Similar literature
 20 similar documents found, search time 31 ms
1.
In IP multicast, the group management protocol currently in use, IGMP, provides no access control: any end user may freely join a multicast group. Furthermore, IGMP messages are transmitted without any encryption, so their security cannot be guaranteed. Authentication of IGMP messages and an access control policy have therefore become an important problem requiring urgent solution. Appending an access token to IGMP messages can solve some of the security problems of the IGMP protocol, but the method still has shortcomings. On this basis, a method of encrypted access tokens is proposed, and how the tokens are requested, generated, transmitted and used is described. Encrypted access tokens can securely carry authentication and access control information, can be used multiple times, and do not require establishing a security association (SA) between the user and the multicast router, which improves the efficiency of token use.

2.
The classical IP multicast model makes it impossible to restrict the forwarded data to that originated by an authorized sender. Without effective sender access control, an adversary may exploit the existing IP multicast model, where a sender can send multicast data without prior authentication and authorization. Even a group key management protocol that efficiently distributes the encryption and the authentication keys to the receivers will not be able to prevent an adversary from spoofing the sender address or replaying any previously sent data and hence flooding the Data Distribution Tree. This can create an efficient Denial of Service attack. In this paper, we propose an architecture for sender access control and data distribution control in inter-domain multicast groups. For sender access control, the Protocol for Carrying Authentication for Network Access, encapsulating Extensible Authentication Protocol packets, is used to authenticate a sender and to establish an IPsec Security Association between the sender and the Access Router to cryptographically authenticate each packet. This access control architecture is then extended to support inter-domain multicast groups by making use of Diameter agents. An inter-domain Data Distribution Tree (DDT) is distributed over different domains. Hence, sender access control will be meaningless without protecting the whole DDT. We have protected the DDT from several attacks generated by a compromised network entity by carrying the multicast data in one or a series of Multicast Security Associations (MSA). Two alternative solutions have been developed that detect and stop forwarding of any forged packet by utilizing multiple checkpoints in the DDT. The first method uses a centralized MSA for the whole DDT while the second method uses a number of small-sized MSAs. Next, the two methods have been compared with respect to different features, such as establishment and maintenance costs, delivery time, etc.
The MSA method has been compared with Keyed HIP (KHIP), and we have established that MSA-based methods reasonably outperform KHIP. Finally, the security properties of MSA construction using the GDOI protocol have been validated using the AVISPA tool. Two attacks have been detected by AVISPA, which we have fixed by modifying the GDOI protocol. The security properties of the data transmission method through MSAs using the Authentication Header (AH) protocol have also been analyzed.

3.
Authentication is one of the most important services in a wireless LAN. EAP-IKEv2 is a new EAP-based authentication and key distribution protocol. This paper analyzes the message flow and security of the EAP-IKEv2 protocol in detail and uses the protocol analysis tool AVISPA to verify its security; the results show that EAP-IKEv2 guarantees mutual authentication between the EAP client and the authentication server.

4.
李军  张瀚文  叶新铭 《计算机应用》2006,26(6):1263-1266
Addressing the need of wireless LANs to perform data-link-layer access control on Mobile IPv6 mobile nodes (MNs), an authentication, authorization and accounting (AAA) system supporting mobile roaming is designed and implemented. The system consists of a front-end wireless access point (AP) supporting the 802.1x protocol, a back-end EAP authentication server and a web accounting management server, and Diameter peers that relay AAA messages between the front end and the back end. The system supports multiple EAP authentication methods, roaming between administrative domains, and accounting by traffic volume or by time.

5.
Research on optimizing the authentication mechanism in heterogeneous network handover   Total citations: 2, self-citations: 1, citations by others: 1
Based on a network-layer authentication architecture that combines the Protocol for Carrying Authentication for Network Access (PANA) with the Extensible Authentication Protocol (EAP), and using pre-authentication together with authentication-association credentials, an optimization of a network-layer joint authentication mechanism is proposed that reduces authentication delay during handover between heterogeneous networks. Simulation comparison with two other authentication optimization methods, IEEE 802.11i pre-authentication and network-layer-assisted link-layer pre-authentication, shows that it effectively reduces the authentication delay of handover between heterogeneous networks.

