

Research and Design of Authentication Security Infrastructure of WLAN

【Author】 张浩军

【Advisor】 祝跃飞

【Author information】 PLA Information Engineering University, Computer Software and Theory, 2006, PhD

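【Abstract, translated from the Chinese】 Wireless local area networks (WLANs) are widely used in enterprises, offices, homes, airports, hospitals, and special environments such as emergency rescue and disaster relief because they are flexible to install and convenient to use. At the same time, the open wireless transmission medium brings many security problems to WLAN applications: data is more easily eavesdropped on, intercepted or tampered with, and wireless devices are more exposed to attacks such as denial of service and impersonation.

To address the security problems facing WLAN, this thesis analyzes in detail the network characteristics and security requirements of WLAN, summarizes the security threats WLAN faces, and classifies them. It systematically analyzes the security architectures of the two latest WLAN security standards, IEEE 802.11i and WAPI, and points out the security weaknesses or defects of each. These weaknesses include inefficient entity authentication, incomplete key negotiation protocols, high computational resource requirements on the core devices AP/AS, and protocol designs that are vulnerable to denial-of-service attacks and therefore give the security architecture poor availability. The analysis shows that 802.11i suffers from loss of the authentication property under improper configuration, a reflection attack on key negotiation, and vulnerability to denial-of-service attacks, and that WAPI cannot achieve real authentication of the STA, has an incomplete key negotiation protocol, and is vulnerable to denial-of-service attacks. Targeted improvement schemes or deployment strategies are proposed for the two standard protocols to improve their application security, availability or efficiency. Analysis and comparison demonstrate the effectiveness of these improvements, which provide guidance for deploying WLANs based on the 802.11i or WAPI standards.

Building on the analysis of the security problems in these two standards, a new efficient WLAN authentication infrastructure (EWAI) is proposed. Three protocol components are designed, namely a fast entity authentication protocol (IAKN), a three-way handshake key negotiation protocol (3WAY) and a multicast key distribution protocol (GK), and a key usage hierarchy is defined. The IAKN protocol constructs entity authentication tokens based on the one-way hash chain technique, achieves "explicit" authentication of the STA, the principal authenticated entity in WLAN, "at the first moment", and completes mutual authentication and initial key negotiation among the STA, AS and AP. IAKN uses fewer protocol interactions and message transfers and requires no digital signature operations. Analysis and comparison show that the proposed authentication architecture has better security properties (multi-factor entity authentication, effective resistance to denial-of-service attacks) and execution efficiency than 802.11i and WAPI. The 3WAY protocol uses one fewer interaction than 802.11i and provides source authentication, integrity protection and key confirmation for every protocol message, achieving key update more securely. The GK protocol achieves key confirmation. Analysis shows that EWAI remedies the security defects and shortcomings of 802.11i and WAPI and has better security and higher efficiency. In addition, BAN logic is used to verify the correctness of the proposed protocols.

The Protocol Composition Logic (PCL) proposed by Datta et al. in 2004 is used to comprehensively prove the security of the proposed security architecture EWAI. The PCL system is extended for the cryptographic primitives used by EWAI, and the authentication and key secrecy properties of the IAKN, 3WAY and GK protocols are each proved, showing that they correctly achieve their security design goals. The compositional security of EWAI is proved: the security environment parameters for sequential composition of the EWAI protocol components and the conditions guaranteeing the protocols' security properties are defined, and the environmental requirements for secure concurrent execution of EWAI protocols with other protocols are described.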

【Abstract】 Owing to its flexibility and convenience, the Wireless Local Area Network (WLAN) is widely used in corporations, offices, airports, hospitals and homes, and in special environments for dealing with emergency events. However, open wireless transmission brings security vulnerabilities into WLAN: data is easily eavesdropped on, intercepted and modified, and Denial of Service and masquerading attacks are easily mounted.

To solve these security problems, the network features and security needs of WLAN are analyzed, and the vulnerabilities are summarized and classified. The infrastructures of the two main standards - IEEE 802.11i and WAPI - are analyzed systematically, and their vulnerabilities and shortcomings are pointed out, including inefficient authentication, resource-costly computation, and DoS attacks arising from the design of the protocols, which affect the availability of WLAN. In 802.11i, the authentication property can be lost if the configuration is deployed incorrectly, and reflection attacks exist against the key negotiation protocol. In WAPI, the STA is not authenticated by the AS and the key negotiation protocol is incomplete. Furthermore, DoS attacks are easily mounted in both standards. To solve these problems, improved schemes and methods are proposed that could improve the security, availability and computational efficiency of 802.11i or WAPI.

Based on the analysis of the two standards and using the one-way hash chain technique, a novel and efficient WLAN authentication infrastructure (EWAI) is proposed and its protocol components are designed, including an initial authentication protocol (IAKN), a 3-way key negotiation protocol (3WAY) and group key distribution (GK). The implementation architecture of keys is presented. In IAKN, no signature algorithm is needed; the AS authenticates the STA at the earliest moment using fewer handshakes and fewer messages in the protocol flows, and the mutual authentication of STA, AP and AS and the initial key negotiation are completed. Compared with 802.11i and WAPI, the proposed infrastructure EWAI has better security properties (multi-factor entity authentication and effective defense against DoS) and efficiency. The proposed IAKN protocol is reasoned about using BAN logic and its correctness is proved. The other proposed protocol - 3WAY - not only decreases one protocol flow, but also achieves source authentication and integrity protection for every flow and refreshes keys in a more secure manner.

The Protocol Composition Logic (PCL) is introduced and extended, which is used to

  • 【Classification number】TN925.93;TP393.08
