ and $a,b\in Z_q$, we have: $e\left(P+Q,R\right)=e(P,R)\cdot e(Q,R)$ or $e\left(aP,bR\right)=e{\left(P,R\right)}^{ab}$ holds.

(b)

Non-degenerative: $e(P,P)\ne 1_{G_2}$.

(c)

Computability: for any $P,Q\in G_1$, there exists an efficient algorithm to compute $e(P,Q)$.

2.4. Adversary Model

In certificate-less public key cryptosystems (CL-PKC), the adversary model mainly considers the following situations:

Adversary I: This type of adversary can replace the public key of a user and obtain the system master key but cannot obtain the secret value of the user.

Adversary II: This type of adversary cannot obtain the system master key but can obtain the secret value of the user and can replace the public key of the user.

3. Certificate-Less Distributed Key Management Scheme

In the space network, the ground control center is the only static node in the network; other space communication platforms (including various types of satellites and proximity space vehicles, etc.) constitute a collection of dynamic nodes. All dynamic nodes need to go through the ground control center to access the network. With the different spatial locations of the dynamic nodes, the communication quality and security of the wireless links between them and the ground centers exhibit large differences. For example, when nodes are far away from the ground center, the link BER is higher, and the communication delay is longer; when nodes roam into non-friendly space regions, the threats of interference and eavesdropping on the link are also higher. For ease of description, we refer to the area of space that is relatively close to the ground center, displays good communication links, and exhibits a low security threat as the ground center’s security field of view. In dynamic nodes, the trajectories of satellite nodes are periodic and predictable. They are more evenly distributed in the space region, and some of the satellite nodes periodically operate within the security field of view of the ground center, as shown in the Figure 2. Based on these characteristics of the space network, the design ideas presented in this paper are described as follows:

(1)

A centralized private key generation center PKG with the system master key is set up at the ground control center. The PKG generates the distribution of the initial portion of the private key for the node when it enters the network via the ground center.

(2)

A number of satellite nodes that can appear at least once in the PKG’s secure field of view within a specified time interval is selected to form distributed private key generation center distributed private key generators (DPKGs). A master key component is assigned to the DPKGs node by the PKG using the threshold secret sharing mechanism when it enters the network via the ground center. Threshold individual DPKGs nodes are federated to provide private key update service to the network nodes.

(3)

During the network operation phase, the PKG is responsible for providing the master key component update service to the DPKGs nodes when they are operating within the security horizon of the ground center.

3.1. Initialization

Consider a spatial network containing $N$ nodes, with a set of nodes $\Psi (|\Psi |=N)$, with the number of network nodes $N$ dynamically variable as nodes join or leave. Let $ID$ be the node identity space; node $A\in \Psi$ has a network-wide unique identification $I{D}_A\in ID$. The initialization process is as follows:

(1)

System parameter selection: The PKG chooses a finite field $Z_q^{*}$ of upper order $q$, a cyclic additive group $G_1$ generated by $P$, and a cyclic multiplicative group $G_2$ with the same order $q$, as well as the bilinear mapping $e:G_1\times G_1\to G_2$. Define two secure hash functions: $h_1:{\{0,1\}}^{*}\to G_1$, and $h_2:G_2\to {\{0,1\}}^{*}$; randomly select $s\in Z_q^{*}$ as the system master key and compute $P_{pub}=sP\in G_1$ as the system public key.

(2)

DPKGs setup: The PKG selects $n$ satellite nodes to form the set of DPKGs nodes $\Omega (|\Omega |=n)$ and generates the initial master key sharing polynomial

$$F(x)=(s+{\displaystyle {\sum }_{i=1}^{t-1}{a}_i}{x}^i)\mathrm{mod}q$$

(4)

For any DPKGs node $V\in \Omega (|\Omega |=n)$, the initial master key component is computed using the above equation, as follows:

$$s_V=F(h_1(I{D}_V))\mathrm{mod}q$$

(5)

The public master key component authentication parameters array is $W=\left\{s_{V}P\left|V\in \Omega \right.\right\}$. Clearly, $t$ number of DPKGs nodes can jointly reconstruct $F(x)$ and then recover the master key by computing $F(0)=s$.