6.
The Authentication and Key Agreement (AKA) protocol, the access authentication and key distribution protocol of the Universal Mobile Telecommunications System (UMTS), is still adopted by the IP Multimedia Subsystem (IMS), although with some changes in the specific flow. This paper analyzes the IMS access AKA process and points out that it has certain security vulnerabilities, such as a fake P-CSCF spoofing attack and the secure transmission of the IMPI. To address these vulnerabilities, the paper uses a shared key and a public-key certification authority to design an improved, optimized authentication and key agreement scheme. Finally, a security analysis shows that the proposed scheme effectively improves the security of the IMS authentication and key agreement protocol.

7.
In this article, security challenges related to a mobile heterogeneous networking environment and the general access patterns are discussed. A novel, unified networking architecture that enables secure heterogeneous networking, both in terms of networks and of user devices, is discussed. A comprehensive security framework providing a generalized authentication scheme using the Extensible Authentication Protocol (EAP) is then presented, taking into account existing methods for secure network and device access.

8.
To solve the problem of authenticating receivers in source-specific multicast, a receiver authentication scheme for source-specific multicast is proposed on the basis of a study of the real IPv6 source address validation architecture. The scheme loads an authentication function onto the router directly connected to hosts, which authenticates the multicast authentication code of multicast receivers, thereby verifying the legitimacy of receivers and preventing theft of multicast service in the network. A multicast port list stored in the layer-3 switch is designed to solve the access control problem for multicast receivers within the same LAN. Simulation experiments show that the scheme can authenticate multicast receivers with little impact on multicast efficiency.

9.
IP multicast technology and its applications   Total citations: 3, self-citations: 1, citations by others: 2
IP multicast is an emerging technology that uses conventional TCP/IP networks as its carrier and offers one-to-many and many-to-many data delivery, providing a means for real-time network multimedia and bulk data transmission. This paper briefly introduces the origin, development and applications of IP multicast technology, focusing on its working mechanism, including the construction of multicast addresses, the Internet Group Management Protocol and routing techniques.

10.
With the development of security authentication technology, network authentication has become an important link in ensuring network security. The widely used IEEE 802.1X is an authentication framework built on the Extensible Authentication Protocol (EAP). EAP offers many authentication protocols, each with its own advantages and disadvantages: some do not protect the username, some do not provide mutual authentication, and some are difficult to deploy. To address these shortcomings, a hash-function-based authentication protocol is proposed. The specific authentication process of the protocol is described, its security is analyzed, and finally it is compared with some current authentication protocols.

11.
To overcome the openness of the IP multicast model and enable multicast managers to control users' access to channels under current Internet conditions, a design for a multicast user security management system model in an IPv6 network environment is proposed on the basis of the existing secure multicast model. The scheme uses a hook mechanism to mount an authentication and access control module on the access router; any user wishing to listen to a multicast stream must pass identity authentication and a channel access permission check by this module, thus realizing channel-based secure management of multicast users. The identity authentication and access control functions of the system were verified experimentally on the education and research backbone network.

12.
赵纪  魏达  王健  刘衍珩  王琳 《计算机工程》2010,36(13):269-271,275
By analyzing how the Diameter protocol and PANA fit together in terms of working mode and protocol structure, a complete scheme for using the two in combination is proposed, including the architecture of the key device at their point of integration and an implementation method based on the Open Diameter open-source package. Experimental results show that the scheme satisfies a network system's complex requirements for authentication, authorization and accounting.

13.
Kerberos is a well-known standard protocol which is becoming one of the most widely deployed for authentication and key distribution in application services. However, whereas service providers use the protocol to control their own subscribers, they do not widely deploy Kerberos infrastructures to handle subscribers coming from foreign domains, as happens in network federations. Instead, the deployment of Authentication, Authorization and Accounting (AAA) infrastructures has been preferred for that operation. Thus, the lack of a correct integration between these infrastructures and Kerberos limits service access to the service provider's own subscribers. To avoid this limitation, we design an architecture which integrates a Kerberos pre-authentication mechanism, based on the use of the Extensible Authentication Protocol (EAP), and advanced authorization, based on the SAML and XACML standards, to link the end user authentication and authorization performed through an AAA infrastructure with the delivery of Kerberos tickets in the service provider's domain. We detail the interfaces, protocols, operation and extensions required for our solution. Moreover, we discuss important aspects such as the implications on existing standards.

