移动IPv6网络安全接入认证方案

对于移动IPv6网络,身份认证是网络安全的关键问题之一.针对移动IPv6网络的接入认证,提出了一种基于移动互联网双向认证方案.在移动切换过程中的接入认证和家乡注册,采用对家乡注册消息进行基于双私钥签名的方式,实现了家乡代理和移动节点分别对注册消息的签名,实现了接入认证与家乡注册的并发执行,移动用户和接入网络的一次交互实现了用户和接入域的有效双向认证.理论分析和数据结果表明,方案的认证总延时和切换延时要优于传统方法,有效地降低了系统认证的延时.安全性分析表明,框架中的基于双私钥的CPK方案满足双向接入认证安全,有效地解决了密钥托管问题.     

An optimized authentication protocol for mobile networks

Practical secure communication of mobile systems with low communication cost has become one of the major research directions. An established public key infrastructure (PKI) provides key management and key distribution mechanisms, which can lead to authentication and secure communication. Adding public key cryptography to Kerberos provides a nice congruence to public key protocols, which can obviate the human users’ burden to manage strong passwords. This paper emphasizes on authentication as a considerable issue related to security. Additionally, an efficient and secure hybrid authentication protocol for large mobile network is proposed. Its infrastructure accommodates explosive growth of the large mobile network. It reduces the communication cost for providing secure network access in inter-domain communication. This method is based on symmetric cryptosystem, PKI, challenge–response and hash chaining.     

TEASE: A novel Tunnel-based sEcure Authentication SchemE to support smooth handoff in IEEE 802.11 wireless networks

With the growing popularity of WiFi-based devices, WiFi-based wireless networks have received a great deal of interest in the wireless networks community. However, due to the limited transmission range of WiFi-based networks, mobile users have to switch their associated access points constantly to maintain continuing communications during their movement. The process of switching access points is called handoff. Handoff management is a key service in mobile networks, because providing seamless roaming in wireless networks is mandatory for supporting real-time applications in a mobile environment, such as VoIP, online games, and eConference. Security is another important issue in network communications, and to prevent possible attacks, authentication is required during the handoff process to guarantee the reliability of mobile clients and access points. In this paper, we propose a novel authentication scheme to achieve a smooth handoff in WiFi-based networks, which we refer to as TEASE. A tunnel is introduced to forward data packets between the new access point and the original reliable access point. The processing of a complete secure authentication and the transmitting of data between mobile terminals and their correspondence nodes can go on simultaneously. The security of handoff is achieved without increasing overhead to authentication servers, and handoff latency can be minimized to support seamless roaming. Simulation results show that our proposed scheme reduces significantly the communication interruption time and generates low packet loss ratio, and our method is suitable to be used for secure handoff in real-time applications.     

基于tPUF的物联网设备安全接入方案

针对现有的物联网设备安全接入方案不适用于资源受限的物联网设备的问题,提出一种基于tPUF的物联网设备安全接入方案。利用物理不可克隆函数技术（Physical Unclonable Function,PUF）,物联网设备不需要存储任何秘密信息,实现设备与认证端的双向认证以及协商会话秘钥;利用可信网络连接技术（Trusted Network Connect,TNC）,完成认证端对物联网设备的身份认证、平台身份认证、完整性认证。安全性分析表明,方案能够有效抵抗篡改、复制、物理攻击等。实验结果表明,相较于其他方案,该方案明显降低了设备的资源开销。     

基于分离机制网络的可信域内快速认证协议

分离机制网络明确地分离了主机身份与位置信息,将互联网体系划分为接入网与核心网两大类,很好地解决了互联网的扩展性和移动性等问题.基于分离机制网络,结合可信计算技术,提出一种终端域内切换时的快速认证方案,在对终端用户身份进行认证的同时,对终端平台进行身份认证和完整性校验.在本方案中,终端进行域内切换时不需要本域的认证中心再次参与,仅由接入交换路由器通过Token即可完成认证.认证过程可以保持用户身份和平台信息的匿名性,减轻了认证中心的负担.与其他方案相比,本方案在认证开销、认证延迟以及安全性等方面均有明显优势.安全性分析结果表明本方案是安全高效的.     