(3)

In a spatial network with distributed key generation centers, a node updating its private key once needs to broadcast a request message to at least $t$ number of DPKGs nodes. Since the space network uses wireless channels as communication links, a large number of nodes requesting key updates too centrally will inevitably cause network congestion and will greatly increase the computational delay of the DPKGs nodes. To avoid this, a batch update strategy is introduced: define the security usage period of a node’s private key as $T$, set a discrete set of time points $T_{update}=\left\{{\displaystyle \frac{iT}{m}}\left|i=1,2\cdots m\right.\right\}$, where $m$ is the number of batches, and construct a mapping function from $ID$ to update $T_{update}$:

$$f:ID\to T_{update}$$

(6)

For node $M$, the first key update is requested at the system clock $\tau =t_M=f(I{D}_M)$, and thereafter key updates are requested every $T$ time. As long as the mapping function $f$ can map all nodes uniformly to $T_{update}$, the private key update requests of all nodes can be spread evenly throughout the update time period. In real networks, the node identification $ID$ is usually a set of serial and continuous number, such as IP, MAC address, etc., so it is easy to construct a mapping function $f$ that satisfies the conditions.

After initialization is complete, the parameters disclosed by the system include:

$$\{P,G_1,G_2,e,p,h_1,h_2,F,W,phas{e}_0,f,T_{update},T\}$$

(7)

3.2. Node Private Key Generation

Set a non-zero string related to the number of node updates $phase$. Take $phase=phas{e}_0$ at the initial moment and $phase=phase+1$ before each update of the node. Generate an initial public-private key pair for the node using $phase(=phas{e}_0)$ and the node identity. For node $A$, the initial public-private key pair is generated as follows:

①

PKG generates a partial private key $D_A=s{H}_1(I{D}_A||phase)$ for node $A$, where $\left|\right|$ denotes a string concatenation operation;

②

Node $A$ picks a secret value $x_A\in Z_q^{*}$ that makes up its full private key, $S_A=<D_A,X_A>=<D_A,x_{A}P>$;

3.3. Node Public Key Generation

While generating the private key, node $A$ computes $Q_A=h_1(i{d}_A||phase)$ and generates its public key, $P_A=<Q_A,x_{A}P>=<Q_A,Y_A>$.

3.4. Node Public-Private Key Update

In a spatial network with distributed key generation centers, a node updating its private key once needs to broadcast a request message to at least $t$ number of DPKGs nodes. Since the space network uses wireless channels as communication links, a large number of nodes requesting key updates too centrally will inevitably cause network congestion and will greatly increase the computational delay of DPKGs nodes. To avoid this, a batch update strategy is introduced, as follows: define the security usage period of a node’s private key as $T$; set a discrete set of time points $T_{update}=\left\{{\displaystyle \frac{iT}{m}}\left|i=1,2\cdots m\right.\right\}$, where $m$ is the number of batches; and construct a mapping function from $ID$ to update $T_{update}$ mapping function

$$f:ID\to T_{update}$$

(8)

For node $M$, the first key update is requested at the system clock $\tau =t_M=f(I{D}_M)$, and thereafter, key updates are requested every $T$ time. As long as the mapping function $f$ can map all nodes uniformly to $T_{update}$, the private key update requests of all nodes can be spread evenly throughout the update time period. In real networks, the node identification $ID$ is usually a set of serial and continuous numbers, such as the IP, the MAC address, etc., so it is easy to construct a mapping function $f$ that satisfies the conditions. Expose $\{f,T_{update},T\}$ to all nodes.

At the system time $\tau$, node $A$ needs to perform the following steps if it wants to request an update of its private key, $S_A=<D_A,X_A>$:

Step 1: Node $A$ calculates the $phase$ value associated with this update as follows (where $t_A$ denotes the time of the first update of node, $A$ and $N$ denote the number of completed updates):

$$\begin{array}{c}{t}_A=f(I{D}_A),\\ N=\left(\tau -t_A+T\right)/T,\\ phase=phas{e}_0+N;\\ Q_{A\_new}=H_1(I{D}_A||phase)\end{array}$$

(9)

Step 2: Node $A$ picks a random number $r_A\in Z_q^{*}$; computes $R=r_{A}P$, and $S=r_A{x}_A$, and broadcasts a private key update request message to at least $t$ DPKGs nodes

$$RE{Q}_{update}=\{Q_{A\_new},R,S,I{D}_A\}$$

(10)

Step 3: The DPKGs node $V$ that receives the request message verifies whether the requesting node is a revoked node. If yes, the algorithm ends; otherwise it continues.

