通用可组合安全的WLAN Mesh网络可信接入认证协议

现有的WLAN Mesh网络接入协议和可信网络接入协议在性能和安全性方面不能很好的满足WLAN Mesh网络可信接入的要求.针对这一情况,提出了一种高效的可证明安全的WLAN Mesh网络可信接入协议MN-TAP,该协议仅需4轮交互就能实现访问请求者,策略执行点和策略决策点三者之间的用户认证和密钥确认,同时在第一轮交互中就实现了策略决策点对访问请求者平台身份的认证和平台完整性的校验,提高了协议执行的效率,降低了服务器端的负载.利用通用可组合安全模型对新协议进行了安全性证明,并对协议性能进行了对比分析.结果表明:新协议达到通用可组合安全,且与现有协议相比性能优势明显.     

无线局域网密钥协商协议安全性分析与改进

分析了中国无线局域网标准中无线鉴别基础设施WAI（WLAN Authentication Infrastructure），指出其中密钥协商协议缺乏密钥确认、易遭受拒绝服务攻击等安全问题。提出了一种采用三次握手和带消息认证的密钥协商协议，以及周期密钥更新协议．使用BAN逻辑对提出的改进密钥协商协议进行形式化分析，验证了其正确性．与WAI比较，提出的协议具有较少的交互性，提供了消息鉴别并具有抗拒绝服务攻击能力。     

基于串空间模型的WAI密钥协商协议分析

WAPI实施方案中采用WAI(WLAN Authentication Infrastructure)协议来进行密钥协商,运用串空间模型分析验证了WAI协议中的单播密钥协商协议的实施方案,指出该实施方案较之原方案,安全性有了较大的提高.同时,利用该协议STA以及AP能够实现双向身份认证,并能安全地协商到会话密钥.     

一种可信计算环境下DAA协议实现方案

证明是可信计算从体系结构上保障网络服务安全的重要功能。文中介绍了TCG可信计算环境下的认证策略和以TPM为基础的直接匿名认证协议（Direct Anonymous Attestation,DAA）,分析了其特点,提出为了获得更好的应用性,对DAA协议进行基于ECC算法的扩展方案。经安全性分析证明,该方案在可信计算环境下只需有限的系统资源,可以有效提高可信网络接入的安全性与可管可控性。     

基于动态群签名的802.11s Mesh网络接入认证

802.11s Mesh网络作为新一代的无线局域网（WLAN）标准能有效弥补802.11b协议在易布署性和安全性方面中存在的不足。由于802.11s Mesh网络原有接入认证协议时间复杂性较高,针对性地提出了一种基于动态群签名技术的接入认证协议,在认证服务器、密钥分发者和接入点之间通过四轮交互即可实现所有接入点之间的相互认证。通过论证,该接入认证协议能有效提高接入认证过程的计算性能和通信性能,并保证接入认证过程的安全性。     

无线Mesh网络路由协议研究

无线Mesh网络WMN（wireless mesh networks）是一种新型的无线网络,它融合了无线局域网（WLAN）和Ad Hoc网络的优势,成为宽带接入的一种有效手段。首先介绍了无线Mesh网的网络结构和特点．并在此基础上讨论了无线Mesh网络对路由协议的要求。无线Mesh网络的路由算法是Mesh领域的研究难点,通过分析比较4种针对WMN的路由协议,总结了现有的路由协议的优缺点,并对今后的研究方向做出了展望。     

MSA在WLAN Mesh网络安全中的应用

随着无线局域网的快速普及,基于IEEE 802.11s的无线Mesh网络也在悄然兴起.然而,针对802.11sMesh网络的安全问题还没有被很好地解决,特别是Mesh节点之间的相互认证和安全链路的建立还没有确定一个适合的安全标准.论文中,作者结合IEEE802.11s的一些草案标准,提出了一种主要基于Mesh安全关联(Mesh Security Association)协议的Mesh网络安全体系架构,并对这种方案进行了安全可行性分析.     

