基于Anycast技术的RADIUS负载均衡

RADIUS是一种在网络接入服务器（NetworkAccessServer）和共享认证服务器问传输认证、授权和配置信息的协议。作为2010年联通宽带提速战略的关键,RADIUS的响应速度及安全性至关重要。通过优化现有RADIUS网络结果来实现Anycast业务,实现了基于IPv4环境下RADIuS分布式负载均衡,加强了RADIUS网络结构健壮性,使RADIUS具备灵活的扩展性。     

RADIUS协议的原理(上)

本文详尽介绍了 Internet电话拨号接入的认证 ／ 计费协议RADIUS（Remote Authentication Dial In User Service），从认证和计费两个方面通过举例全面分析了RADIUS协议的工作流程，深入剖析了协议的数据结构和属性含义，并在文末简要介绍了RADIUS的其他应用。     

RADIUS协议的原理（上）

本详尽介绍了Internet电话拨号接入的认证／计费协议RADIUS（Remote Authentication Dial In User Service),从认证和计费两个方面通过举例全面分析RADIUS协议的工作流程,深入剖析了协议的数据结构和属性含义,并在末简要介绍了RADIUS的其他应用。     

基于EAP/RADIUS的移动IPv6接入认证研究

对可扩展认证协议(EAP)和远程用户拨入认证系统(RADIUS)协议进行了阐述,给出了基于移动IPv6的AAA(认证、授权、计费)体系架构。针对移动IPv6移动用户接入认证问题,提出了基于EAP/RADIUS的移动IPv6接入认证构架,通过EAP与RADIUS服务器协作的方式实现对移动用户的接入认证。     

RADIUS协议在计费系统中的应用

首先介绍了RADIUS体系结构与协议分析,随后着重介绍了RADIUS协议的主要特点以及认证、授权和计费的实现过程,最后提出其应用前景。     

支持第三方认证的RADIUS系统设计

分析了RADIUS工作原理及体系结构,指出其安全性存在的不足.提出了支持第三方认证的RADIUS系统结构,详细分析了系统的设计、数据流程以及加密机制.利用该结构,设计了支持第三方认证的RADIUS服务器,给出和分析了设计方法和策略,从而扩展了RADIUS,增强了认证机制的安全性和灵活性.     

RADIUS协议在GPRS网络监测中的研究与实现

介绍了RADIUS协议在GPRS网络Gi接口监测的基本概念和功能,说明RADIUS协议监测模块消息结构,并以此为基础研究RADIUS协议的解码、重点探讨CDR合成及统计技术、并以RADIUS认证、计费过程为例,详细阐述合成及原理与方法,通过数据采集测试验证了相关理论的有效可行性。     

一种基于RADIUS变种的一次性口令身份认证系统

在开放系统通信协议提供的五种主要安全服务中,身份认证是第一层防护,也往往是其他服务的基础.目前,一次性口令被公认是最为安全的身份认证机制.本文提出了目前应用最为广泛的RADIUS协议的一个变种,修补了其前身在保密性完整性等方面的一些安全缺陷漏洞,并讨论了基于事件同步的跨平台一次性口令认证系统的整体架构和认证算法,为小体量高安全性要求的认证环境提供了一种简单可靠的AAA通信方案.     

RADIUS协议在计费系统中的应用

首先介绍了RADIUS体系结构与协议分析，随后着重介绍了RADIUS协议的主要特点以及认证、授权和计费的实现过程，最后提出其应用前景。     

基于EAP/RADIUS的WLAN认证和密钥分配协议

研究了无线局域网的认证机制,描述了EAP/RADIUS协议在IEEE802.1x标准中的消息封装格式,针对基于端口访问控制协议的缺陷,提出一种新的应用于WLAN的认证和密钥分配方案,并设计详细协议流程.该协议基于EAP/RADIUS认证框架,使用服务令牌将认证和授权结合起来,授权校验的同时进行密钥分配,完善了WLAN的访问控制机制.     

Improvement of robust smart‐card‐based password authentication scheme

Smart‐card‐based password authentication scheme is one of the commonly used mechanisms to prevent unauthorized service and resource access and to remove the potential security threats over the insecure networks and has been investigated extensively in the last decade. Recently, Chen et al. proposed a smart‐card‐based password authentication scheme and claimed that the scheme can withstand offline password guessing attacks even if the information stored in the smart card is extracted by the adversary. However, we observe that the scheme of Chen et al. is insecure against offline password guessing attacks in this case. To remedy this security problem, we propose an improved authentication protocol, which inherits the merits of the scheme of Chen et al. and is free from the security flaw of their scheme. Compared with the previous schemes, our improved scheme provides more security guarantees while keeping efficiency. Copyright © 2013 John Wiley & Sons, Ltd.     