一种无线局域网多安全域间的密钥共识协议

在无线局域网中，不同管理机构下移动用户和认证服务器构成的安全域不同，如果一个安全域的用户需要访问其他安全域时，用户与异地安全域的密钥共识是一个有待解决的安全问题。提出了一种多安全域间的密钥共识协议MKAP，该协议可以解决跨安全域访问时本地安全域的认证服务器与异地安全域认证服务器间的密钥共识以及移动用户与异地安全域的密钥共识，MKAP将跨安全域访问按基于本地的跨域访问和基于移动IP跨域访问两种情形分别提出了解决方案。     

MIPv6快速层次化切换的高效认证机制研究

针对移动IPv6（MIPv6）层次化切换中各节点之间的身份认证问题,提出一种新的基于MIPv6快速层次化切换的认证机制。利用改进的IBS签名方案和层次化的网络结构,从域间切换和域内切换两个角度分别论述了移动节点和新访问域之间的双向认证和切换性能的问题。分析结果表明基于MIPv6快速层次化切换的认证机制效率高,安全性好,仅需来回一次消息交互就能实现切换与接入认证和绑定更新的同步。     

Go anywhere: user-verifiable authentication over distance-free channel for mobile devices

Current mobile technology gives us ubiquitous services with personal mobile devices such as smart phones, tablet PCs, and laptops. With these mobile devices, the human users may wish to exchange sensitive data with others (e.g., their friends or their colleagues) over a secure channel. Public key cryptography is a good solution for establishing this secure channel. However, it is vulnerable to man-in-the-middle attack, if the entities have no shared information. A number of techniques based on human-assisted out-of-band channels have been proposed to solve this problem. Unfortunately, these works have a common shortcoming: The human users must be colocated in close proximity. In this paper, we focus on how to construct a distance-free channel, which is not location-limited for establishing a secure channel between two users (devices). The proposed distance-free channel provides identification and authentication of the devices at the different locations using taken pictures or pre-stored images. The human user participates in the authentication process by sending and verifying an image. We describe the prototype implementation operated on a smart phone and show the experimental results when actually two smart phones share a common key using Diffie–Hellman key agreement over the proposed distance-free channel.     

移动IPv6网络基于身份签名的快速认证方法

接入认证对移动IPv6网络的部署和应用至关重要,在切换过程中加入认证过程会影响移动IPv6网络的切换性能.当前,对移动IP网络中接入认证的研究大多没有考虑对切换性能的影响.另外,目前许多双向认证机制都是基于证书的方式来实现,无线移动环境的特殊性使得这种方式并不适合无线移动网络.一种适用于移动IPv6网络的基于身份签名的快速双向认证方法被提了出来.该方法使用NAI(network access identifier)作为公钥,简化了无线移动环境中的密钥管理问题,有效地解决了基于PKI(private key     

IEEE802.1x认证在校园网中的应用

IEEE802.1x是基于端口的访问控制协议,由客户端系统、认证系统和认证服务器系统三个部分组成。利用802.1x协议可以实现联网用户的身份认证、授权、计费等功能,全面提高了校园网的安全性和可管理性。     

移动IPv6网络基于身份的层次化接入认证机制

设计了一种基于身份的层次化签名方案,并在该方案基础上提出了一种适用于移动IPv6网络环境的层次化接入认证方法.该方法使用分级NAI(Network Access Identifier)作为公钥,简化了无线移动环境中的密钥管理;利用层次化思想对接入认证和移动注册进行层次化管理,减少了切换认证处理流程;基于签名机制实现了用户与接入网络的双向认证.作者用设计的切换延时分析模型,对该方法和几种传统方法进行了比较,证明当移动节点远离家乡域及在一定范围内频繁微移动时,该方法比传统方法的效率更高.通过安全性分析证明了该方法在一定程度上实现了私钥的保密性、签名的不可伪造性等功能.最后还讨论了该方法的一种可扩展变形,用于实现多级层次化移动IPv6框架下的接入认证.     

