
Research on Security Architecture and Handoff Mechanism in Next Generation Wireless Networks (original Chinese title: 下一代无线网络安全及切换机制研究)

【Author】 马文静 (Ma Wenjing)

【Supervisor】 宋俊德 (Song Junde)

【Author information】 Beijing University of Posts and Telecommunications (北京邮电大学), Circuits and Systems, 2010, PhD

【Abstract (translated from Chinese)】 With continuing advances in communications, computing and integrated-circuit technology, the demand for wireless communication and mobility keeps growing. While existing mobile communication systems are upgraded generation by generation, wireless access technologies that support high mobility keep emerging, and together these lay a solid foundation for the development of next generation wireless networks. A next generation wireless network can integrate all kinds of networks and is characterized by diversified access methods, broadband data transmission, high-speed terminal mobility and unified all-IP operation, with the aim of providing users with efficient and secure network services anytime and anywhere. Heterogeneous network convergence is the key to the development of next generation wireless networks. It is a highly complex systems-engineering task: it faces not only the security problems of every existing ordinary network, but also the additional security problems created by interconnecting heterogeneous networks, for example how to achieve unified access authentication across heterogeneous networks; how to enforce stricter authorization control in a complex network environment; how to reduce the management complexity and key load of inter-network key agreement; and how to achieve seamless handover between converged heterogeneous networks. This thesis studies the security architecture of converged heterogeneous wireless networks in depth and improves the overall performance and efficiency of heterogeneous wireless networks by refining their access authentication, authorization control, key agreement and adaptive guarantee mechanisms. The main work is as follows:

1. The development and evolution of wireless communication networks is first summarized; next, the characteristics of next generation wireless networks, the key technologies that support them, the security problems they face and the state of research are analyzed and summarized; finally, the design principles and implementation methods of a heterogeneous network security architecture are set out.

2. Taking the security authentication problem of heterogeneous multi-access networks as a whole, a unified authentication mechanism based on the Mobile IPv6 protocol is proposed; it faces generic upper-layer protocols and shields the different link-layer technologies. After a comprehensive analysis and comparison of several communication optimization methods, an optimization approach that combines binding information with the deployment architecture is adopted, and the cases in which the mobile node is and is not roaming are discussed separately. To avoid leaking network topology information when the mobile node communicates in a foreign domain, an optimized key distribution mechanism is proposed and the key generation and exchange process is described. Experimental analysis shows that this communication optimization strategy lowers the authentication and registration delay during network handover while preserving communication security, which makes the converged heterogeneous network genuinely operable.

3. For the complex heterogeneous network environment, and building on unified authentication for multi-access networks, an optimized authorization architecture for heterogeneous networks is proposed. Following the design idea of role-based access control, it combines SAML and XACML and assigns role attributes to users to grant access to network resources, achieving optimized authorization and management in heterogeneous networks. The thesis analyzes several application scenarios in a heterogeneous network environment: by the user's current location, intra-domain and inter-domain scenarios; by the way the user obtains network resources, Pull and Push scenarios. A separate workflow of the optimized authorization architecture is designed for each scenario, so that the converged heterogeneous network can meet mobile users' diverse needs for network resources and its quality of service is improved. A testbed implementation of the core functional modules also lays a solid foundation for the future development of the optimized authorization architecture.

4. The security problems of heterogeneous networks are described and the corresponding security requirements are stated. After analyzing algorithms from different key systems, an XTR4 algorithm based on the trace discrete logarithm problem is chosen, and on that basis an efficient authentication and key agreement mechanism is proposed. Three keys with different scopes are defined, namely a random negotiation key, an identity verification key and a user authentication key; a one-time anonymous verification mechanism is established; and different key agreement procedures are realized for mobile users in the home domain and in a foreign domain. Simulation analysis shows that this key agreement mechanism meets the corresponding network security requirements and outperforms existing general key agreement mechanisms.

5. To achieve seamless handover between converged heterogeneous networks, an adaptive handover mechanism based on cross-layer design is proposed. It combines the dynamic parameters of the current network with the terminal user's speed of movement to pre-estimate the handover threshold between networks in real time, so that sufficient and effective handover time is guaranteed. The proposed adaptive handover mechanism allows signalling exchange between protocols at different layers: handover initiation information from the link layer and the IP layer triggers an optimization mechanism at the TCP layer that adaptively adjusts the TCP transmission mode during handover, so that good TCP transmission performance is maintained when handing over between different networks under Mobile IPv6. The corresponding simulation analysis also shows that the mechanism lowers the network handover error rate while enhancing TCP-layer transmission capacity.

