节点文献
无线网络可信认证技术研究
Trusted Authentication in Wireless Networks
【作者】 杨力;
【导师】 马建峰;
【作者基本信息】 西安电子科技大学 , 密码学, 2010, 博士
【摘要】 无线网络快速发展,新的技术类型与应用模式层出不穷,无线网络安全问题成为业界与学术界关注的焦点。无线网络传输媒介的开放性、无线终端的移动性和网络拓扑结构的动态性,使得无线网络更容易被攻击。利用可信计算技术提高移动计算终端的安全性,增强已有无线网络认证架构的安全性,成为解决无线网络信息安全问题的有效措施和手段。可信计算技术及可信认证方法为解决无线网络终端认证提供的新思路,能够提供高可信性、高安全性、高可靠性的认证服务,可使无线网络获得更为广泛和便捷的应用。本文对无线网络的可信认证技术进行了较为深入的研究,具体研究内容为:1.已有的无线认证协议只认证用户身份,不验证平台可信性,存在安全隐患。基于可信计算远程证明与完整性验证的思想,考虑到移动设备运算能力和通信带宽有限等限制,提出一种可信的匿名无线认证协议,对移动用户身份进行认证的同时验证用户终端平台可信性,认证过程的每阶段使用不同的临时身份和一次性密钥,保持用户身份和平台信息的匿名性。分析表明,协议安全可靠,具有域分离特性和密钥协商公正性,计算代价和消息交互轮数满足无线移动网络环境需求。2.可信计算环境下,无线网络的接入认证不仅需要认证用户身份,也需要验证平台可信性。基于直接匿名证明思想,提出一种无线移动网络中移动用户可信接入认证方案,认证移动用户身份的同时利用直接匿名证明方法验证平台身份合法性和可信性。方案中,外地网络代理服务器直接验证移动用户平台可信性,并与本地网络代理服务器一同验证移动用户身份,采用临时身份和一次性密钥,保持用户身份匿名性。分析表明,方案具有域分离特性和密钥协商公正性,性能满足无线移动网络环境安全需求。3.可信计算组织TCG所提出的远程证明的直接匿名证明(DAA)技术规范只提供单可信域的平台认证,而移动网络环境下,终端移动性导致原方案不能适用。基于信任委托的思想,提出一种移动环境下的跨可信域的直接匿名证明方案,采用代理签名技术实现对移动终端在多可信域之间漫游时的可信计算平台认证,并在认证过程中协商会话密钥,增强了远程证明体系的安全性。利用CK模型对方案的认证协议的认证安全性和匿名安全性进行了形式化分析和证明。分析表明方案能够抵抗平台伪装攻击和重放攻击,其性能适用于无线网络环境。4.传统的智能卡口令认证方案只提供服务器与用户之间的身份认证,不验证平台可信性,不利于用户个人信息的保护。提出一种基于智能卡的可信双向认证方案,使用散列函数认证身份,采用远程证明方法验证平台可信性,方案支持安全会话密钥协商,支持用户身份匿名及口令自由更换,服务器平台证书可更新,分析表明方案可以抵抗针对智能卡口令认证方案的常见攻击,安全高效,满足安全设计目标。
【Abstract】 With the rapid development of wireless networks, new types of technology and application are constantly emerging, and the security of wireless networks becomes the focus. The openness of transmission media, the mobility of wireless terminals and the dynamic changing of topology make wireless networks more vulnerable to attacks. With trusted computing technology to enhance general security of mobile, computing terminals and existing wireless network security authentication frame-work, it becomes an effective and measurable solution to the problem of wireless network security. Trusted computing technology and its authentication method, which provide new ideas to solve the wireless network terminals certification and are able to give high reliability, high security, and high reliability authentication services, can facilitate the wide and convenient application of wireless mobile net-works. We make an in-depth research on the trusted authentication in wireless networks in this thesis, and the main contributions are as follows:1. Only user identity has been authenticated in most of the wireless authenti-cation protocols, which can cause potential risk because of the insecurity exiting of user platforms. Based on the trusted computing and remote attestation, a trusted and anonymous wireless authentication protocol was proposed by using temporary identities and one time secret keys, both of user identity and platform be authen-ticated in the proposed protocol. It has demonstrated that the proposed scheme is secure and reliable, it can provide identity anonymity and platform anonymity, with domain separation property and fair key agreement, computation costs and rounds of message exchange meet the demand of wireless IP networks security.2. Not only user identities but also the platforms need to be authenticated in wireless networks under trusted computing environment. Based on direct anony-mous attestation of trusted computing, a wireless anonymous authentication scheme is proposed, the platform of the mobile node was verified by the foreign agent and the identity of the mobile node user was authenticated by the home agent and the foreign agent together. By using temporary identities and one time secret keys, iden-tity anonymity and domain separation property are achieved. The analysis shows that our scheme is secure, reliable, and more efficient.3. The Direct Anonymous Attestation (DAA) scheme adopted by TCG in remote attestation is designed for single trusted domain. It can not be applied in wireless mobile networks due to wireless terminal mobility. Based on delegation of trusted relationship, a new cross-domain direct anonymous attestation scheme for wireless mobile networks is proposed. Proxy signature is used for delegation among domains, and the DAA method is used for mobile terminal authentication when roaming to another domain. The remote attestation system is security enhanced by key agreement. The authentication protocol is analyzed in CK model, and the results show that the protocol is provably secure. The further analysis shows that our proposal can resist reply attacks and platform masquerade attacks; the scheme is effective and suitable for the mobile trusted computing platforms.4. Only identities of the server and the user are authenticated in traditional smart cards based password authentication schemes, but whether the platform is trusted or not is not verified, and they cannot provide enough protection on personal information of users. A trusted mutual authentication scheme based on smart cards is proposed, in which hash functions are used to authenticate identities, and remote attestation is used to verify the platform. Analysis showed that our scheme can resist most of the possible attacks, is secure and efficient, and fulfills the designed security goals, such as session key agreement, user identity anonymity, passwords free changing, platform certification updating.
【Key words】 wireless networks; trusted computing; authentication; remote attestation; provable security; key exchange;