Step 4: Node $V$ takes $x_{A}P$ from $A$’s public key $P_A=<Q_A,x_{A}P>$ and utilizes bilinear pairwise qualities to verify whether $e(R,x_{A}P)=e(SP,P)$ is valid. If it is not valid, the update of a private key for it if refused; if it is valid, a partial private key message for node $A$, $M_V=s_V{Q}_{A\_new}$ is computed, where $s_V$ is the primary key component of node $V$.

Step 5: Node $V$ picks a random number $r_V\in Z_q^{*}$, computes $U=r_{V}P$, and encrypts part of the private key information $X=M_V+r_{V}R$. Return the private key update answer message to $A$:

$$RE{S}_{update}=<U,X,I{D}_V>$$

(11)

Step 6: After node $A$ receives the update answer cipher message, it decrypts the message to get part of the private key information issued by $V$:

$$M_V=X-r_{A}U=s_V{Q}_{A\_new}$$

(12)

Read the validation parameter $W_V$ of $V$ from the validation array to verify that $e(M_V,P)=e(Q_{A\_new},W_V)$ are equal. If unequal, discard; if equal, save $M_V$.

Step 7: After node $A$ receives $t$ verified partial private key messages, it reconstructs the partial private key by using Lagrange interpolation, as follows:

$$D_{A\_new}={\displaystyle {\sum }_{V\in \Delta }{\lambda }_V(0)M_V}={\displaystyle {\sum }_{V\in \Delta }{\lambda }_V(0)s_V}{Q}_{A\_new}=s{Q}_{A\_new}$$

(13)

where ${\lambda }_V(0)$ is the interpolation coefficient, and $\Lambda$ is the set of $t$ verified DPKGs nodes.

Step 8: For node $A$ $X_A=x_A{D}_{A\_new}$, the new private key is $S_A=<D_{A\_new},X_A>$, and the public key is $P_A=<Q_{A\_new},Y_A>$.

3.5. DPKGs Master Key Component Update

In order to prevent the master key from being leaked by an attacker who has accumulated threshold key components, the system needs to update the master key components of each DPKGs node periodically. The updating principle is as follows:

Let the current cycle system master key sharing polynomial be $F(x)$. The PKG randomly selects the polynomial with the number of times $t-1$, as follow:

$$\xi (x)=({\displaystyle {\sum }_{i=1}^{t-1}{b}_i}{x}^i)\mathrm{mod}q$$

(14)

Generate the master key sharing polynomial in the next cycle, as follows: $F(x)=F(x)+\xi (x)$. Since $\xi (0)=0$, the new polynomial still satisfies $F(0)=s$; the polynomial form is changed, but the master key remains the same. To shorten the update elapsed time, the PKG can calculate the master key component $s_V$ and the array of authentication parameters $W$ for the next cycle of each DPKGs node in advance.

The specific update steps are as follows:

Step 1: When the DPKGs node $V$ runs into the safe field of view of the PKG, pick the random number $r_V\in Z_q^{*}$ and compute $R=r_{V}P$ and $S=r_V{x}_V$; this sends an update request message to the PKG, as follows:

$$RE{Q}_{update}=\{R,S,I{D}_V\}$$

(15)

Step 2: After receiving the request message, PKG checks whether node $V$ is a revoked node or not. If yes, the algorithm ends. Otherwise, continue with Step 3.

Step 3: The PKG verifies whether $e(SP,P)=e(R,x_{V}P)$ holds using the bilinear pair property. If it does not hold, the algorithm ends; if it holds, the message is considered to come from a legitimate node $V$, and the execution continues to Step 4.

