Anonymous Roaming in Heterogeneous Wireless Networks

【Author】 Jiang Qi (姜奇)

【Supervisor】 Ma Jianfeng (马建峰)

【Author information】 Xidian University (西安电子科技大学), Computer System Architecture, 2011, PhD

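【Abstract (translated from Chinese)】 The trend in next-generation wireless networks is the convergence of all-IP heterogeneous wireless networks in which multiple wireless access technologies coexist, providing diversified and ubiquitous access services. Roaming is a key technology for achieving ubiquitous wireless access, but roaming security faces many challenges. First, because the transmission medium is open and wireless devices are resource-constrained, wireless networks face more severe security threats than traditional wired networks. Second, many network operators must coexist and cooperate, and the security solutions of heterogeneous wireless access systems differ greatly. Third, the protection of user privacy during roaming is receiving increasing attention. Studying anonymous roaming is therefore of great significance. This dissertation studies anonymous roaming authentication and the security integration of heterogeneous wireless access networks. The main contents are as follows:

1. The security flaws of an identity-based authentication model are analyzed, showing that the scheme is subject to an identity impersonation attack and cannot achieve user identity authentication. An improved scheme is proposed to realize anonymous roaming in wireless networks. Compared with the original scheme, the improvements lie mainly in two respects: first, the improved scheme remedies the security flaws of the original protocol and is provably secure in the CK model; second, it simplifies the protocol flow and improves the protocol's efficiency.

2. A hybrid authentication scheme combining certificate-based and identity-based public keys is analyzed, showing that the scheme suffers from a mobile node spoofing attack and a rogue network attack, that its key update does not satisfy backward secrecy, and that its scalability is low. An improved hybrid anonymous authentication scheme is proposed, which remedies the security flaws and improves scalability. Security analysis in the CK model shows that the protocol is provably secure. Performance comparison also shows that the improved protocol retains the low computation cost of the original scheme.

3. A two-factor anonymous wireless roaming protocol is analyzed, showing that the scheme does not satisfy strong two-factor security and suffers from flaws including the domino effect, a privileged insider attack, and the inability of users to update their passwords. An improved protocol is proposed that achieves strong two-factor security. Its security is analyzed in the CK model; in particular, a two-factor authenticator based on a smart card and a password is constructed, and the analysis shows that the improved scheme is provably secure. Compared with the original protocol, the improved protocol remedies the original's security flaws and also improves security.

4. To address the security integration of 3G and WAPI-based WLAN, a new USIM-based certificate distribution protocol is proposed, and two security integration schemes, loosely coupled and tightly coupled, are given. They unify the user management of the 3G security architecture and WAPI, and realize network access based on the WAPI security mechanism for 3G subscribers as well as identity privacy protection. The authentication and anonymity of the certificate distribution protocol are analyzed using the CK model, and the results show that the protocol is provably secure.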

【Abstract】 One of the main trends in next-generation wireless networks is all-IP heterogeneous wireless network integration, in which a number of wireless access technologies coexist to provide diversified and ubiquitous access services. Roaming is the key enabling technology for ubiquitous wireless access. However, roaming security faces many challenges. Firstly, due to the openness of the wireless channel and the resource constraints of wireless devices, wireless networks suffer more severe threats than their wired counterparts. Secondly, a large number of operators coexist and cooperate, and each wireless access system has addressed security in a different way. Finally, privacy protection during the roaming process has become an increasing concern. Therefore, the study of anonymous roaming is of great significance. The main contributions are as follows.

1. The security flaws of an identity-based authentication model are analyzed. The scheme fails to achieve entity authentication due to an identity impersonation attack. Then, an improved authentication scheme is proposed to realize anonymous roaming in wireless networks. Our authentication scheme improves on the original one in two aspects. Firstly, our scheme remedies the security flaws and is provably secure in the CK model. Secondly, our scheme simplifies the protocol interaction and is more efficient.

2. A hybrid authentication scheme integrating certificate-based and identity-based public key cryptography is analyzed. It is demonstrated that the scheme suffers from a mobile node spoofing attack and a rogue network attack, that its key updating fails to provide backward secrecy, and that the scheme has low scalability. Then, an improved authentication scheme is proposed, which remedies the security flaws and improves the scalability. Security analysis shows that the improved scheme is provably secure in the CK model. Meanwhile, performance comparison indicates that the improved scheme maintains the merit of low computation cost in Zhu et al.’s scheme.

3. A smart card and password based two-factor anonymous authentication protocol for wireless roaming is analyzed. It is demonstrated that the scheme fails to achieve strong two-factor security and suffers from the domino effect, a privileged insider attack, and the lack of a password change option, among other flaws. Then, an improved authentication scheme, which achieves strong two-factor security, is proposed and analyzed in the CK model. In particular, a smart card and password based two-factor authenticator is constructed. Security analysis shows that the improved scheme is provably secure. Compared with the original protocol, our improved protocol remedies its security flaws and enhances its security strength, with a slightly higher computation cost.

4. How to integrate the vastly different security architectures used in each access network and unify user management is a problem that urgently needs to be solved. To achieve the security integration of 3G and WAPI-based WLAN, a USIM-based certificate distribution protocol is proposed. Two security integration schemes, loosely coupled and tightly coupled, are presented, which unify the user management of the 3G security architecture and WAPI, and realize WAPI-based network access for 3G subscribers as well as identity privacy protection. The entity authentication and anonymity of the certificate distribution protocol are analyzed in the CK model, and the results show that the protocol is provably secure.