Two‐factor authentication scheme using attribute and password

In this study, based on attribute and password, we introduce a new kind of two‐factor authentication protocol that has various applications such as anonymous authentication and privacy protection. Specifically, our proposal is constructed by introducing password authentication into the generic framework of attribute‐based authentication. Consequently, it not only achieves two‐factor authentication, but also enjoys the advantages of attribute authentication and password authentication simultaneously. Furthermore, to formally evaluate the security of the proposed protocol, we present the corresponding security model, within which the detailed security proof of the proposal is given. Copyright © 2014 John Wiley & Sons, Ltd.     

基于手机令牌的动态口令身份认证系统

随着无线网络的日益完善,通过手机无线接入Internet的用户不断增加,因此解决无线接入用户的身份认证问题极为重要。动态12令已经成为认证机制新的发展趋势,它提供了比传统静态口令更高的安全性。文中设计了一种基于挑战／应答机制的动态口令认证协议,并根据此协议设计了一个基于手机令牌的动态口令身份认证系统,论述了系统的组成、认证过程,分析了系统的安全性。分析表明,该系统具有安全性高、适用面广、使用方便、系统成本低的特点。     

Cryptanalysis of smart‐card‐based password authenticated key agreement protocol for session initiation protocol of Zhang et al.

As the core signaling protocol for multimedia services, such as voice over internet protocol, the session initiation protocol (SIP) is receiving much attention and its security is becoming increasingly important. It is critical to develop a roust user authentication protocol for SIP. The original authentication protocol is not strong enough to provide acceptable security level, and a number of authentication protocols have been proposed to strengthen the security. Recently, Zhang et al. proposed an efficient and flexible smart‐card‐based password authenticated key agreement protocol for SIP. They claimed that the protocol enjoys many unique properties and can withstand various attacks. However, we demonstrate that the scheme by Zhang et al. is insecure against the malicious insider impersonation attack. Specifically, a malicious user can impersonate other users registered with the same server. We also proposed an effective fix to remedy the flaw, which remedies the security flaw without sacrificing the efficiency. The lesson learned is that the authenticators must be closely coupled with the identity, and we should prevent the identity from being separated from the authenticators in the future design of two‐factor authentication protocols. Copyright © 2014 John Wiley & Sons, Ltd.     

EPON系统中RADIUS认证技术的研究

安全管理和计费管理对于以太网无源光网络(EPON)进入电信级运营,推动EPON的大规模商用有着重要意义.认证是实现安全管理和计费管理的关键技术.文章结合IEEE802.1x标准和RADIUS协议,提出了EPON系统认证机制的一种设计,通过net-snmp软件包在Linux系统上开发代理,实现了远程认证拨号用户服务(RADIUS)客户端功能.     

基于口令认证的RFID系统安全协议及其BAN逻辑分析

本文提出一种新的基于口令认证的RFID系统安全协议.该方法充分利用RFID低等级标签提供的有限资源:访问口令(PW)、标签的标识码(ID)和伪随机函数等建立RFID系统读写器和标签双向认证的安全协议,对该协议抵抗各种攻击的安全性进行理论分析并对该协议的认证功能进行BAN逻辑的形式化分析.结果表明该协议能够有效抵御在线和离线字典攻击、伪装攻击、重放攻击以及流量分析和跟踪攻击,因而解决了RFID系统的安全问题.     

Two-factor authenticated key agreement protocol based on biometric feature and password

A new two-factor authenticated key agreement protocol based on biometric feature and password was proposed.The protocol took advantages of the user’s biological information and password to achieve the secure communication without bringing the smart card.The biometric feature was not stored in the server by using the fuzzy extractor technique,so the sensitive information of the user cannot be leaked when the server was corrupted.The authentication messages of the user were protected by the server’s public key,so the protocol can resist the off-line dictionary attack which often appears in the authentication protocols based on password.The security of the proposed protocol was given in the random oracle model provided the elliptic computational Diffie-Hellman assumption holds.The performance analysis shows the proposed protocol has better security.     

一种基于智能卡的有效远程双向鉴别方案

提出了一种基于智能卡的有效远程双向身份鉴别方案。用户可自由地选择和改变登录口令,无需维护口令目录表或验证表。此外,该方案不仅能够提供通信双方的相互鉴别,而且引入质询随机数代替时间戳,既可保证每次身份鉴别信息的随机性,有效防止重放攻击,又避免了复杂的时间同步问题,极大地增强了应用系统的安全性和实用性。     

一种改进的一次性口令认证方案

身份认证是信息安全理论和技术中非常重要的方面,传统的身份认证采用静态口令,但是静态口令一旦被截获,就极易被他人利用。一种常见的解决方法就是采用S／KEY结构一次性口令系统来实现身份认证。但此系统仍然存在服务器开销过大、单向认证及容易被冒充攻击与重放攻击等不足。在此基础上,提出了一种改进的一次性口令认证方案。与原方案相比,该方案具有效率更高、安全性更好和双向认证等优点。