MASHED: Security and privacy-aware mutual authentication scheme for heterogeneous and distributed mobile cloud computing services

ABSTRACT

Rapid development in mobile devices and cloud computing technologies has increased the number of mobile services from different vendors on the cloud platform. However, users of these services are facing different security and access control challenges due to the nonexistence of security solutions capable of providing secure access to these services, which are from different vendors, using a single key. An effective security solution for heterogeneous Mobile Cloud Computing (MCC) services should be able to guarantee confidentiality and integrity through single key-based authentication scheme. Meanwhile, a few of the existing authentication schemes for MCC services require different keys to access different services from different vendors on a cloud platform, thus increases complexity and overhead incurred through generation and storage of different keys for different services.

In this paper, an efficient mutual authentication scheme for accessing heterogeneous MCC services is proposed. The proposed scheme combines the user’s voice signature with cryptography operations to evolve efficient mutual authentication scheme devoid of key escrow problem and allows authorized users to use single key to access the heterogeneous MCC services at a reduced cost.     

物联网环境下移动节点可信接入认证协议

无线传感器网络（WSN）中的移动节点缺乏可信性验证,提出一种物联网（IoT）环境下移动节点可信接入认证协议。传感器网络中移动汇聚节点（Sink节点）同传感器节点在进行认证时,传感器节点和移动节点之间完成相互身份验证和密钥协商。传感器节点同时完成对移动节点的平台可信性验证。认证机制基于可信计算技术,给出了接入认证的具体步骤,整个过程中无需基站的参与。在认证时利用移动节点的预存的假名和对应公私钥实现移动节点的匿名性,并在CK（Canetti-Krawczyk）模型下给出了安全证明。在计算开销方面与同类移动节点认证接入方案相比,该协议快速认证的特点更适合物联网环境。     

IKEv2 authentication exchange model and performance analysis in mobile IPv6 networks

Internet Key Exchange version 2 (IKEv2) is taking the responsibility for distribution and management of reliable authentication key. IKEv2 can secure fast hand off, confidentiality of data, safe transmission, and multihoming to transmission node. In this paper, we designed and constructed the network based on real mobile node and experimented the modeling of IKEv2 protocol through the simulation. We analyzed the resetting of authentication key and re-exchange problem. And we experimented the effect that key exchange is affected by a limited bandwidth based on data analysis. To overcome delay time, we proposed multi-interface of node and analyzed performance and latency for authentication setting and exchange process. The simulation results show that re-authentication of key is impossible to reset because of limited bandwidth of network. Also, the use of proposed multi-interface can minimize key exchange latency that happened by hand off for IPSec transmission.     

移动通信中的密钥托管方案

本文以文献[5]中移动通信网的安全密钥分配协议为基础，提出了一种适用于数字移动通信网的密钥托管方案，该方案可以任意指定托管方数量，能够保证移动用户问的安全通信，实现网络中心与通信双方的相互认证，并提供给法律执行机构实时监听无线通信的能力．     

Providing EAP-based Kerberos pre-authentication and advanced authorization for network federations

Kerberos is a well-known standard protocol which is becoming one of the most widely deployed for authentication and key distribution in application services. However, whereas service providers use the protocol to control their own subscribers, they do not widely deploy Kerberos infrastructures to handle subscribers coming from foreign domains, as happens in network federations. Instead, the deployment of Authentication, Authorization and Accounting (AAA) infrastructures has been preferred for that operation. Thus, the lack of a correct integration between these infrastructures and Kerberos limits the service access only to service provider's subscribers. To avoid this limitation, we design an architecture which integrates a Kerberos pre-authentication mechanism, based on the use of the Extensible Authentication Protocol (EAP), and advanced authorization, based on the standards SAML and XACML, to link the end user authentication and authorization performed through an AAA infrastructure with the delivery of Kerberos tickets in the service provider's domain. We detail the interfaces, protocols, operation and extensions required for our solution. Moreover, we discuss important aspects such as the implications on existing standards.     

