异构无线网络可证安全的接人认证和密钥交换协议

针对异构网络模型BRAIN（Broadband Radio Access for IP based Network）中的安全第一跳通信，提出一种新的基于Canetti-Krawczyk（CK）可证安全模型的双向认证和密钥交换协议．根据该模型方法，首先构造并证明了一种理想环境下的混合密钥交换协议HKE；然后利用现有安全的消息传输认证器构造一个适合BRAIN网络安全第一跳的认证器．最后利用该认证器自动编译理想的HKE协议，得到可证安全和实际可行的PHKE协议．分析比较表明，该协议更安全有效．     

无线局域网密钥协商协议安全性分析与改进

分析了中国无线局域网标准中无线鉴别基础设施WAI（WLAN Authentication Infrastructure），指出其中密钥协商协议缺乏密钥确认、易遭受拒绝服务攻击等安全问题。提出了一种采用三次握手和带消息认证的密钥协商协议，以及周期密钥更新协议．使用BAN逻辑对提出的改进密钥协商协议进行形式化分析，验证了其正确性．与WAI比较，提出的协议具有较少的交互性，提供了消息鉴别并具有抗拒绝服务攻击能力。     

通用可组合安全的WLAN Mesh网络可信接入认证协议

现有的WLAN Mesh网络接入协议和可信网络接入协议在性能和安全性方面不能很好的满足WLAN Mesh网络可信接入的要求.针对这一情况,提出了一种高效的可证明安全的WLAN Mesh网络可信接入协议MN-TAP,该协议仅需4轮交互就能实现访问请求者,策略执行点和策略决策点三者之间的用户认证和密钥确认,同时在第一轮交互中就实现了策略决策点对访问请求者平台身份的认证和平台完整性的校验,提高了协议执行的效率,降低了服务器端的负载.利用通用可组合安全模型对新协议进行了安全性证明,并对协议性能进行了对比分析.结果表明:新协议达到通用可组合安全,且与现有协议相比性能优势明显.     

基于SIP的WWANs和WLANs之间的垂直切换

基于应用层的会话发起协议（SIP）对底层的透明性、部署的简易性及可缩放性,已经被确定为异构无线网络中处理移动性的最合适协议。但是,SIP需要应用层传输和处理消息．这会引入相当大的时延。文章分析了WLAN—UMTS互联网中使用SIP的垂直切换有关的时延。分析结果表明．对支持实时多媒体业务来说,WLAN到UMTS切换导致不可接受的时延．并且主要是由于SIP信令消息在易出错且带宽受限的无线链路上的传输引起的。而UMTS到WLAN的切换建立的时延很少,该时延的主要部分是WLAN网关和服务器信令消息的处理时延。     

一种基于WLANMESH网络中的EAP-TLS接入认证方案

MESH是一种新型的无线网络,安全的认证机制是确保WLAN MESH网络安全问题的前提条件。研究了WLAN MESH网络的结构特点,提出一种基于IEEE802.1x标准下的EAP-TLS协议认证方案,利用EAP-TLS双向认证机制来实现WLAN MESH网络中安全接入认证。并对该协议的认证流程及安全性进行了描述与分析。     

一种WLAN Mesh网络漫游接入认证协议

针对WLAN Mesh网络节点漫游接入过程中现有协议的不足,通过利用EMSA(efficient mesh security association)初始认证过程中所建立的安全链路和消息认证码技术,并引入修改后的DH(Diffie Hellman)密钥交换过程,提出了一种能有效满足漫游接入性能和安全性需求的接入认证协议。该协议不仅具有基本的SK(session key,会话密钥)安全属性,还具有较小的接入时延,能够适应Mesh网络拓扑变化的特性,在完成双向接入认证过程的同时,完成了密钥的生成,并能较好地隐藏终端节点的身份信息。     

无线传感器网络中的群密钥协商协议研究

无线传感器网络由大量随机分布的传感器节点组成,这些节点在各自的环境进行信息采集、数据处理,并将信息传输至数据终端。文章提出了一个健壮的、可证明安全的可认证群密钥协商协议,该协议满足实用性、简单性和强安全性的要求。本文提出的可认证群密钥协商协议是基于椭圆曲线、双线性映射和Burmester和Desmedt协议实现。该协议通过两轮广播完成群会话密钥协商,比以前可认证群密钥协商协议需要更低的计算和通信开销。     

