物联网场景下算力网络终端安全接入研究

物联网算力网络中终端节点泛在分布，大规模泛在异构终端面临多种安全威胁。为解决泛在异构终端的安全接入问题并构建物联网算力网络终端安全保障体系，本文基于IPK轻量级标识公钥体系和零信任动态访问控制，提出了一种物联网算力网络终端安全接入方案，实现终端轻量级标识身份认证，通过最小化业务权限动态访问控制，确保只有通过严格认证和授权的终端接入物联网算力网络，保证终端业务安全访问。该方案满足了物联网算力网络终端的安全可信接入需求，可应对海量终端节点泛在分布和业务场景复杂等挑战。     

一种3G环境中基于无线网关的内网接入技术方案

随着政府信息化建设工程的快速发展和通信运营商3G网络的建设加速,手持终端设备作为信息接入点安全接入内网信息系统的需求越来越多,尤其是在电子政务、企业应用等应用方面。该文主要介绍了一种在3G无线网络环境下利用无线网络安全接入网关中转,实现移动终端和应用服务器的异构公钥证书的认证、安全数据传输的技术方案。     

异构无线网络可证安全的接人认证和密钥交换协议

针对异构网络模型BRAIN（Broadband Radio Access for IP based Network）中的安全第一跳通信，提出一种新的基于Canetti-Krawczyk（CK）可证安全模型的双向认证和密钥交换协议．根据该模型方法，首先构造并证明了一种理想环境下的混合密钥交换协议HKE；然后利用现有安全的消息传输认证器构造一个适合BRAIN网络安全第一跳的认证器．最后利用该认证器自动编译理想的HKE协议，得到可证安全和实际可行的PHKE协议．分析比较表明，该协议更安全有效．     

基于流认证的IPv6接入子网主机源地址验证

提出了一种以密码学方法实现的IPv6接入子网主机高速源地址验证方案。把主机MAC地址作为身份同主机公钥相绑定,利用密码生成地址算法从主机公钥衍生出IPv6接入子网地址,通过数字签名提供主机真实性的验证,以消息认证码和流认证技术实现接入网关对数据分组流IPv6地址的快速安全的验证。原型系统实验表明,该方案能够以低开销实现数据分组源地址验证,是一种安全、可行的方案。     

基于身份的异构无线网络匿名漫游协议

分析了一种基于身份的认证模型的安全缺陷,指出该方案存在身份伪装攻击,无法实现用户身份认证.提出了一种改进方案用于实现异构无线网络匿名漫游.与原方案相比,改进之处主要体现在2方面:第一,弥补了原协议的安全缺陷,并且在CK模型下是可证明安全的;第二,简化了协议流程,提高了协议的效率.     

介质独立信息服务的匿名访问协议

针对异构网络环境下介质独立信息服务(MIIS)的匿名访问需求,提出了一种MIIS匿名访问协议.协议中用户和信息服务器在家乡网络服务器的辅助下,既能实现双向认证,也能保护用户的隐私性.提出的协议与已有协议相比具有较好的性能,并且在CK模型下是可证明安全的.     

异构网络接入认证技术研究

各种无线传输技术在覆盖面积、频谱带宽及时延方面都有一定的局限性,能有效解决上述局限性的＂异构网络高速无线接入＂概念日益受到广泛关注,但是,要对异构网络的接入认证技术进行一体化设计是一项具有挑战性的课题。重点分析如何利用动态安全关联技术改善移动认证架构,研究异构网络和移动终端的统一认证及安全接入,有效提升移动终端在不同网络间切换的安全性能。     

异构无线网络可控匿名漫游认证协议

分析传统的匿名漫游认证协议,指出其存在匿名不可控和通信时延较大的不足,针对上述问题,本文提出异构无线网络可控匿名漫游认证协议,远程网络认证服务器基于1轮消息交互即可完成对移动终端的身份合法性验证;并且当移动终端发生恶意操作时,家乡网络认证服务器可协助远程网络认证服务器撤销移动终端的身份匿名性.本文协议在实现匿名认证的同时,有效防止恶意行为的发生,且其通信时延较小.安全性证明表明本文协议在CK安全模型中是可证安全的.     