一种WLAN Mesh网络漫游接入认证协议

针对WLAN Mesh网络节点漫游接入过程中现有协议的不足,通过利用EMSA(efficient mesh security association)初始认证过程中所建立的安全链路和消息认证码技术,并引入修改后的DH(Diffie Hellman)密钥交换过程,提出了一种能有效满足漫游接入性能和安全性需求的接入认证协议。该协议不仅具有基本的SK(session key,会话密钥)安全属性,还具有较小的接入时延,能够适应Mesh网络拓扑变化的特性,在完成双向接入认证过程的同时,完成了密钥的生成,并能较好地隐藏终端节点的身份信息。     

基于WLAN的Mesh网络和PMP网络性能比较

无线Mesh网络是一种高速率、高容量的分布式网络，是一种新型的可以解决“最后一英里”瓶颈问题的网络。介绍了无线Mesh网络的结构、特点和应用，分析了DSR路由协议，研完了在DSR路由协议下，基于WLAN的无线Mesh网络的性能，比较了在负栽相同的情况下，基于DSR的Mesh网络和与其具有可比性的PMP网络的性能，得到在同等负载的情况下，Mesh网络的性能优于PMP网络的结论。     

一种基于WLANMESH网络中的EAP-TLS接入认证方案

MESH是一种新型的无线网络,安全的认证机制是确保WLAN MESH网络安全问题的前提条件。研究了WLAN MESH网络的结构特点,提出一种基于IEEE802.1x标准下的EAP-TLS协议认证方案,利用EAP-TLS双向认证机制来实现WLAN MESH网络中安全接入认证。并对该协议的认证流程及安全性进行了描述与分析。     

UCAP:a PCL secure user authentication protocol in cloud computing

As the combine of cloud computing and Internet breeds many flexible IT services,cloud computing becomes more and more significant.In cloud computing,a user should be authenticated by a trusted third party or a certification authority before using cloud applications and services.Based on this,a protocol composition logic (PCL) secure user authentication protocol named UCAP for cloud computing was proposed.The protocol used a symmetric encryption symmetric encryption based on a trusted third party to achieve the authentication and confidentiality of the protocol session,which comprised the initial authentication phase and the re-authentication phase.In the initial authentication phase,the trusted third party generated a root communication session key.In the re-authentication phase,communication users negotiated a sub session key without the trusted third party.To verify the security properties of the protocol,a sequential compositional proof method was used under the protocol composition logic model.Compared with certain related works,the proposed protocol satisfies the PCL security.The performance of the initial authentication phase in the proposed scheme is slightly better than that of the existing schemes,while the performance of the re-authentication phase is better than that of other protocols due to the absence of the trusted third party.Through the analysis results,the proposed protocol is suitable for the mutual authentication in cloud computing.     

一种有效的WLAN可信匿名认证协议

选取扩展认证-安全传输层(EAP-TLS,Extensible Authentication Protocol-transport Layer Security)协议与直接匿名认证(DAA,Direct Anonymous Attestation)结合,简化了EAP-TLS中用户与服务器间相互证书的交换和认证,去掉冗余步骤,合并EAP-TLS中握手过程和DAA中匿名认证过程。将可信平台模块(TPM,Trusted Platform Module)引入无线局域网(WLAN,Wireless Local Area Networks),实现用户身份的匿名认证,减轻了EAP-TLS协议证书管理压力,不存在效率瓶颈,安全程度比EAP-TLS有所提高,能有效抵抗重放攻击、中间人攻击、拒绝服务(DoS,Denial of Services)攻击等安全威胁。     

基于国家标准GB15629．11的无线局域网鉴别技术

文章主要研究了无线局域网国家标准GB15629.11中的安全接入技术,并介绍了其中的一种重要的鉴别协议——证书鉴别。该标准包含全新的WAPI(WLANAuthenticationandPrivacyInfrastructure)安全机制,这种安全机制由WAI(WLANAuthenticationInfras-tructure)和WPI(WLANPrivacyInfrastructure)两部分组成。WAI和WPI分别实现用户身份的鉴别和传输数据的加密。WAI的证书鉴别过程,实现了BSS中的STA与AP的双向鉴别,对于采用"假"AP的攻击方式具有很强的抵御能力。WPI中的会话密钥没有在信道上进行传输,而且在通信一段时间或者交换一定数量的数据之后,STA和AP之间可以重新协商会话密钥。从而验证了WAPI能为用户的WLAN系统提供全面的安全保护。     

改进的移动计算平台直接匿名证明方案

分析了Ge等人提出的直接匿名证明方案的安全缺陷,指出该方案的认证协议在用于远程证明时不能抵抗重放攻击和平台伪装攻击。提出一种改进的直接匿名证明的认证协议,引入会话密钥协商机制,增强互认证功能。分析表明,改进方案在正确进行直接匿名证明的前提下,满足不可伪造性和匿名性,能够抵抗重放攻击和平台伪装攻击,协议性能满足移动计算平台的可信验证需求。     

