
Research and Implementation of a Trusted Access Architecture and Remote Attestation for Wireless LANs

【Author】 种惠芳

【Advisor】 吴振强

【Author information】 陕西师范大学 (Shaanxi Normal University), Computer System Architecture, 2010, Master's thesis

【Abstract (translated from the Chinese)】 To improve the security and reliability of applications in wireless LAN environments, access control has been introduced into the network-access process to control the wireless terminals that request to join the network. The typical network-access control technique is identity authentication. Built on cryptographic key techniques, it takes identity authentication as its basis, assumes that the terminal platform itself is secure, and combines this with the security of the protocol to ensure that only terminals satisfying a given access control policy can join the network securely. This has gone some way toward solving the security problems of network access. However, traditional access control schemes rest on the assumption that the terminal device itself is secure, so a wireless terminal that meets the protocol's security requirements but harbours a latent compromise or threat can still be admitted and damage the whole network environment. With the emergence of trusted computing and the deepening of research on it, the access control problem in wireless LAN environments has a new solution. The contributions of this thesis are as follows.

(1) A wireless multi-level trusted access architecture model is proposed. Building on a study of existing network-access techniques, a wireless multi-level trusted access architecture model is put forward. The model performs bidirectional verification at access time, overcoming the limitation of one-way authentication; it adds platform authenticity and platform integrity attestation on top of traditional identity authentication, raising the security strength of access control; and its multi-level trusted access method improves the flexibility and efficiency of existing all-or-nothing access control.

(2) Two remote attestation schemes are proposed. On top of the wireless multi-level trusted access architecture, two remote attestation models are designed, a "property-based self-attestation model" and a "hidden-credentials-based remote attestation model", together with the secure authentication protocol and authorization process for each. Analysis shows that the two schemes improve the privacy and security of existing remote attestation schemes from different angles and raise the execution efficiency of the protocol interaction.

(3) The proposed theoretical models are simulated with TPM_emulator. A prototype experimental platform is built on Linux using the open-source TPM emulator and VMware virtual machines, a corresponding graphical interface is developed with Glade, and the proposed models are validated to a degree.

【Abstract (author's English version)】 In order to improve the security and dependability of applications in the context of wireless LANs, access control technology has been used to control the terminals that request access to the network. The typical access control technique is identity verification. This technique is based on cryptographic key technology and combines it with the security of the protocol to ensure that only a terminal which meets a specific access control policy can access the network securely. This method considers the credibility of wireless devices only from the protocol and not from the security of the device itself, which may allow a wireless terminal that meets the protocol's security requirements but carries threats to access the network and cause damage to the whole network. With the emergence of and deepening research on Trusted Computing technology, a new solution for controlling the wireless terminals that request access to the WLAN has appeared. Through studying access control technology in wireless LANs and Trusted Computing technology, the contributions of this thesis are listed below.

1. A trusted multi-level architecture model for access control in a wireless environment is proposed. This model requires bidirectional verification when a terminal requests access to the network, which overcomes the limitations of unidirectional verification; authenticity verification and integrity verification of the terminal are also introduced, which improves the strength of access control; the model also improves flexibility and efficiency over existing all-or-nothing (binary) access control.

2. Two remote attestation methods are proposed. Based on the given trusted multi-level architecture model for access control, two remote attestation methods are given, one based on the properties of the terminal and one on Hidden Credentials technology. The security protocol and authentication process of each remote attestation method are then given in detail. Analysis shows that these two attestation methods improve the privacy and security of existing remote attestation methods and have good protocol efficiency.

3. The remote attestation methods proposed in this thesis have been verified with TPM-Emulator. Using the TPM simulator and VMware software, a prototype platform is built on the Linux operating system. Using Glade, a corresponding graphical interface is designed, and some validation of the theoretical results presented in this thesis is given.
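The abstract describes integrity attestation of the terminal platform feeding a multi-level (rather than all-or-nothing) access decision. The following runnable sketch, added here as an illustration and not the thesis's own protocol or code, shows that step end to end: the terminal measures its boot into a PCR, answers the access point's nonce challenge with a quote over the PCR, and the access point replays the measurement log, checks the quote, and grants one of three levels. Everything in it is an assumption for the sake of an offline example: the component set and the CRITICAL list, the three level names, and DEMO_KEY, a shared MAC key standing in for the TPM attestation key that a real deployment would verify as a signature.

```python
"""Constructed simulation of nonce-bound platform-integrity attestation that
feeds a multi-level access decision. Added example, not the thesis's protocol;
the key, component names and access levels are assumptions."""
import hashlib
import hmac
import secrets

# Assumption: a mismatch in these components is never tolerated.
CRITICAL = {"bootloader", "kernel"}
# Assumption: a shared MAC key stands in for the TPM's attestation signing key
# so the example runs offline; a real verifier checks an AIK signature instead.
DEMO_KEY = b"demo-attestation-key"


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM-style PCR extend: PCR' = SHA-256(PCR || digest)."""
    return hashlib.sha256(pcr + digest).digest()


def measure_boot(components):
    """Hash each loaded component into a zeroed PCR and keep a measurement log."""
    pcr, log = bytes(32), []
    for name, content in components:
        digest = hashlib.sha256(content).digest()
        pcr = extend(pcr, digest)
        log.append((name, digest))
    return pcr, log


def replay_log(log):
    """Recompute the PCR from the log; a tampered log will not reproduce it."""
    pcr = bytes(32)
    for _, digest in log:
        pcr = extend(pcr, digest)
    return pcr


class Terminal:
    """Attester: measures its boot and answers challenges with a nonce-bound quote."""
    def __init__(self, components, key=DEMO_KEY):
        self.key = key
        self.pcr, self.log = measure_boot(components)

    def quote(self, nonce: bytes) -> dict:
        tag = hmac.new(self.key, nonce + self.pcr, hashlib.sha256).digest()
        return {"nonce": nonce, "pcr": self.pcr, "log": list(self.log), "tag": tag}


class AccessPoint:
    """Verifier: issues nonces, checks quotes, and grants a level instead of yes/no."""
    def __init__(self, reference: dict, key=DEMO_KEY):
        self.key, self.reference, self.issued = key, reference, set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.issued.add(nonce)
        return nonce

    def decide(self, q: dict) -> str:
        if q["nonce"] not in self.issued:
            return "deny"                          # replayed or unsolicited quote
        self.issued.discard(q["nonce"])            # each nonce is single use
        expected = hmac.new(self.key, q["nonce"] + q["pcr"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, q["tag"]):
            return "deny"                          # quote not produced by the key
        if replay_log(q["log"]) != q["pcr"]:
            return "deny"                          # log does not explain the PCR
        seen = dict(q["log"])
        mismatched = [n for n, d in self.reference.items() if seen.get(n) != d]
        mismatched += [n for n in seen if n not in self.reference]   # unknown code
        if not mismatched:
            return "full"
        if any(n in CRITICAL for n in mismatched):
            return "deny"
        return "restricted"                        # e.g. remediation network only


# Constructed reference platform (hypothetical component contents).
GOOD = [("bootloader", b"grub 2.02"), ("kernel", b"linux 2.6.32"),
        ("antivirus", b"av sig 2010-05")]
REFERENCE = dict(measure_boot(GOOD)[1])


def attest(components, replay_old_quote=False) -> str:
    """Run one challenge/quote/decide exchange and return the granted level."""
    ap, term = AccessPoint(REFERENCE), Terminal(components)
    q = term.quote(ap.challenge())
    if replay_old_quote:
        ap.decide(q)                               # first use consumes the nonce
    return ap.decide(q)


if __name__ == "__main__":
    print("reference platform:", attest(GOOD))
    print("stale antivirus:  ", attest(GOOD[:2] + [("antivirus", b"av sig 2009-01")]))
    print("modified kernel:  ", attest([GOOD[0], ("kernel", b"linux rootkit"), GOOD[2]]))
    print("replayed quote:   ", attest(GOOD, replay_old_quote=True))
```

The nonce check and the log replay are the two checks that distinguish attestation from plain identity authentication: the first stops an old good quote from being reused, the second forces the reported log to be the one that actually produced the PCR, so a terminal cannot report a clean log next to a dirty measurement.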