IMS接入认证及密钥分配机制优化方法

用户终端通过通用移动通信系统（UMTS）分组域接入到IP多媒体子系统（IMS）时,UMTS分组域和IMS会分别对用户终端独立地进行两次认证和密钥分配,两次操作过程具有较大的相似性,造成了重复的通信开销,缺乏效率。通过分析IMS认证与密钥分配协议（IMS AKA）过程,发现协议中存在安全漏洞,容易受到伪装攻击。文章提出了一种优化与改进方法ESAKA（Efficient and Security AKA）,在提高IMSAKA效率的同时,可以解决用户终端对S-CSCF的认证及网络端信息传输的安全性。     

基于融合网络的WLAN漫游认证方式研究

在网络融合的趋势下,通过电信网络为WLAN网络提供终端认证将是未来WLAN业务认证的主要方式。为高效、安全地实现网间漫游状态下WLAN的鉴权认证,本研究分析了在网间漫游状态下WLAN的鉴权需求,讨论了鉴权模式、流程和存在的问题,提出了基于EAP SIM/AKA协议的、非中转方式的WLAN漫游认证方案,并进行了验证。实验结果证明该非中转认证方案可以满足终端在漫游状态下实现EAP SIM/AKA认证的需要,同时增强了系统的安全性,降低了投资成本,实现了实时计费。     

七号信令网中基于MTP3层的安全机制研究

七号信令系统作为电信网络的神经系统,其安全问题日益严重.给出了SS7网络面临的主要安全威胁,分析了攻击者利用网络缺乏认证机制,通过MTP3层的网络管理消息对七号信令网实施攻击.提出用密钥交换协议和认证头协议对MTP3层进行安全保护,增强SS7网络的安全性.     

一种泛在网络的安全认证协议

泛在网络是标准的异质异构网络,保证用户在网络间的切换安全是当前泛在网的一个研究热点。该文对适用于异构网络间切换的认证协议EAP-AKA进行分析,指出该协议有着高认证时延,且面临着用户身份泄露、中间人攻击、DoS攻击等安全威胁,此外接入网络接入点的有效性在EAP-AKA协议中也没有得到验证,使得用户终端即使经过了复杂的认证过程也不能避免多种攻击。针对以上安全漏洞,该文提出一种改进的安全认证协议,将传统EAP-AKA的适用性从3G系统扩展到泛在网络中。新协议对传播时延和效率进行完善,为用户和接入点的身份信息提供有效性保护,避免主会话密钥泄露,采用椭圆曲线Diffie Hellman算法生成对称密钥,在每次认证会话时生成随机的共享密钥,并实现用户终端与家乡域网络的相互认证。通过开展实验,对协议进行比较分析,验证了新协议的有效性及高效率。     

异构无线网络可控匿名漫游认证协议

分析传统的匿名漫游认证协议,指出其存在匿名不可控和通信时延较大的不足,针对上述问题,本文提出异构无线网络可控匿名漫游认证协议,远程网络认证服务器基于1轮消息交互即可完成对移动终端的身份合法性验证;并且当移动终端发生恶意操作时,家乡网络认证服务器可协助远程网络认证服务器撤销移动终端的身份匿名性.本文协议在实现匿名认证的同时,有效防止恶意行为的发生,且其通信时延较小.安全性证明表明本文协议在CK安全模型中是可证安全的.     

A secure enhanced privacy-preserving key agreement protocol for wireless mobile networks

The rapid proliferation of mobile networks has made security an important issue, particularly for transaction oriented applications. Recently, Jo et al. presented an efficient authentication protocol for wireless mobile networks and asserted that their proposed approach provides all known security functionalities including session key (SK) security under the assumption of the widely-accepted Canetti–Krawczyk (CK) model. We reviewed Jo et al.’s proposed roaming protocol and we demonstrate that it fails to provide the SK-security under the CK-adversary setting. We then propose an enhancement to Jo et al.’s roaming protocol to address the security drawback found in Jo et al.’s protocol. In the enhanced roaming protocol, we achieve the SK-security along with reduced computation, communication and storage costs. We also simulate the enhanced roaming protocol using NS2 for end-to-end delay and network throughput, and the simulation results obtained demonstrate the efficiency of our protocol.     

一个可证安全的基于身份多密钥认证协商协议

An authentication multiple key agreement protocol allows the users to compute more than one session keys in an authentication way. In the paper, an identity-based authentication multiple key agreement protocol is proposed. Its authentication part is proven secure against existential forgery on adaptively chosen message and ID attacks under the random oracle model upon the CDH assumptions. The session keys are proven secure in a formal CK security model under the random oracle model upon the CBDH assumptions. Compared with the previous multiple key agreement protocols, it requires less communication cost.     