一种新颖的基于零知识证明的跨域DAA协议

In order to solve the issue that existing direct anonymous attestation (DAA) scheme can not operate effectively in different domains, based on the original DAA scheme, a novel direct anonymous attestation protocol used in multi domains environment is proposed and designed, in which, the certificate issuer located in outside of domain can be considered as a proxy server to issue the DAA certificate for valid member nodes directly. Our designed mechanism accords with present trusted computing group (TCG) international specification, and can solve the problems of practical authentication and privacy information protection between different trusted domains efficiently. Compared with present DAA scheme, in our protocol, the anonymity, unforgeability can be guaranteed, and the replay-attack also can be avoided. It has important referenced and practical application value in trusted computing field.     

基于融合网络的WLAN漫游认证方式研究

在网络融合的趋势下,通过电信网络为WLAN网络提供终端认证将是未来WLAN业务认证的主要方式。为高效、安全地实现网间漫游状态下WLAN的鉴权认证,本研究分析了在网间漫游状态下WLAN的鉴权需求,讨论了鉴权模式、流程和存在的问题,提出了基于EAP SIM/AKA协议的、非中转方式的WLAN漫游认证方案,并进行了验证。实验结果证明该非中转认证方案可以满足终端在漫游状态下实现EAP SIM/AKA认证的需要,同时增强了系统的安全性,降低了投资成本,实现了实时计费。     

A provable and secure mobile user authentication scheme for mobile cloud computing services

The mobile cloud computing (MCC) has enriched the quality of services that the clients access from remote cloud‐based servers. The growth in the number of wireless users for MCC has further augmented the requirement for a robust and efficient authenticated key agreement mechanism. Formerly, the users would access cloud services from various cloud‐based service providers and authenticate one another only after communicating with the trusted third party (TTP). This requirement for the clients to access the TTP during each mutual authentication session, in earlier schemes, contributes to the redundant latency overheads for the protocol. Recently, Tsai et al have presented a bilinear pairing based multi‐server authentication (MSA) protocol, to bypass the TTP, at least during mutual authentication. The scheme construction works fine, as far as the elimination of TTP involvement for authentication has been concerned. However, Tsai et al scheme has been found vulnerable to server spoofing attack and desynchronization attack, and lacks smart card‐based user verification, which renders the protocol inapt for practical implementation in different access networks. Hence, we have proposed an improved model designed with bilinear pairing operations, countering the identified threats as posed to Tsai scheme. Additionally, the proposed scheme is backed up by performance evaluation and formal security analysis.     

PSMECS: A provably secure ID-based communication in mobile edge computing

Human-centered systems play an important role in the modern world, for example, driverless car, autonomous and smart vehicles, drones, and robotics. The internet of things environment demands a faster real-time response depending on the applications processed in a particular duration. Mobile edge computing (MEC) allows a user to get a real-time response as compared with cloud computing (CC), although ensuring a number of security attributes in MEC environment remains challenging. In this article, a protocol is designed to achieve mutual authentication, anonymous communication, and security against traceability, as these are very crucial factors to ensure the security of data and user's privacy. Moreover, the proposed scheme ensures mutual authentication between a mobile user and an edge server along with the user's anonymity and untraceability. The proof of security and evaluation of performance of the scheme validates that it ensures security attributes and improves efficiency in terms of communication and computation overheads.     

适用于车载边缘计算网络的高效匿名认证协议

为了解决车载边缘计算网络中无线网络传输特性导致的窃听、重放、拦截、篡改等安全威胁,考虑到车载终端资源有限的特点,提出了一种轻量级匿名高效身份认证协议。基于切比雪夫混沌映射算法,避免了多数方案所采用的指数、双线性映射等复杂算法,有效降低了身份认证与密钥协商过程中的计算复杂度。此外,在实现接入认证及切换认证的同时,能够实现终端匿名性及可追溯、可撤销等安全功能。通过Scyther工具验证结果表明该协议能够满足认证过程中的安全需求并且能够抵抗多种协议攻击。相比已有方案,所提接入认证方案总计算开销最低可节省67%,带宽开销最低可节省11%。此外,相比于接入认证方案,所提域内切换认证方案总计算开销可节省99.8%,带宽开销可节省52%;域间切换认证方案总计算开销可节省80%,带宽开销可节省37%。性能分析结果表明该协议具备更良好的计算和通信性能,因此可以解决车载边缘计算网络中的终端高效安全接入及切换问题。