一种提高WLAN网络AC认证成功率的方法

本文介绍一种通过分析接入端、传输端和认证服务器网络异常情况进而提高认证成功率的办法,其中需要进行大量的抓包分析。     

一种基于文件共享的P2P节点认证方案

身份认证是P2P（peertopeer）网络安全的重要组成部分,但传统的PKI（金钥基础设施）认证方式因为具有静态的集中化控制和固定的证书内容等特点,不能很好地满足P2P网络安全认证的需要,且在公钥的分发过程中容易遭受中间人攻击。为此,提出了一种新型的公钥管理架构和身份认证方案,每个节点可以自己产生并分发公私钥,认证服务器仅在节点加入网络时参与完成公钥的分发。超级节点负责管理本组内全部节点的公钥,节点在相互认证时无需认证服务器的参与,仅通过超级节点来完成。分析结果表明,这种认证方案可以有效地抵抗中间人攻击,在保持高效率的基础上又保证了认证的安全性。     

Towards generalized ID‐based user authentication for mobile multi‐server environment

With the popularity of Internet and wireless networks, more and more network architectures are used in multi‐server environment, in which mobile users remotely access servers through open networks. In the past, many schemes have been proposed to solve the issue of user authentication for multi‐server environment and low‐power mobile devices. However, most of these schemes have suffered from many attacks because these schemes did not provide the formal security analysis. In this paper, we first give a security model for multi‐server environment. We then propose an ID‐based mutual authentication and key agreement scheme based on bilinear maps for mobile multi‐server environment. Our scheme can be used for both general users with a long validity period and anonymous users with a short validity period. Under the presented security model, we show that our scheme is secure against all known attacks. We demonstrate that the proposed scheme is well suitable for low‐power mobile devices. Copyright © 2011 John Wiley & Sons, Ltd.     

可证明安全的异构无线网络认证协议

异构无线网络中互连的安全问题是当前研究的关注点，针对3G网络和WLAN（无线局域网）所构成的异构互连网络中认证协议的安全和效率问题，提出了一种基于离线计费方法的认证协议。该协议通过对WLAN服务网络身份进行验证，抵御了重定向攻击的行为；采用局部化重认证过程，减少了认证消息的传输延时，提高了认证协议的效率。仿真结果表明，该协议的平均消息传输延时相对于EAP—AKA协议缩短了大约一半。通过Canetti—Krawczyk（CK）安全模型对新协议进行了安全性证明，证明该协议具有SK—secure安全属性。     

异构无线网络可信接入设计及实现

异构无线网络互连后的安全问题是当前网络安全研究的一个热点问题,为了解决异构网络互连后产生的接入安全问题,提出了一种基于信任模型的可信接入框架,该框架建立了异构无线网络间的信任评价体系,对接入异构无线网络用户除了进行身份验证,还必须进行用户信任度的验证,既拒绝了恶意节点接入,又确保了合法节点的安全接入,从而保证异构无线网络互连接入的安全和可信。     

A novel universal authentication protocol based on combined public key in heterogeneous networks

Based on combined public key (CPK), a novel universal authentication protocol which conforms extensible authentication protocol (EAP) specification in heterogeneous networks was presented, so called EAP-CPK. Subsequently, detailed authentication process and related delay analysis of EAP-CPK in the 3rd Generation Partnership Project wireless local area network (3GPP-WLAN) interworking network were also given. In this paper, parameters from client and server related with mutual authentication process are classified systematically, and detailed verification process by using BurrowsAbadiNeedham89 (BAN) logic analysis is proposed. Security analysis results show that the proposed protocol is secure, and it not only can prevent man-in-the-middle attack and replay attack, but also can make lower system cost.     

无线网络中基于量子隐形传态的鲁棒安全通信协议

该文在深入研究无线网络802.11i鲁棒安全通信的基础上,提出基于量子隐形传态的无线网络鲁棒安全通信协议,利用量子纠缠对的非定域关联性保证数据链路层的安全。首先,对量子隐形传态理论进行描述,并着重分析临时密钥完整性协议和计数器模式及密码块链消息认证协议的成对密钥、组密钥的层次结构;其次,给出了嵌入量子隐形传态的成对密钥、组密钥的层次结构方案;最后,在理论上给出安全证明。该协议不需要变动用户、接入点、认证服务器等基础网络设备,只需增加产生和处理纠缠对的设备,即可进行量子化的密钥认证工作,网络整体框架变动较小。     

A pairing‐free identity‐based handover AKE protocol with anonymity in the heterogeneous wireless networks