Step 4: The PKG picks the random number $r_P\in Z_q^{*}$ and the master key component $s_V$, pre-generated from the new shared polynomial, and computes $Q=r_{P}P$, $U=r_{P}R+s_V$, and $Z=sR$. Return an update answer message to node $V$, as follows:

$$RE{S}_{update}=\{U,Q,Z\}$$

(16)

Step 5: PKG broadcasts $Q_{Broadcast}=\left\{W,T_{update}\right\}$ to the whole network, where $W$ is the new authentication parameter array, and $T_{update}$ is the new master key component enable time.

Step 6: After node $V$ receives the update answer message, verify whether $e(R,p)=e(Z,P)$ is valid; if not, discard the answer message; if it is valid, prove that the answer is from the PKG, accept the answer message, and obtain the new master key component by calculating $s_V=U-r_{V}Q$ and get the new master key component.

Step 7: When the system clock $\tau =T_{update}$, each DPKGs node updates the master key component; all nodes update the authentication parameter array $W$.

3.6. Session Key Negotiation

If node $A$ and node $B$ need to negotiate the session key at the time of the system time $\tau$, where $A$’s full private key $S_A=<D_A,x_A>$ and public key $P_A=<{\mathrm{X}}_{\mathrm{A}},{\mathrm{Y}}_{\mathrm{A}}>$, and $B$’s full private key $S_B=<D_B,x_B>$ and public key $P_B=<{\mathrm{X}}_{\mathrm{B}},{\mathrm{Y}}_{\mathrm{B}}>$, the node $A$ and $B$ session key negotiation process is as follows:

Step 1: $A$ picks a random number $a\in Z_q^{*}$, computes $T_A=aP$, and sends $T_A$, ${\mathrm{X}}_A$ to $B$.

Step 2: $B$ picks a random number $b\in Z_q^{*}$, computes $T_B=bP$, and sends $T_B$, ${\mathrm{X}}_B$ to $A$.

Step 3: $A$ calculates $K_A=H_2(e(a{Q}_B,P_{pub}+Y_{\mathrm{B}}))\oplus H_2(e(S_A^{\prime },T_B))$.

Step 4: $B$ calculates $K_B=H_2(e(b{Q}_A,P_{pub}+Y_A))\oplus H_2(e(S_B^{\prime },T_A))$, where $S_A^{\prime }=D_A+x_A{Q}_A=(s+x_A)Q_A$, $Q_A$ is obtained as follows (where $⌊*⌋$ denotes taking the integer part):

$$t_A=f(I{D}_A)$$

(17)

$$N=⌊\left(\tau -t_{update}+w\right)/w⌋$$

(18)

$$Q_A=h_1(I{D}_A||phas{e}_0+N)$$

(19)

$S_B^{\prime }$, $Q_B$ are calculated in a similar way.

This can be proved using the bilinear pair property, as follows:

$$\begin{array}{cc}\hfill K_A& =H_2(e(a{Q}_B,P_{pub}+Y_{\mathrm{B}}))\oplus H_2(e(S_A^{\prime },T_B))\hfill \\ & =H_2(e(a{Q}_B,sP+x_{B}P))\oplus H_2(e((s+x_A)Q_A,bP))\hfill \\ & =H_2(e{(Q_B,P)}^{a(x_B+s)})\oplus H_2(e{(Q_A,P)}^{b(x_A+s)})\hfill \\ & =H_2(e((x_B+s)Q_B,aP))\oplus H_2(e(b{Q}_A,(x_A+s)P))\hfill \\ & =H_2(e(S_B^{\prime },T_A))\oplus H_2(e(b{Q}_A,P_{pub}+X_A))\hfill \\ & =K_B\hfill \end{array}$$

(20)

Thus, $K_A(=K_B)$ is the session key negotiated between point $A$ and node $B$. The negotiation of the session key can be completed after one interaction.

4. Security Analysis

4.1. Master Key Security

In the scheme of this paper, the attacker can compute $P$, $p$, and $W_V$ from the public parameters:

$$e(P,p)=e(P,sP)=e{(P,P)}^s$$

(21)

$$e(P,W_V)=e(P,s_{V}P)=e{(P,P)}^{s_V}$$

(22)

If one uses $e{(P,P)}^s$ to invert $s$ or $e{(P,P)}^{s_V}$ to invert $s_V$, both will require the solving of discrete logarithms over a finite field. Solving this problem is difficult. Therefore, the attacker cannot obtain the system master key through the public parameters.