14.
Public wireless LAN (PWLAN), a new public broadband mobile data access service, provides the public with convenient wireless Internet access. However, because its data transmission links are physically open, it suffers more serious security risks than wired networks. This paper discusses the EAP authentication protocol based on 802.1x and its implementation technology, and proposes a design and implementation of the EAP authentication client and authenticator for PWLAN. Test results show that the authentication system effectively improves the security of PWLAN.

15.
王斐  陈玲  陆建德 《微机发展》2008,(10):143-147
Wireless network access security is one of the important topics in network security. This paper reviews the 802.1x EAP authentication technology adopted in 802.11i, studies in depth how a wireless campus network can achieve secure access and authentication, and proposes a wireless network architecture in which FreeRADIUS provides the AAA function, achieving mutual authentication of server and client with digital certificates via EAP-TLS, thereby improving wireless network security and protecting wireless network resources. Several 802.1x EAP authentication schemes for wireless campus networks are also analyzed and compared in depth, and recommendations are given for choosing a suitable EAP design according to the application environment of the campus network.

16.
A multicast protocol for switched Ethernet   Total citations: 15, self-citations: 1, citations by others: 15
王军  吴志美 《软件学报》2003,14(3):496-502
Currently, multicast services such as desktop conferencing, electronic whiteboards and video broadcasting mostly run in LAN environments, yet most LAN architectures, such as Ethernet, handle multicast data by broadcasting and offer only limited multicast support. Using IGMP snooping, a multicast protocol based on VLAN and IGMP is designed in layer-2 switches to control the ever-growing IP multicast traffic in switched Ethernet. The basic idea, syntax and semantics of the protocol are described, together with a procedure for verifying and testing it.

17.
Nowadays, network operators and educational and research communities are extending the access to their Internet application services to external end users by deploying, with other domains, the so-called identity federations. In these federations, end users use the identity and authentication credentials registered in their home organizations for accessing resources managed by a remote service provider. However, current identity federation solutions focus mainly on assisting network access and web services, while a significant number of services are left aside (e.g., SSH, FTP, Jabber, etc.). Taking advantage of the widespread adoption of Kerberos by current application services, this paper presents a solution to provide federated access to any kind of application service by using existing Authentication, Authorization and Accounting (AAA) infrastructures. The solution bootstraps a security association in the service provider, which enables the acquisition of a Kerberos credential to access the service. To link the end user authentication with the AAA infrastructure and the bootstrapping of the security association, the solution uses the so-called Protocol for Carrying Authentication for Network Access (PANA).

18.
Network access control mechanisms constitute an increasingly needed service as communications become more and more ubiquitous thanks to technologies such as wireless networks or Mobile IP. This paper presents a particular scenario where access rules are based not only on the identity of the different users but also on authorization data related to those users. In order to accomplish this general goal, it is necessary to add to the traditional system-specific services for authentication and authorization some entities able to manage the information related to identity, roles and permissions. Network access will be based on the 802.1X framework and the Authentication, Authorization, and Accounting (AAA) architecture, as they constitute the basis for most of the existing proposals for limiting the access to a restricted network. These proposals will be extended making use of an authorization infrastructure based on SAML statements, the RBAC model, and XACML as the main language for expressing authorization policies. The solution that we present in this paper is a consequence of an exhaustive and non-trivial analysis of the different mechanisms that could be used to provide this kind of service. As we will see, the correct integration of these different mechanisms leads to the definition of a scalable and versatile network access control system which conforms to the guidelines outlined by the AAA initiative.

19.
Multicast effectively realizes communication among multiple points, and how to use network-layer multicast technology to build a live streaming media system is one of the current research hot spots. Based on the MixCast model, a new secure multicast model at the network layer is proposed and implemented. Addressing the lack of security control in the current group management protocol IGMP, which provides no access control so that any end user may freely join a multicast group, receivers are authenticated through application-layer unicast, giving a method that solves the security and controllability problems of network-layer multicast. Experimental results show that the system offers good secure communication efficiency and controllability.

20.
Research on the Internet Group Management Protocol (IGMP)   Total citations: 2, self-citations: 0, citations by others: 2
IGMP is the important group management protocol in multicast implementations. This paper analyzes the three existing versions of the IGMP protocol, studying their working principles, message formats and protocol characteristics, as well as the support of IGMPv3 for source-specific multicast.


Copyright © 北京勤云科技发展有限公司 (Beijing Qinyun Technology Development Co., Ltd.)  京ICP备09084417号