Nowadays, seamless roaming service in heterogeneous wireless networks attracts more and more attention. When a mobile user roams into a foreign domain, the process of secure handover authentication and key exchange (AKE) plays an important role to verify the authenticity and establish a secure communication between the user and the access point. Meanwhile, to prevent the user's current location and moving history information from being tracked, privacy preservation should be also considered. However, existing handover AKE schemes have more or less defects in security aspects or efficiency. In this paper, a secure pairing‐free identity‐based handover AKE protocol with privacy preservation is proposed. In our scheme, users' temporary identities will be used to conceal their real identities during the handover process, and the foreign server can verify the legitimacy of the user with the home server's assistance. Besides, to resist ephemeral private key leakage attack, the session key is generated from the static private keys and the ephemeral private keys together. Security analysis shows that our protocol is provably secure in extended Canetti‐Krawczyk (eCK) model under the computational Diffie‐Hellman (CDH) assumption and can capture desirable security properties including key‐compromise impersonation resistance, ephemeral secrets reveal resistance, strong anonymity, etc. Furthermore, the efficiency of our identity‐based protocol is improved by removing pairings, which not only simplifies the complex management of public key infrastructure (PKI) but also reduces the computation overhead of ID‐based cryptosystem with pairings. It is shown that our proposed handover AKE protocol provides better security assurance and higher computational efficiency for roaming authentication in heterogeneous wireless networks.     

Remote access virtual private network architecture for high‐speed wireless internet users

The new emerging broadband wireless network (BWN) technologies with high‐speed wireless internet access promotes corporations to provide their roaming employees with high‐speed wireless access to the computing resources on their corporate networks. Thus, a value added service to broadband wireless network is the remote access virtual private network (VPN), where the corporate legitimate users can connect to their offices wirelessly from different locations and get secure services as if they were connected to the corporate local area network (LAN). One of the most important challenges is to block out illegitimate user requests, which are wirelessly received, to protect corporate privacy. Registration (adding new users) and authentication (accepting current users) functions should be implemented with highly secured wireless connection. These functions are accomplished by encapsulating (i.e. tunneling) the user information in a secured form to the corporate authentication server through the internet traffic. The corporate authentication server then grants or denies the user access. In this paper, we propose a new operational design algorithm for remote access wireless VPN authentication and registration protocols that depends on modifying tunnel establishment as compared to existing dial‐in VPN mechanisms. The modifications proposed in this paper are made to support successful deployment of the remote access VPN services over high‐speed wireless network. The paper presents an overview of two tunneling approaches using Layer 3 and Layer 2 separately for implementing these functions. Then we propose how we establish the tunnel in both approaches, and compare it to similar operation steps previously reported for the dial‐in VPN protocols. The proposed algorithms are distinguished from previously developed dial‐in VPN protocols by using L2TP and IPSEC instead of mobile IP. It is also shown that the steps involved in the establishment of the tunnel are functionally different and more appropriate to our applications using communication environment of the BWN. Finally, a qualitative analysis of the added functions, and a comparison between L2TP‐based and IPSec‐based approaches are established. Copyright © 2004 John Wiley & Sons, Ltd.     

A provable and secure mobile user authentication scheme for mobile cloud computing services

The mobile cloud computing (MCC) has enriched the quality of services that the clients access from remote cloud‐based servers. The growth in the number of wireless users for MCC has further augmented the requirement for a robust and efficient authenticated key agreement mechanism. Formerly, the users would access cloud services from various cloud‐based service providers and authenticate one another only after communicating with the trusted third party (TTP). This requirement for the clients to access the TTP during each mutual authentication session, in earlier schemes, contributes to the redundant latency overheads for the protocol. Recently, Tsai et al have presented a bilinear pairing based multi‐server authentication (MSA) protocol, to bypass the TTP, at least during mutual authentication. The scheme construction works fine, as far as the elimination of TTP involvement for authentication has been concerned. However, Tsai et al scheme has been found vulnerable to server spoofing attack and desynchronization attack, and lacks smart card‐based user verification, which renders the protocol inapt for practical implementation in different access networks. Hence, we have proposed an improved model designed with bilinear pairing operations, countering the identified threats as posed to Tsai scheme. Additionally, the proposed scheme is backed up by performance evaluation and formal security analysis.     

An Intra-domain Mobility Handling Scheme Across All-IP Wireless Networks

The rapid growth of wireless network technology such as HSDPA and WiMAX, has lead to greater demand for access to Internet via mobile hosts. Supporting mobile connection with fast and smooth roaming across heterogeneous wireless technologies has been an important challenge over past years. In this paper, a novel multilayer scheme for QoS-aware intra-domain mobility management is proposed. The mobility support capability is embedded in key components for the domain access network, namely, the Paging Access Routers and the Mobility-support Anchor Servers (MASs). The MASs are organized in three layers; starting from the top layer Superior-MASs, Middle-MASs and Inferior-MASs, respectively. The proposed scheme identified mobility support functionality, includes intra-domain anchor specification, route optimization algorithm, intra/inter-anchor mobility support, paging and authentication management. Simulation results of the proposed scheme show fair performance especially in the presence of QoS sensitive services.