Attackers can also attempt to reconstruct the master key by accumulatively obtaining the threshold number of master key components by means of spoofing interference or listening to the failures of the DPKGs nodes. However, the periodic master key component update mechanism provided by the scheme in this paper can greatly reduce the possibility of the success of this attack. For a single DPKGs node, let the probability that an attacker is able to obtain its master key component in an update cycle be $p_s$. Obviously, the length of the update period of the master key component affects the size of $p_s$. The shorter the update period, the smaller $p_s$ will be. Let $n$ be the number of DPKGs nodes and $t$ be the threshold value; then, the probability that no less than the threshold number of the master key components are in the possession of the attacker (i.e., the probability that the attacker can reconstruct the master key) is calculated as follows:

$$p_k={\displaystyle \sum _{i=t}^n{C}_n^i{p_s}^i{\left(1-p_s\right)}^{n-i}}$$

(23)

when $n=20$, and $t=8,10,12,15$, the variation of $p_k$ with $p_s$ is shown in Figure 3.

Properly setting the update period and the threshold value can make $p_k$ take a value that falls on the lower horizontal line on the left side of the graph, where the probability that the attacker can reconstruct the master key is close to 0.

4.2. Private and Master Key Component Update Security

During the private key update process, the DPKGs node utilizes the random number $r_V$ and $R$ in the request message to encrypt the new private key component $M_V$ and transmit it to the requesting node. The only messages an attacker can listen to are $R=r_{A}P$, $r_{V}P$, and $r_{V}R+M_V$. The inverse of $r_V$ from $r_{V}P$, $P$ is difficult. The attacker cannot decrypt $r_{V}R+M_V$ because he cannot solve for $r_{V}R$.

The parameters $S=r_A{x}_A$ and $R=r_{A}P$ in the private key update request message provide the DPKGs node with the ability to authenticate itself to the requesting node $A$. This is because

$$e(R,x_{A}P)=e(r_{A}P,x_{A}P)=e{(P,P)}^{r_A{x}_A}=e(r_A{x}_{A}P,P)=e(SP,P)$$

(24)

although the attacker can randomly select $r_A^{\prime }$ and forge $R^{\prime }=r_A^{\prime }P$. However, the forged $S^{\prime }=r_A^{\prime }{K}^{\prime }$ cannot be verified by the DPKGs node because it cannot obtain part of the private key $x_A$ of the requesting node.

The authentication of the requesting node $A$ to the DPKGs node is realized by means of an authentication array, as follows:

$$e(M_V,P)=e(s_V{Q}_A,P)=e{(Q_A,P)}^{s_V}=e(Q_A,s_{V}P)=e(Q_A,W_V)$$

(25)

The attacker, not having access to the master key component $s_V$, similarly does not forge a false private key parameter that can be verified.

The same security mechanisms described above are provided during the master key component update process and will not be repeated here.

4.3. Session Key Negotiation Security

The session key negotiation mechanism security satisfies the following security properties.

(1)

Known session key security: During each negotiation of the session key, the interacting parties temporarily choose different random numbers to participate in generating the key for this session. If a session key $K_{AB}$ between node $A$ and node $B$ is compromised, the attacker can only impersonate $A$ to communicate with $B$ or $B$ to communicate with $A$ in this session, but this will not affect the security of the other sessions between $A$ and $B$;

(2)

Perfect forward security: The long-term private key leakage of one of the parties in the scheme will not affect the confidentiality of the old session key. For an attacker who knows the private key $S_A$ of node $A$, he is able to compute $H_2(e(S_A^{\prime },T_B))$, but since he does not know $a$ with the private key $S_B$ of node $B$, as well as $b$, the attacker is not able to compute $H_2(e(a{Q}_B,p+X_B))$. For an attacker who knows the system’s master key $s$, $D_{\mathrm{A}}$ and $D_{\mathrm{B}}$ can be computed, but without knowing $x_{\mathrm{A}}$ and $x_{\mathrm{B}}$, the attacker cannot compute $H_2(e(S_A^{\prime },T_B))$ with $H_2(e(a{Q}_B,P_0+P_B))$. If the attacker knows the long-term private keys $S_A$, $S_B$ of both parties, but cannot get any information about $a$ and $b$, he cannot compute $H_2(e(a{Q}_B,P_0+P_B))$. Therefore, the negotiation mechanism provides perfect forward security.

