1. Field of the Invention
The present invention relates to a communication system, and more particularly to a communication system applicable to, for example, a sensor network system including a server for managing and controlling the entire system and a plurality of sensor nodes. The present invention also relates to a communication device for use in such a communication system.
2. Description of the Background Art
A sensor network system includes sensor nodes serving as communication devices. Such communication devices are often developed with cost reduction prioritized, which imposes the following restrictions.
The first restriction is that sensor nodes may not always be equipped with a CPU (Central Processing Unit) having high processing capacity. The second restriction is that sensor nodes may not always be equipped with a tamper-resistant memory.
Additionally, sensor network systems generally use multihop communication, in which data are transmitted via, or relayed by, plural sensor nodes.
Now, consider an example case where a server in a sensor network system transmits data for updating software to plural sensor nodes. In this case, it is assumed that the server multicasts the update data toward a group of subject nodes in which the software is to be updated, and causes the nodes to accept the received update data as data authenticated by the server. A conventional solution for implementing such authentication of multicast data is, for example, a digital signature technique using public key encryption.
However, under the first restriction described above, applying a public key encryption system may lead to an increase in processing load. Therefore, it may be preferable to apply a common key encryption system, which can reduce the processing load. An applicable common key encryption system may be, for example, a procedure in which both the server and the group of nodes are provided with a common group key used to authenticate the data provided from the server. Under the second restriction, however, it is difficult to ensure that the group common key held by the nodes is prevented from leaking out, or that the nodes are prevented from being modified so as to operate fraudulently. Therefore, it is necessary to consider the possibility that even update data successfully accepted by the nodes could be malicious software spread by an attacker, or could have been falsified by a fraudulent router node relaying the multihop communication.
Under the situations described above, some conventional solutions for attaining resistance to attacks by an attacker masquerading as a server, when supplying nodes with authenticated software update data, are presented by Adrian Perrig, et al., “Secure Broadcast Communication in Wired and Wireless Networks”, Kluwer Academic Publishers, (2003), pp. 161-165; Japanese Patent Laid-Open Publication No. 2006-157856; and US Patent Application Publication Nos. 2006/0282675 and 2008/0133921, both to Yao.
Perrig, et al., disclose that nodes are temporally synchronized with a server, which changes, in every time interval, the message authentication key used for generating the authentication code of a message. The nodes of this disclosed solution regard each message authentication key as valid only during the time interval to which that key is allocated. When the server transmits a message, it generates an authentication code and adds the generated authentication code to the message before transmitting it, while keeping secret from the nodes the message authentication key regarded as valid during the corresponding time interval. Then, after the time interval during which the message authentication key is regarded as valid has elapsed, the server discloses the message authentication key to the nodes.
In turn, the nodes accept the message authentication key thus disclosed as a key the server has authenticated. Further, each node uses the message authentication key thus successfully accepted to verify the authentication code of the message received in the time interval during which the message authentication key is regarded as valid, thus accomplishing resistance to attacks by an attacker masquerading as the server.
Perrig, et al., also teach that a solution disclosed in the Japanese '856 Publication is used instead of temporal synchronization for a server to request a node to confirm transmission of a message by means of number-of-authentication synchronization, thereby accomplishing resistance to attacks by an attacker masquerading as the server. In that case, the server confirms that a message intended to be accepted by the group of nodes has arrived at all the nodes in the group, and thereafter releases the message authentication key to the public. The release of the key to the public indicates that the correct message has arrived at all the nodes to which the message was intended to be transmitted. Therefore, if an attacker masquerading as the server spreads a message after the message authentication key is released to the public, each of the nodes can regard this masquerading message as a message delayed in the order of reception, and thus discard it.
When a message contains a large amount of data, such as authenticated software update data, the procedure taught by Perrig, et al., cannot start message authentication until the message authentication key is released to the public, thereby placing an increased load on the memory that holds the message. In view of this difficulty, both Yao publications indicated above disclose a procedure for transmitting only an authentication code prior to an authenticated message, and then transmitting the message.
The number-of-authentication synchronization for confirming transmission, which is significant in the conventional solution described above, is presented in order to overcome the difficulty that a node that already knows a message authentication key can masquerade as the server to spread a message to other nodes which will become aware of the message authentication key later on.
However, the four conventional solutions described above may be unsuitable, considering the various scenarios of transmitting software update data, for situations where confirmation of transmission by means of number-of-authentication synchronization is not preferable and may be made imperfect.
This may be the case in a sensor network in which one or more nodes are incommunicable due to, for example, electric power saving, and in which the server intends to transmit update data in an order that gives preference to adjacent nodes that have successfully accepted authentication of the update data, for example, by preferentially causing communicable nodes to accept authentication of the update data, or by causing nodes to accept authentication and receive authenticated update data hop by hop in multihop communication.
However, such imperfect synchronization of authentication in a group of nodes may lead to some nodes being notified of a message authentication key before other nodes. Thus, there is a possibility that a node notified of a message authentication key earlier can masquerade as the server to spread a message toward other nodes that will learn the message authentication key later on. This problem is common to the four solutions.
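The delayed key disclosure described above for Perrig, et al., and the imperfect-synchronization weakness just stated, as an added Python example that is not part of the original document or of any cited work. It assumes that disclosed keys are authenticated against a one-way hash chain whose commitment is pre-installed on the nodes (the page does not say how a disclosed key is authenticated); all names and the sample messages are constructed for illustration.

```python
import hashlib
import hmac

def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def make_key_chain(seed: bytes, n: int) -> list:
    # Assumed one-way chain: chain[i] = H(chain[i+1]). chain[0] is the commitment
    # pre-installed on nodes; chain[i] (i >= 1) authenticates interval i.
    chain = [seed]
    for _ in range(n):
        chain.append(hashlib.sha256(chain[-1]).digest())
    return chain[::-1]

class Node:
    def __init__(self, commitment: bytes):
        self.trusted, self.trusted_idx = commitment, 0  # last authenticated key
        self.buffer, self.accepted = {}, []

    def receive(self, interval: int, msg: bytes, tag: bytes) -> bool:
        if interval <= self.trusted_idx:
            return False  # key already released to this node: discard as delayed
        self.buffer.setdefault(interval, []).append((msg, tag))
        return True  # held unverified until the key is disclosed

    def key_disclosed(self, interval: int, key: bytes) -> bool:
        k = key
        for _ in range(max(interval - self.trusted_idx, 0)):
            k = hashlib.sha256(k).digest()  # walk back to the last trusted key
        if interval <= self.trusted_idx or not hmac.compare_digest(k, self.trusted):
            return False  # stale, or not on the server's chain
        self.trusted, self.trusted_idx = key, interval
        for msg, tag in self.buffer.pop(interval, []):
            if hmac.compare_digest(mac(key, msg), tag):
                self.accepted.append(msg)
        return True

def demo():
    chain = make_key_chain(b"constructed-seed", 3)
    update, other = b"update image (constructed)", b"data not sent by the server"
    early, late = Node(chain[0]), Node(chain[0])
    early.receive(1, update, mac(chain[1], update))
    early.key_disclosed(1, chain[1])   # 'early' is notified of K1 first
    tag = mac(chain[1], other)         # any holder of K1 can compute this tag
    discarded = not early.receive(1, other, tag)
    late.receive(1, other, tag)        # 'late' has not yet heard of the release
    late.key_disclosed(1, chain[1])
    return early.accepted, discarded, late.accepted
```

The node that already holds the released key discards the late message, while the node that learns the key afterwards verifies and accepts data the server never sent, which is the gap that confirmation of transmission is meant to close.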