Similar literature
18 similar documents found; search took 93 ms
1.
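Identity authentication and access control are important aspects of Internet applications. Traditional schemes are usually tailored to specific applications and cannot be used for mobile terminals in pervasive computing environments. This paper proposes a new access control model that uses the Host Identity Protocol (HIP) defined by the IETF and extends the HIP base exchange to authenticate users. In this way it also achieves bound authentication of the client host identity and the user identity, establishing a binding between host and user.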

2.
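周敏, 陈鸣, 邢长友, 蒋培成. Journal on Communications (《通信学报》), 2012, 33(Z2): 270-275
To address issues in the practical deployment of the Host Identity Protocol (HIP), a HIP-based secure IP communication system (HIPSCS, HIP based secure communication system) is designed and implemented. By uniquely associating the host identifier (HI) with a user identity certificate, the system ties host identities to real names so that the source address of network packets is authentic and trustworthy, and it encrypts all communication data with IPsec to achieve secure communication. A HIPSCS prototype was implemented and deployed in a laboratory environment. Experiments show that the system is highly usable and supports mobile communication well.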

3.
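赵英. Communications Technology (《通信技术》), 2007, 40(9): 67-69
The Host Identity Protocol (HIP) gives a host an independent identifier, the HI, which serves as the unique identifier representing the host and is used to verify the host's identity. Although HIP specifies how hosts that hold an HI are authenticated and how security associations are established, it does not address the mapping between a host and its HI. This paper uses PKI registration to issue certificates that record the host-to-HI correspondence, ensuring the authority of the mapping between host identity and HI, and extends the HIP base exchange to verify the authenticity of the certificate, so that together with HIP it forms a complete network security architecture.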

4.
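方智敏, 诸葛理绣. Information Technology (《信息技术》), 2005, 29(11): 124-126, 156
To address the access security and manageability problems faced by intranets, an application solution is proposed that incorporates the access control technology of a 3A system. By performing multi-element bound authentication of users and hosts at access time and monitoring the network status of online users, it achieves unified control and management of accessing users, hosts, and network resources.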

5.
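Using PKI/PMI technology, this article designs an overall security scheme for Web applications that provides identity authentication and access control. It adopts role-based access control and divides attribute certificates into role assignment certificates and role specification certificates, which represent a user's roles and the permissions corresponding to a role, respectively. An application in a campus network illustrates how identity authentication and secure access control are implemented.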

6.
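By introducing rendezvous servers for host identifiers into the existing Domain Name System (DNS), the mapping from host domain names to host identifiers is realized hierarchically, which solves the large location-update delay of the DNS under the Host Identity Protocol (HIP). On top of the rendezvous servers, a new DNS resource record for rendezvous servers is introduced, extending the existing DNS, and on this basis the location management mechanism under HIP is studied.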

7.
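This paper designs a Web-based host management system that manages host resources through identity authentication of host users and permission-based access control.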

8.
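In traditional TCP/IP networks, the IP address plays the dual role of host identifier and routing locator. The Host Identity Protocol (HIP) brings a significant change to the network layering: it strips the host-identification function away from IP, resolving the difficulties caused by multiple protocols relying on the IP address as an identity. By applying HIP to mobile terminals, this paper ensures that communication is not interrupted when a mobile terminal switches networks (changes its IP address), providing basic technical support for the convergence of heterogeneous networks.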

9.
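This paper proposes a host intrusion detection technique for U2R attacks on computational grids. The BV method is used at the host layer to reduce the false negative and false positive rates. Using a BV method implemented with integer comparisons in the host operating system kernel not only incurs little system overhead but also allows detection of the use of critical host resources. In addition, by integrating the grid access control mechanism, the intruder is accurately identified in the grid environment, and information about grid users' use of host resources is provided to the grid middleware layer to support further user behavior analysis.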

10.
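Unified identity authentication and access control based on J2EE filter technology (cited 2 times in total: 0 self-citations, 2 citations by others)
To address the security of information application systems, and in particular the security of user authentication and access control themselves, the principles of user authentication and access control and the J2EE Servlet filter technology were analyzed and studied. Based on the characteristics of Web application systems and J2EE Servlet filter technology, a method for implementing unified user authentication and access control for enterprise information application systems is proposed and has been applied in a J2EE application framework. The results show that the method meets the design requirements and improves the security of enterprise information application systems.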

11.
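汪陈伍, 李广华. Communications Technology (《通信技术》), 2009, 42(7): 218-219
In future wireless communication networks such as 4G, different wireless technologies and infrastructures will coexist. In these heterogeneous network environments, mobility management is a key issue. This paper proposes a new mobility management scheme based on two protocols: the Host Identity Protocol (HIP) and the Session Initiation Protocol (SIP). The scheme is called HSIP (HIP-SIP). Compared with SIP, HSIP performs better, with lower signaling overhead, shorter delay, and faster handover.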

12.
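To address the lack of support for node micro-mobility in the existing HIP mechanism, this paper proposes a HIP mobility support mechanism based on dynamic hierarchical location management. In this mechanism the network is divided into multiple autonomous domains, and each autonomous domain is divided into multiple registration domains. When a node moves within the same registration domain, the location update is performed at the local rendezvous server managing that registration domain; when a node moves within the same autonomous domain, the location update is performed at the gateway rendezvous server managing that autonomous domain. A node selects its local rendezvous server and computes the optimal size of the registration domain according to its own movement speed and call arrival rate. Simulation results show that the mechanism effectively reduces the signaling overhead of node movement and supports node micro-mobility.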

13.
Interworking between wireless local area network (WLAN) and the 3rd Generation Partnership Project (3GPP) such as Long Term Evolution (LTE) is facing more and more problems linked to security threats. Securing this interworking is a major challenge because of the vastly different architectures used within each network. Therefore, security is one of the major technical concerns in wireless networks that include measures such as authentication and encryption. Among the major challenges in the interworking security is the securing of the network layer. The goal of this article is twofold. First, we propose a new scheme to secure 3GPP LTE–WLAN interworking by the establishment of an improved IP Security tunnel between them. The proposed solution combines the Internet Key Exchange (IKEv2) with the Host Identity Protocol (HIP) to set up a security association based on two parameters, which are location and identity. Our novel scheme, which is called HIP_IKEv2, guarantees better security properties than each protocol used alone. Second, we benefit from Mobile Internet Key Exchange protocol (MOBIKE) in case of mobility events (handover). And we extend HIP_IKEv2 to HIP_MOBIKEv2 protocol in order to reduce the authentication signaling traffic. The proposed solution reinforces authentication, eliminates man‐in‐the‐middle attack, reduces denial‐of‐service attack, assures the integrity of messages, and secures against replay attack. Finally, our proposed solution has been modeled and verified using the Automated Validation of Internet Security Protocols and Applications and the Security Protocol Animator, which has proved its security when an intruder is present. Copyright © 2014 John Wiley & Sons, Ltd.

14.
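Research on a biometric authentication system based on PKI and PMI (cited 1 time in total: 0 self-citations, 1 citation by others)
Biometric authentication, as an accurate and efficient method of identity authentication, is increasingly widely used in the authentication field. However, no general-purpose biometric authentication system for open networks has yet appeared. Because X.509-based public key infrastructure (PKI) and privilege management infrastructure (PMI) are widely used and effective authentication and privilege management technologies in open networks, this paper proposes, on the basis of PKI and PMI, a novel general-purpose biometric authentication system based on biometric certificates that provides both identity authentication and privilege management. Finally, the feasibility and operability of the PKI- and PMI-based biometric authentication system are verified by designing a high-security biometric smart card that implements an identity authentication and privilege management system.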

15.
Femtocells are commissioned in a wide range of commercial systems, such as CDMA, GSM, LTE, Wi-Fi, and WiMAX, and offer economically viable solutions to improve network scalability and indoor coverage. The ability to offer a multitude of context-aware and value added services, and per-user customization have caught world-wide research interest on femtocells. In this article, we have investigated the feasibility to use femtocells as short-range mobile base stations, and discussed the demanding architectural requirements and challenges. The protocol stack on legacy femtocells must be modified to realize mobility. Mobility introduces new challenges in security and user privacy. Firstly, we analyze several candidate mobility protocols that are deployable on Mobile Femtocells (MFs). Among them, Host Identity Protocol (HIP) was chosen due to enhanced support in flexible mobility, security and end-user privacy. Secondly, we propose the indispensable modifications that enable device mobility, and the suitable transport architecture options based on direct IP links and relay chains. Finally, with the simulation results, the proposal is verified, and the architectural options are evaluated. That, in turn, proves the proposed mobility protocol has low latency in location locking with respect to another competing protocol and low resource utilization as it is depicted from mean round trip time.

16.
Host Identity Protocol (HIP) is designed to provide secure and continuous communication by separating the identifier and locator roles of the Internet Protocol (IP) address. HIP also has efficient solutions to support host mobility. In this paper, we propose a location management scheme based on Domain Name System (DNS) for HIP. In the proposed scheme, a new DNS HIP resource record is used to translate a domain name into a host identity tag and an IP address. We also develop an analytical model to study the performance of DNS as location manager in terms of success rate, which takes into account the velocity of mobile nodes, the radius of a subnet, the regional network size, the packet transmission delay between the mobile node and the rendezvous server, and the packet processing delay at the DNS and the rendezvous server. The performance results show that for a reasonable range, the DNS is a feasible solution for location management with high success rate for HIP.
Hongke Zhang

17.
The IP Multimedia Subsystem (IMS) is an access-independent, IP based, service control architecture. Users’ authentication to the IMS takes place through the AKA (Authentication and Key Agreement) protocol, while Generic Bootstrapping Architecture (GBA) is used to authenticate users before accessing the multimedia services over HTTP. In this paper, we focus on the performance analysis of an IMS Service Authentication solution that we proposed and that employs the Identity Based Cryptography (IBC) to personalize each user access. We carry out the implementation of this solution on top of an emulated IMS architecture and evaluate its performance through different clients’ access scenarios. Performance results indicate that increase in the number of clients does not influence the average processing time and the average consumed resources of the GBA entities during the authentication. We also notice that the Bootstrapping Server Function (BSF) presents a bottleneck during the service authentication which helps in giving some guidelines for the GBA entities deployment.

18.
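The unified identity authentication system centrally manages users and the individual application systems (member sites) on campus. Each registered campus network user has a single network account (username/password), and the system provides unified identity authentication and single sign-on services for user applications. This paper gives a preliminary discussion of the security of unified identity authentication in digital campus networks and describes in detail an implementation based on the RSA algorithm.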