(3)

Key disclosure plays security: For the known long-term private key of node $A$$S_A$ attacker, although he can intercept $T_B$ by using $S_A$ and calculate $H_2(e(S_A^{\prime },T_B^{\prime }))$ by sending $T_{\mathrm{B}}^{\prime }$ to $A$, he cannot impersonate $B$ because he cannot calculate $H_2(e(a{Q}_B,p+X_B))$. For an attacker who knows the system master key s, although he can compute $D_{\mathrm{A}}$ and $D_{\mathrm{B}}$, he is similarly unable to impersonate $B$ because he cannot compute $H_2(e(a{Q}_B,p+X_B))$.

(4)

Key control security: the session key is jointly generated by random numbers selected by each party; there is no question of one party controlling the result of generating the session key.

(5)

Unknown key sharing security: Even though the attacker obtains the private key of node $A$ or $B$ and can intercept the key negotiation parameters $T_A$ and $T_B$, the attacker cannot obtain the information about $a$ and $b$ from node $A$ or $B$ and thus, cannot launch a man-in-the-middle attack.

4.4. Security Proof

In the scheme of this paper, the session key of A and B, $K_A=K_B=H_2(e(a{Q}_B,P_{pub}+Y_{\mathrm{B}}))\oplus H_2(e({S_A}^{\prime },T_B))$, where $Q_B,P_{pub},Y_{\mathrm{B}}$ are the public parameters, $T_B$ is the temporary session parameter provided by B, and ${S_A}^{\prime }$ is the secret parameter of A. If an attacker attempts to impersonate A and communicate with B, he needs to perform a round of communication interaction with A (exchange session parameters), and then output the correct $S_A^{\prime }$ and compute the correct session key. If the attacker is able to output the correct $S_A^{\prime }$, we claim that his attack on this paper’s scheme is successful. From the previous section, $S_A^{\prime }=D_A+x_A{Q}_A=s{Q}_A+x_A{Q}_A$, for Adversary I, who is able to make use of the master key $s$ in its possession, computationally obtains $s{Q}_A$, but must guess $x_A{Q}_A$; Adversary II must guess the whole $S_A^{\prime }$. In summary, for both types of adversary in this paper’s scheme to output the correct $S_A^{\prime }$ requires effort.

Theorem 1.

If an attacker is able to attack the scheme of this paper with a non-negligible advantage $\mu (\lambda )$ in polynomial time using a bounded number of random predicate queries (assuming $q_k$ public key queries and private key component $X_i$ queries and session key queries), then there exists an algorithm M_B that can attack the scheme of this paper using the advantage of ${\displaystyle \frac{2q_k}{e^2{(q_k-1)}^3}}\mu (\lambda )$ to solve the ECCDH problem, where $e$ is a natural constant, and $\lambda$ is a system security parameter.

Proof. 

M_B first builds the scheme of this paper, publishes the public parameters $params$, and securely stores $s$ Adversary I. M_A is an attacker of the scheme of this paper (which can be that M_B is the challenger of M_A—either Adversary I or Adversary II—whose goal is to crack the authentication scheme of this paper by asking a bounded number of random questions). M_B trains M_A through a simulation process and tries to solve the ECCDH problem. □

M_C defeats the ECCDH problem challenger for M_B. Before the simulation starts, M_C selects $m,n\in Z_q$, computes $P_{1}mP$, $P_2=nP$, and sends $<P_1{P}_2>$ to M_B. M_B tries to solve the ECCDH problem by obtaining $mnP$, without having $m,n\in Z_q$.

In addition, M_B needs to maintain an initially empty list $L=<I{D}_i,Q_i,Y_i,x_i,X_i>$ for keeping track of the M_A’s public key queries and private key components $X_i$ query; alternatively, $j\in (1,2\dots q_K)$, $j$ denotes the guess of the attack on the M_A, and the M_A will impersonate $I{D}_j$ to negotiate for the key with other node members.