The security architecture and handover mechanisms for next generation wireless networks proposed in this thesis have clear concepts and functional descriptions and a simple architecture and mechanism design; they are not only worth in-depth theoretical study but also have good application value.

【Abstract】 With the development of communication engineering, computer networks and integrated-circuit technology, mobile communication and wireless networking have become highly desirable. Thanks to progress in IT, mobile communication systems are highly developed and various new radio access technologies have come forth, which paves the way for the next generation wireless network. The next generation wireless network combines the merits of different wireless networks, thereby featuring diversified access methods, high-speed data transmission, ultra mobility and all-IP integration. Users can therefore easily enjoy the ubiquitous, high-performance network service it provides. Heterogeneous wireless network integration is the key technology of the next generation wireless network. As a highly complicated systems-engineering task, the heterogeneous wireless network not only has problems similar to those of traditional networks, but also faces additional security problems caused by the interconnection of heterogeneous networks. These extra security problems include how to realize unified security access among different wireless networks; how to realize strict access control in the complicated heterogeneous network; how to simplify the complex key management of the AKA mechanism and reduce the large key size; and how to make seamless handovers in the heterogeneous network.

In this thesis, the security architecture of the heterogeneous network is investigated and explored. The performance and efficiency of the heterogeneous network are enhanced significantly by the improved access authentication, authorization control, key agreement and adaptive adjustment mechanisms. The main contributions of this thesis are as follows:

1. The evolution of wireless networks is summarized. The characteristics, key technologies and major security problems of next generation wireless networks are carefully investigated and summarized. Furthermore, the design principles of the security architecture of the heterogeneous network are provided, and methods to improve system performance are presented as well.

2. A unified authentication mechanism for upper-layer protocols, based on the Mobile IPv6 protocol and masking the different link-layer access technologies, is proposed. Based on a comprehensive analysis and comparison of different communication optimization methods, an optimization method that integrates binding information with the architecture deployment is proposed. The new optimization method considers whether the mobile node is roaming in a foreign domain, and a specific packet format is designed to support the different scenarios. To avoid divulging the topological information of the home domain when the mobile node communicates with other nodes in the foreign domain, an improved key framework is introduced, and the process of key generation and exchange is described. Simulation results indicate that the novel optimization method reduces the delay of the authentication and login process significantly while maintaining the security of the system. Genuine operability of the heterogeneous network is therefore achieved.

3. Based on the unified authentication mechanism for different wireless access networks, an optimum authorization architecture for the heterogeneous network is proposed to deal with the complex environment. Following the role-based access control model, SAML and XACML are combined to assign roles and attributes of the visiting domain to users, thereby realizing optimum authorization and management in the heterogeneous network. Different application scenarios are analyzed systematically: based on users' location, the heterogeneous network has intra-domain and inter-domain applications; alternatively, according to the method by which users obtain network resources, it has Pull and Push application scenarios. Specific workflows for each scenario are analyzed and designed for the optimum authorization architecture. With the new architecture, the proposed heterogeneous network satisfies users' various requirements for network resource applications, and the quality of service is improved significantly. The test bench of the key function module lays a solid foundation for the future development of the optimum authorization architecture of the heterogeneous network.

4. Potential security hazards in the heterogeneous network are analyzed and the corresponding security requirements are presented. Based on an analysis of different cryptographic algorithms, an XTR4 algorithm based on the subgroup trace discrete logarithm problem is chosen for the key agreement mechanism. Furthermore, an authentication and key agreement mechanism is proposed for the optimum authorization architecture of the heterogeneous network. Three kinds of keys with different scopes are used to accomplish the different negotiation processes for users in the home domain and in the visiting domain. Simulation results show that this authentication and key agreement mechanism satisfies the security requirements and is superior to the traditional key agreement mechanism.

5. To realize seamless handover in the heterogeneous network, an adaptive handover mechanism based on cross-layer design is proposed. Taking into account both the travelling speed of the user and the dynamic parameters of the current network connection, the heterogeneous network pre-estimates the handover threshold in real time and provides enough reserved time for the handover. Because handover information in one layer's protocol is allowed to be passed to and interact with the protocols of another layer, handover initiation information from the link layer and the IP layer can be used to trigger the optimum congestion control mechanism and adjust the TCP transmission mode adaptively during mobile handover. High TCP transmission performance is thus guaranteed for handover among different networks in a Mobile IPv6 environment. Simulation results show that this adaptive handover mechanism not only reduces the handover error rate, but also enhances TCP transmission performance when handover happens.

In conclusion, the security architecture and handover mechanism for the next generation wireless network proposed in this thesis have clear definitions and functional descriptions. The architecture is easy to implement and engineer-friendly. The novel wireless network is not only worth in-depth theoretical research, but also has high application value for practical projects.