GSM移动通信用户鉴权算法的分析与实现

首先分析研究了ＧＳＭ（Ｇｌｏｂａｌｓｙｓｔｅｍ ｆｏｒ ｍ ｏｂｉｌｅ）数字移动通信系统的安全技术,特别是有关用户鉴权与密钥分配的协议,然后以改进的ＦＥＡＬ算法为核心,构造了一个２Ｍ 比特并联杂凑ＦＥＡＬ－４（Ｘ）Ｓ加密算法,实现了ＧＳＭ 数字移动通信系统的身份认证与密钥分配的Ａ３／Ａ８ 算法。本文对该组加密算法及其性能进行了详细分析,并给出了在计算机上模拟的结果。     

物联网移动节点直接匿名漫游认证协议

无线网络下传统匿名漫游协议中远程域认证服务器无法直接完成对移动节点的身份合法性验证,必须在家乡域认证服务器的协助下才能完成,导致漫游通信时延较大,无法满足物联网感知子网的快速漫游需求.针对上述不足,提出可证安全的物联网移动节点直接匿名漫游认证协议,远程域认证服务器通过与移动节点间的1轮消息交互,可直接完成对移动节点的身份合法性验证.该协议在实现移动节点身份合法性验证的同时,具有更小的通信时延、良好的抗攻击能力和较高的执行效率.相较于传统匿名漫游协议而言,该协议快速漫游的特点更适用于物联网环境.安全性证明表明,该协议在CK安全模型下是可证安全的.     

5G异构网络中基于群组的切换认证方案

随着5G网络的发展,各类网络服务质量极大提升的同时网络环境也愈加复杂,从而带来了一系列安全挑战。切换认证可以解决用户在不同类型网络间的接入认证问题,但现存方案仍存在一些不足,还需要解决如全局切换认证、密钥协商、隐私保护、抵抗伪装攻击、抵抗中间人攻击、抵抗重放攻击以及群组用户切换效率等问题。针对这些问题,提出了一个5G异构网络中基于群组的切换认证方案。在所提出的方案中,注册域服务器在区块链上为每个用户存入一个通行证,任何实体都可以利用该通行证对用户进行认证,从而实现全局切换认证。对于群组用户,各用户分别设置可聚合的认证参数,验证者通过验证聚合签名实现对群组用户的批量验证。新方案不仅提升了群组用户切换时的效率,同时还满足上述安全性要求。基于形式化分析软件AVISPA的分析结果表明,所提出的方案是安全的。性能分析表明,所提出的方案执行批量验证时的效率比现存方案至少提升了89.8％。     

Wireless Handheld Devices Become Trusted Network Devices

ABSTRACT

In the world of information technology, a security model is only as secure as its weakest link. There are several layers of security and different measures that can currently be implemented. However, they lack coordination, and therefore potential security breaches might compromise the network. With wireless access becoming the norm, and users requiring “on the move communication” even within a campus, networks are expanding past the traditional wired networks by adding wireless access points. This gives customers the flexibility they require but leaves a net threat vector to the network. There have been various encryption and security steps taken to validate the communication and authentication of the devices and end users connecting. This project addresses the critical problem of secure authentication using the 802.1x standard, which will be implemented using Microsoft's Radius server elements. It will involve the enrollment of secure certificates on Windows mobile devices, thus securing mobile devices from physical attacks. To ensure that all steps are adhered to, that all necessary applications have been installed, and to handle Web service communication, an application will be created that will provide an automated solution.