• Stage 1: Interrogation Stage

Public key query: M_A asks M_B for the public key of $I{D}_i$. For the $i$th query, if $i\ne j$, M_B randomly selects $x_i\in Z_q$, $Q_i\in G_1$, he computes $Y_i=x_{i}P$ and adds $<I{D}_i,Q_i,Y_i,x_i,null>$ to $L$; if he selects $i=j_1$, he calculates $Q_i=P_1$, $Y_i=P_2$ and adds $<I{D}_{j_1},P_1,P_2,null,null>$ to $L$. After completing the above, M_B returns $<Q_i,Y_i>$ to M_A.

Private key component $X_i$ query: M_A sends $I{D}_i$ to M_B, querying $I{D}_i$’s private key component $X_i$. If $i\ne j$, M_B uses $I{D}_i$ to fetch $<I{D}_i,Q_i,Y_i,x_i,null>$ from $L$, calculates $X_i=x_i{Q}_i$, updates the table entry of $I{D_i}_1$ in $L$ to $<I{D}_i,Q_i,Y_i,x_i,X_i>$, and sends $X_i$ to M_A; otherwise, the simulation is interrupted.

Session key interrogation: M_A randomly selects ${x_i}_1\in Z_q$, $T_{i_1}=a_{i_1}P$ and sends $<T_{i_1},I{D}_{i_1},I{D}_{i_2}>$ to M_B to ask as $I{D}_{i_1}$ for the same information as the $I{D}_{i_2}$’s session key $K_{i_1}$. If $i_1\ne j$, M_B uses $I{D_i}_1$ take out ${Q_i}_1,{Y_i}_1,{x_i}_1,{X_i}_1$ from $L$, uses $I{D_i}_2$ take out ${Q_i}_2,{Y_i}_2$ from $L$, and randomly selects ${T_i}_1\in G_1$. He performs the calculation as follows: $K_{i_1}=H_2(e({a_i}_1{Q_i}_2,P_{pub}+{Y_i}_2))\oplus H_2(e(s{Q_i}_1+{X_i}_1,{T_i}_2))$, sets $<T_{i_2},K_{i_1}>$, and returns it to M_A; otherwise, the simulation is interrupted.

• Stage 2: Challenge Stage

M_A randomly selects $a_s\in Z_q$, counts $T_s=a_{s}P$, sends $<I{D}_s,I{D}_t,T_s>$ to M_B, and tries to impersonate $I{D}_s$ to negotiate the session key with $I{D}_t$. If $s\ne j$, M_B interrupts the simulation; otherwise, M_B picks $a_t\in Z_q$, selects $T_t=a_{t}P$, and sends $T_s$ to M_A, which outputs ${S_s}^{\prime }$ as an attack result. M_B verifies that $e({S_s}^{\prime }-s{P}_1,P)=e(P_1,P_2)$ holds. If it does not hold, the M_A challenge fails; if it does, then $e({S_s}^{\prime }-s{P}_1,P)=e(P_1,P_2)=e{(P,P)}^{mn}=e(mnP,P)$, so $S_s\prime -s{P}_1=mnP$, i.e., ${S_s}^{\prime }=mnP+s{P}_1=m(n+s)P$. At this point, the session key obtained by the M_A through calculation is as follows:

$$\begin{array}{cc}\hfill K_s& =H_2(e(a_s{Q}_t,P_{pub}+Y_t))\oplus H_2(e({S_s}^{\prime },T_t))\hfill \\ & =H_2(e(a_s{Q}_t,sP+x_{t}P))\oplus H_2(e(a(b+s)P,a_{t}P))\hfill \\ & =H_2(e{(Q_t,P)}^{a_s(s+x_t)})\oplus H_2(e{(aP,P)}^{a_t(b+s)})\hfill \\ & =H_2(e{(aP,P)}^{a_t(b+s)})\oplus H_2(e{(Q_t,P)}^{a_s(s+x_t)})\hfill \\ & =H_2(e(a_{t}aP,(b+s)P))\oplus H_2(e((s+x_t)Q_t,a_{s}P))\hfill \\ & =H_2(e(a_t{Q}_s,P_{pub}+Y_s))\oplus H_2(e({S_t}^{\prime },T_s))=K_t\hfill \end{array}$$

(26)

M_A’s challenge is successful. M_B outputs ${S_s}^{\prime }-s{P}_1=abP$ to M_C to successfully resolve the ECCDH problem.

