
Research on Authentication, Authorization and Accounting in Mobile Internet

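【Author】 Zhang Hong (张鸿)

【Advisor】 Qian Hualin (钱华林)

【Author information】 Graduate School of the Chinese Academy of Sciences (Institute of Computing Technology), Computer Architecture, 2004, PhD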

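【Abstract, translated from Chinese】 With the continuing development of Internet technology and mobile communication technology, the Mobile Internet produced by their convergence is gradually taking shape and developing. Mobile Internet means that users connect to the Internet using mobile terminals; its goal is to provide ubiquitous Internet service to users on the move. The application prospects of the Mobile Internet are very broad. However, many problems remain to be solved in order to realize it, and authentication, authorization and accounting is one of them.

AAA stands for Authentication, Authorization and Accounting: the process of identifying a user's identity and determining the user's permissions when the user uses network services and accesses resources, and of billing according to usage. Authentication and authorization ensure that user identities are not misappropriated and restrict use by unauthorized users. Accounting is a matter of great concern to users, operators and service providers alike. Secure and convenient AAA will play a major role in the adoption of the Mobile Internet.

Compared with traditional AAA, AAA in the Mobile Internet differs in mobility, heterogeneity and security. Mobility means that as the user's location changes, the network access point keeps changing, and the user may successively attach to different operators' networks. Heterogeneity means that the access network may include WLAN, GSM, UMTS, satellite networks and other forms, which together constitute a unified Mobile Internet. As users continually hand over between heterogeneous networks, the problem of fast and secure AAA must be solved. Security refers to the fact that, with wireless networks, users connect over the air and the signals between user and network are exposed, making them more vulnerable to attacks such as eavesdropping and forgery. This places stricter requirements on secure authentication between the user and the network.

This dissertation focuses on the security-related authentication and authorization issues of Mobile Internet AAA. The main work and contributions include:

1) Traditional trust models are mainly used to describe trust relationships among entities in static networks and cannot describe trust relationships in the Mobile Internet environment well. This dissertation puts forward the time-varying and transferable nature of trust models in the Mobile Internet and, with reference to existing trust models, gives a description of the trust model in a mobile environment, together with methods for calculating the trust validity period and the degree of trust. It also sets out the Mobile Internet's requirements for an overall trust framework and designs a three-plane authentication framework. The framework makes use of existing trust mechanisms, integrating and linking them, with the aim of providing a trust-relationship service on the Internet and creating a security guarantee for interworking between AAA mechanisms.

2) To address the lack of a secure access protocol for Mobile IPv6 in computer networks, a secure access protocol and system named SECCESS (Secure Access) is designed; it is secure, link-layer independent and requires no modification of the IPv6 protocol, and is used for secure Mobile IPv6 access in computer networks. It mainly comprises the following parts: the overall architecture of secure Mobile IPv6 access; a three-phase secure authentication protocol between the mobile node and the access server; a proof of the security protocol using formal methods; and the design and implementation of a prototype protocol.

3) The convergence of mobile communication and wireless network technologies is a research hotspot. Existing wireless network technologies each have their own characteristics; by combining technologies such as WLAN and 3G, ubiquitous network access service can be provided to users. This requires the AAA of the various networks to be joined together to provide a unified, interoperable AAA mechanism. This dissertation addresses the problem that cross-domain authentication during the convergence of heterogeneous networks causes excessive latency and reduced efficiency,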

【Abstract】 With the development of the Internet and mobile communication, the Mobile Internet is progressing very fast. Users can access the Mobile Internet via mobile terminals and get Internet service everywhere. The prospects of the Mobile Internet are very promising. In order to achieve the goals of the Mobile Internet, there are many problems to solve, and AAA (Authentication, Authorization and Accounting) is one of them.

Authentication is the verification of the identity of a subject performing an action. Authorization is the verification of whether a subject is allowed to perform an action on an object, e.g., access to or use of some objects. Accounting is the collection and aggregation of information (accounting records) in relation to a customer’s service utilization. AAA is very important for users, service providers and operators. AAA in the Mobile Internet differs from traditional AAA in mobility, heterogeneity and security. Mobility means the user may change access point and operator from time to time. Heterogeneity means the Mobile Internet comprises various wireless networks, such as WLAN, GSM, UMTS, satellite networks, etc. Security means the security demands are much higher in Mobile Internet AAA, since the radio interface is open and it is easier for hackers to attack.

Authentication and authorization issues are studied in this dissertation. The main contributions are as follows:

1) The traditional trust model is not adequate for describing trust relationships in the Mobile Internet. New problems, including the time-limited nature of trust and trust transfer, are discussed in this dissertation. New methods for trust model description, trust value calculation and trust period calculation are introduced. As far as the Mobile Internet is concerned, a three-plane authentication framework is designed, which utilizes current trust mechanisms and provides a guarantee for the inter-working of different AAA systems.

2) For the Mobile IPv6 protocol, a secure access system named SECCESS is designed. SECCESS has advantages such as link-layer independence and no modification of the IPv6 protocol stack. It is suitable for wired computer networks as well as wireless computer networks. The correctness of this protocol is analyzed through the modal logic AUTOLOG.

3) The integration of mobile communication and wireless networks is important for a unified Mobile Internet. The current AAA mechanism in integration has large latency due to inter-domain AAA messages. A hierarchical AAA architecture is created to reduce the latency. A Diameter HAA protocol is designed to facilitate the integration of WLAN and 3G networks.

4) After the user has accessed the network, service oriented AAA is also needed. With the
