A sensor network is a technique with which a large number of sensor terminals including sensors (e.g., for sensing temperature, atmospheric pressure, oscillation, acceleration, position, video, audio, radio wave, and the like) are put into a network and the state of a specific range is to be judged comprehensively based on the information from each of the sensors. It is expected to be able to apply the sensor network in various fields.
FIG. 10 is an explanatory chart showing the outline of the structure of a typical sensor network 901. The sensor network 901 is constituted with; a large number of sensor terminals 920a, 920b, - - - (generally referred to as sensor terminals 920) disposed within living environments; and a sensor management server 910 which receives information from those sensor terminals 920. Normally, the sensor management server 910 and the sensor terminals 920 are mutually connected via wireless communication.
The sensor network 910 needs to form a network by disposing an enormous number of sensor terminals 920 within living environments, and information must not leak to devices other than the sensor network. Thus, the sensor management server 910 transmits an encryption key 930 to each of the sensor terminals 920, encrypts the information collected by the own sensor provided thereto by the encryption key 930, and transmits it to the sensor management server 910.
However, each of the sensor terminals 920 is extremely small, so that ample calculator resources cannot be provided. Only a limited amount can be provided to each of the sensor terminals 920 regarding the calculation capacity of the processor, the storage capacity of the storage device, and the capacity of the battery. Thus, it is not possible to use a method which requires a large scale of calculations on the sensor terminal 920 side when transmitting/receiving the encryption key 930. Further, since the sensor management server 910 and the sensor terminals 920 communicate via wireless communication, it is difficult to transmit the encryption key 930 only to a specific terminal sensor.
Thus, it is common for the sensor network 901 to use a method which requires relatively a small calculation amount, such as a symmetric key (common key) encryption scheme, one-way hash function, or the like. For using the symmetric key encryption scheme, it is required to overcome the management regarding distribution and sharing of the key information that is the basis for the security of the encryption and authentication. In Non-Patent Documents 1 to 2, disclosed is an updating method of the encryption key 930 based on such symmetric key encryption scheme.
The technique disclosed in Non-Patent Document 1 is structured to hold the master key on one-on-one basis between each sensor terminal and the management server, and the management server encrypts an intrinsic key for each of the sensor terminals and distributes it individually by utilizing the master key. With this method, the number of keys to be updated and the number of communications required for updating the keys depend on the number of the sensor terminals. As described above, under the environment with a large number of sensor terminals, the communication volume required for distributing the keys also becomes tremendous.
Meanwhile, the technique disclosed in Non-Patent Document 2 generates a key an element key) for each attribute value such as the type and disposed place of each sensor terminal by paying an attention to the fact that the sensor terminal can be identified uniquely according to the combination of the attribute values. Further, arithmetic operations (concatenation, hash) are performed on the element key to generate the intrinsic key for each of the sensor terminals. Thereby, the number of the keys to be managed by the entire sensor network is reduced.
Update of the key provided to each of the sensor terminals is performed by repeatedly broadcasting a key update message that is generated by encrypting the information (salt) required for updating the key by using the element key related to the attribute value to a sensor terminal group which shares each attribute. With this method, the number of distribution times of the key update message becomes equivalent to the total number of attribute values. Under the environment with a great number of sensor terminals, the number of attributes is smaller than the number of sensor terminals. Thus, with the use of the method depicted in Non-Patent Document 2, the communication volume required for delivering the key update messages can be reduced greatly compared to the case of the method depicted in Non-Patent Document 1.
As other related techniques thereof, there are following technical documents. Among those, Patent Document 1 describes an autonomous distribution network of a lighting device. Patent Document 2 describes a technique which delivers an encryption key of a subject key encryption scheme securely, Patent Document 3 describes a data totalization method which encrypts and transfers data in a sensor network.    Patent Document 1: Japanese Unexamined Patent Publication 2002-135318    Patent Document 2: Japanese Unexamined Patent Publication Hei 11-196801    Patent Document 3: Japanese Patent Publication Application 2010-524413    Non-Patent Document 1: B. C. Neuman and Ts'o, Kerberos: “An authentication service for computer networks”, IEEE Communications Magazine, Vol. 32, No, 9, pp. 33-38, 1994, Non-Patent Document A.: Jun Noda, Yuichi Kaji, Toshiyasu Nakao, “A Group Key Management Scheme for Sensor Nodes Belonging to Multiple Large-scale Groups”, “Multimedia, Distributed, Cooperative and Mobile System” Information Processing Society of Japan, Journal 52(3), 2011 However, with the method depicted in Non-Patent Document 2, each sensor terminal normally has a plurality of attributes (e.g., the type of each terminal sensor, disposed place, and the like). Thus, multiple key update messages are delivered to a single sensor terminal. In the current Description, the lower limit value of the number of key update messages delivered to each sensor terminal is referred to as a multiplicity.
FIG. 11 is an explanatory chart showing an example of the relation between the communication volume and the multiplicity in a case where the technique depicted in Non-Patent Document 2 is applied to the sensor network 901 shown in FIG. 10. The relation shown in FIG. 11 is acquired empirically based on experiments done by the inventors. In a case where the multiplicity is large, the reception success rate is improved and it becomes robust for omission of key data. However, useless delivery is to occur when the communication environment is good. Inversely, when the multiplicity is small, the reception success rate is decreased and many retransmissions are to occur.
That is, the communication volume is increased whether the multiplicity is too large or too small. When the communication volume is increased, the power consumption of each terminal sensor is increased, which is particularly an issue for a sensor terminal that can carry only a small battery.
Non-Patent Document 1 and Patent Documents 1 to 3 do not disclose the technique that can overcome such issue. Non-Patent Document 1 is described above. Further, none of Patent Documents 1 to 3 is directed to decrease the communication volume when delivering the key update messages, and no technique that can be used for such object is disclosed therein.
An object of the present invention to provide a sensor network, a sensor management server, a key updating method, and a key updating program capable of efficiently delivering encryption keys to each sensor terminal by suppressing the communication volume.