In the above reduction process, the M_B always replies to the M_A’s query with a random value, i.e., the M_A’s simulated view is co-distributed with the real attack, and thus the simulation process is complete. M_B is able to solve the ECCDH problem, depending on the following three events:

${\epsilon }_1$: private key component $X_i$ query; no interruptions.

${\epsilon }_2$: The session key enquiry was not interrupted.

${\epsilon }_3$: $s=j$ when the M_A initiates the challenge.

${\epsilon }_4$: M_A challenge successful.

It is easy to observe the following: $\mathrm{Pr}[{\epsilon }_1]=\mathrm{Pr}[{\epsilon }_2]={\left(1-{\displaystyle \frac{1}{q_K}}\right)}^{q_k-1}$, $\mathrm{Pr}[{\epsilon }_3]={\displaystyle \frac{2}{q_K(q_k-1)}}$, $\mathrm{Pr}[{\epsilon }_4]=\mu (\lambda )$; therefore, the advantages for M_B to solve the ECCDH problem are as follows: ${\left[{(1-{\displaystyle \frac{1}{q_K}})}^{q_K}\right]}^2{\displaystyle \frac{{q_K}^2}{{(q_K-1)}^2}}{\displaystyle \frac{2}{q_K(q_k-1)}}\mu (\lambda )\approx {\displaystyle \frac{2q_k}{e^2{(q_k-1)}^3}}\mu (\lambda )$ Q.E.D.

In summary, these two types of adversary attacks on the scheme of this paper are difficult to complete.

5. Simulation Verification

A network environment is modeled using NS2 to simulate and analyze the scheme of this paper. The simulation scenarios are generated using setdest, a scenario generation tool provided by CMU, in which the nodes’ mobility model adopts the random point model, the link layer protocol adopts the Mac/802.11 protocol, the routing protocol adopts the AODV protocol, and the bandwidth of data transmission is 2 Mbps. Additional parameter settings are shown in

Table 1. Analog parameter settings.

Analog Parameter	Description	Default Value
NODE_NUM	Number of mobile nodes (network size)	50
DPKGs_NUM	Number of DPKGs nodes	20
t	Threshold value	5
MAX_TIME	Analog maximum time	1500 s
MAX_SPEED	Maximum movement speed	15 m/s
LENGTH	Area length	1000
WIDTH	Area width	1000
FAILURE RATIO	Link Reliability	90%

below:

Keeping the network size unchanged, the impact of node movement speed changes as the performance of the scheme is examined. During the network operation phase, the variation of node private key update delay and the average number of re-transmissions of update requests are shown in Figure 4 and Figure 5, respectively. It can be seen that in the low-speed case, the update delay is larger, and the number of re-transmissions is slightly higher, which is caused by the nodes not being able to find the threshold DPKGs node in time at low speed. With the increase in mobile speed, the delay is gradually stabilized, and the average delay is about 300 s, which shows that the scheme in this paper exhibits stability.

The node private update success rate is shown in Figure 6, which indicates that the change of speed has little effect on the node private key update success rate, which is close to 100%. The variation of session key negotiation delay is shown in Figure 7, from which it can be seen that the key negotiation delay basically converges around 1.5 s. The above also shows the feasibility and stability of the scheme.

6. Conclusions

Because of the particularity and complexity of space networks, the key management schemes based on PKI/CA are no longer been applicable, and the identity-based cryptography used by existent schemes includes the inherent problem of key escrow. In order to resolve these problems, a certificate-less distributed key management scheme is proposed. On the basis of the properties of space networks, the method for constructing distributed private key generators is put forward. Using the identity-based cryptography proposed by Bonehg and Franklin, this scheme designs the methods of updating private keys, updating host-key shares, and negotiating session keys. Finally, the scheme is analyzed for security and simulated for correctness.