车载网中可证安全的无证书聚合签名算法

为了实现车载自组织网络中车辆节点之间信息传输的安全认证,该文设计了一种无证书聚合签名方案。提出的方案采用无证书密码体制,消除了复杂的证书维护成本,同时也解决了密钥托管问题。通过路侧单元生成的假名与周围节点进行通信,实现了车辆用户的条件隐私保护。在随机预言模型下,证明了方案满足自适应选择消息攻击下的存在性不可伪造。然后,分析了方案的实现效率,并模拟实现了车载自组网(VANET)环境中车流密度与消息验证的时间延迟之间的关系。结果表明,该方案满足消息的认证性、匿名性、不可伪造性和可追踪性等性质,并且通信效率高、消息验证的时延短,更适合于动态的车载自组织网络环境。     

Bidirectional authentication key agreement protocol supporting identity’s privacy preservation based on RLWE

In order to solve the problem of identity privacy preservation between two participants involved when implementing authenticated key agreement protocol,a bidirectional authenticated key agreement protocol against quantum attack based on C commitment scheme was proposed.Through the design of C commitment function,the real identity information of two participants involved was hidden.Based on RLWE difficult problem,under the premise to ensure identity anonymity,this protocol not only completed two-way identity authentication,but also ensured the integrity of the transmitted message,furthermore,the shared session key was negotiated.After been analyzed,in terms of protocol’s execution efficiency,only two rounds of message transmission were needed to complete anonymous two-way authentication and key agreement in the proposed scheme.Compared with Ding’s protocol,the length of public key was reduced by nearly 50%.With regard to security,the protocol could resist forgery,replay,key-copy,and man-in-the-middle attacks.It is proved that the proposed protocol satisfies the provable security under the eCK model.At the same time,the protocol is based on the RLWE problem of lattices,and can resist quantum computing attacks.     

caTBUA: Context‐aware ticket‐based binding update authentication protocol for trust‐enabled mobile networks

Existing binding update (BU) authentication protocols do not consider context information, such as trust, location, and current time, when verifying a mobile node's care‐of address (CoA). Instead, the correspondent node executes its own CoA validation in spite of facing a highly trusted situation or simply bypasses the CoA validation, making it difficult to maintain a reasonable trade‐off between security and efficiency. This paper applies the context‐aware concept to the BU process and proposes a new context‐aware ticket‐based binding update authentication (caTBUA) protocol. The proposed protocol dynamically performs an appropriate CoA validation based on the context information to achieve a good balance between security and efficiency. Utilizing numerical analysis to compare the performance of the proposed protocol to that of existing authentication protocols in terms of authentication cost and authentication message transmission latency confirmed that the proposed caTBUA protocol yields a better performance than the existing BU authentication protocols. Copyright © 2010 John Wiley & Sons, Ltd.     

Efficient communication protocol of group negotiation in VANET

An efficient communication protocol of group negotiation was proposed.The protocol adopted self-checking authentication in group to avoid the nodes sending certificates to the authentication center which improved the efficiency of identification.At the same time,the group establishment among nodes which through negotiation ensured the communication confidentiality and prevented the phenomenon of single-point failure.Besides,a group key transmission scheme was proposed to reduce the frequency of authentication for legal vehicles and improve the speed of joining in the group.At the end,theoretical analysis and simulation results demonstrate that the proposed protocol not only meets the security requirements of communication in VANET,but also shows much better performance than previous reported schemes on verification delay,transmission overhead and average delay.     

Conditional privacy protection authentication scheme based on bilinear pairings for VANET

To solve the problem of security and efficiency of anonymous authentication in the vehicle Ad-hoc network（VANET）, a conditional privacy protection authentication scheme for vehicular networks is proposed based on bilinear pairings. In this scheme, the tamper-proof device in the roadside unit (RSU) is used to complete the message signature and authentication process together with the vehicle, which makes it more secure to communicate between RSU and trusted authority (TA) and faster to update system parameters and revoke the vehicle. And this is also cheaper than installing tamper-proof devices in each vehicle unit. Moreover, the scheme provide provable security proof under random oracle model (ROM), which shows that the proposed scheme can meet the security requirements such as conditional privacy, unforgeability, traceability etc. And the results of simulation experiment demonstrate that this scheme not only of achieves high efficiency, but also has low message loss rate.