Similar literature
18 similar documents found; search took 79 ms
1.
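Identity-based anonymous roaming protocol for heterogeneous wireless networks   Total citations: 1, self-citations: 0, citations by others: 1
Jiang Qi, Ma Jianfeng, Li Guangsong, Liu Hongyue. Journal on Communications (《通信学报》), 2010, 31(10): 138-145
The security flaws of an identity-based authentication model are analyzed, showing that the scheme is vulnerable to an identity impersonation attack and cannot achieve user identity authentication. An improved scheme is proposed to realize anonymous roaming in heterogeneous wireless networks. Compared with the original scheme, the improvements lie mainly in two aspects: first, it remedies the security flaws of the original protocol and is provably secure in the CK model; second, it simplifies the protocol flow and improves the protocol's efficiency.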

2.
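Identifier-based anonymous authentication protocol in heterogeneous wireless networks   Total citations: 1, self-citations: 0, citations by others: 1
To address the security problems of authentication protocols in heterogeneous wireless networks, a mutual authentication and key agreement protocol based on the CPK algorithm and an improved ECDH algorithm is proposed. The user's temporary authentication identity and temporary communication identity are introduced to achieve user identity anonymity; an ordered pair of temporary communication identities is proposed to prevent replay attacks during re-authentication; and the protocol design avoids the risks brought by key leakage. Analysis shows that the protocol provides security properties including identity authentication, session key security, and anonymity.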

3.
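Public-key-based provably secure authentication scheme for heterogeneous wireless networks   Total citations: 4, self-citations: 0, citations by others: 4
This paper addresses access security in 3G-WLAN heterogeneous networks, abstracts the entities of the heterogeneous network, and establishes a general authentication model. Based on this model, a new access authentication and key agreement scheme is designed using the Canetti-Krawczyk (CK) model. The scheme uses public key infrastructure to distribute public keys, simplifying the authentication process and authentication information between the access-side server and the home-side server; it uses elliptic curve cryptography to reduce the authentication computation of the mobile terminal; finally, the proposed protocol is formally analyzed and proved using the CK model. Analysis shows that the scheme is secure and effective.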

4.
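The Secure Wireless Roaming (SWR) protocol allows a user belonging to a home server, when roaming to a foreign location, to mutually authenticate with the foreign server and establish a secure session key. On this basis, an anonymous SWR protocol guarantees the anonymity and untraceability of the roaming user even if all foreign servers collude. This paper proposes an anonymous secure wireless roaming protocol, SYM-SWR (SYMmetric key based SWR). As far as is currently known, it is the first anonymous SWR based entirely on symmetric keys. Compared with other known protocols, SYM-SWR has the lowest communication complexity and computational complexity, because SYM-SWR requires only 4 message transmissions and, instead of a PKI (Public Key Infrastructure), uses two efficient operations: message authentication codes (MAC) and symmetric-key encryption.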

5.
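Direct anonymous trusted access authentication scheme for wireless networks   Total citations: 1, self-citations: 0, citations by others: 1
Yang Li, Ma Jianfeng, Pei Qingqi, Ma Zhuo. Journal on Communications (《通信学报》), 2010, 31(8): 98-104
Based on the idea of direct anonymous attestation, a trusted access authentication scheme for mobile users in wireless mobile networks is proposed, which authenticates the mobile user's identity while using the direct anonymous attestation method to verify the legitimacy and trustworthiness of the platform identity. In the scheme, the foreign network agent server directly verifies the trustworthiness of the mobile user's platform and, together with the home network agent server, verifies the mobile user's identity; temporary identities and one-time keys are used to preserve the anonymity of the user's identity. Analysis shows that the scheme provides domain separation and fairness of key agreement, and that its performance meets the security requirements of wireless mobile network environments.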

6.
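With the widespread use of wireless mobile terminals, problems such as roaming authentication and identity confidentiality have become increasingly prominent. This paper analyzes the anonymity and security problems of existing roaming authentication protocols and points out that none of them can simultaneously provide full anonymity for the mobile terminal and filtering of illegitimate authentication requests by the visited network; it then proposes a new anonymous authentication protocol targeted at this gap. The protocol is based on elliptic curve encryption and a proxy signature mechanism, and achieves full anonymity and filtering of illegitimate authentication requests by having a subset of mobile terminals randomly share proxy signature key pairs. In addition, the protocol uses a reverse key chain to achieve fast re-authentication. Comparative analysis and verification with the formal verification tool AVISPA show that the new protocol achieves full anonymity, filtering of illegitimate authentication requests, mutual authentication, and secure distribution of session keys; it improves security, reduces computational load, and is suitable for energy-constrained mobile terminals.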

7.
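Trusted access for wireless networks authenticates the mobile user's identity while using a direct anonymous approach to verify the legitimacy and trustworthiness of the platform identity. The foreign network agent server and the home network agent server doubly verify the mobile user's identity, use a temporary identity and one-time keys to preserve the anonymity of the user's identity, and directly verify the trustworthiness of the mobile user's platform.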

8.
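The Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) protocol is combined with Direct Anonymous Attestation (DAA), simplifying the mutual certificate exchange and authentication between user and server in EAP-TLS, removing redundant steps, and merging the handshake process of EAP-TLS with the anonymous authentication process of DAA. The Trusted Platform Module (TPM) is introduced into the wireless local area network (WLAN) to achieve anonymous authentication of user identity. This relieves the certificate management burden of the EAP-TLS protocol, has no efficiency bottleneck, offers a higher level of security than EAP-TLS, and effectively resists security threats such as replay attacks, man-in-the-middle attacks, and denial of service (DoS) attacks.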

9.
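Chen Ming. Acta Electronica Sinica (《电子学报》), 2019, 47(1): 16-24
Because low-power mobile devices have limited computing and storage capabilities, designing an efficient and strongly secure two-party anonymous roaming authentication and key agreement scheme is a challenging task. Existing schemes not only have high computational overhead but also cannot resist ephemeral secret leakage attacks. To address these two shortcomings, a new two-party anonymous roaming authentication and key agreement scheme is proposed. In the new scheme, an efficient identity-based signcryption algorithm is designed based on the Schnorr signature mechanism, and the properties of signcryption are used to achieve mutual authentication and untraceability of entities; the public and private keys of the two authenticating parties are used to directly construct an instance of the Computational Diffie-Hellman (CDH) problem, which resists ephemeral secret leakage attacks. The new scheme is provably secure: building on the eCK (extended Canetti-Krawczyk) model, the cases that may arise in the security proof of two-party roaming authenticated key agreement schemes are examined, summarized, and extended, and a security proof of the new scheme is given, with its security reduced to a polynomial-time adversary solving the CDH problem on elliptic curves. Comparative analysis shows that the new scheme is more secure, requires fewer algorithm libraries to be implemented, and has lower computation and communication overhead. The new scheme can be applied to mobile communication networks, the Internet of Things, or ubiquitous networks to provide roaming access services for resource-constrained mobile terminals.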

10.
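Jiang Jun, He Chen, Jiang Lingge. Acta Electronica Sinica (《电子学报》), 2005, 33(B12): 2294-2300
For secure first-hop communication in the heterogeneous network model BRAIN (Broadband Radio Access for IP based Network), a new mutual authentication and key exchange protocol based on the Canetti-Krawczyk (CK) provable security model is proposed. Following the model's method, a hybrid key exchange protocol HKE in the ideal environment is first constructed and proved; an existing secure message transmission authenticator is then used to construct an authenticator suited to the secure first hop of the BRAIN network. Finally, the authenticator is used to automatically compile the ideal HKE protocol, yielding the provably secure and practical PHKE protocol. Comparative analysis shows that the protocol is more secure and effective.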

11.
A serious challenge for seamless roaming between independent wireless LANs (WLANs) is how best to confederate the various WLAN service providers, each having different trust relationships with individuals and each supporting their own authentication schemes, which may vary from one provider to the next. We have designed and implemented a comprehensive single sign-on (SSO) authentication architecture that confederates WLAN service providers through trusted identity providers. Users select the appropriate SSO authentication scheme from the authentication capabilities announced by the WLAN service provider, and can block the exposure of their privacy information while roaming. In addition, we have developed a compound Layer 2 and Web authentication scheme that ensures cryptographically protected access while preserving pre-existing public WLAN payment models. Our experimental results, obtained from our prototype system, show that the total authentication delay is about 2 seconds in the worst case. This time is dominated primarily by our use of industry-standard XML-based protocols, yet is still small enough for practical use. Ana Sanz Merino received her B.S. degree in Electrical Engineering from Universidad Politécnica de Madrid (Spain) in 1999. She was the recipient of the Fundación Telefónica award to the best final thesis in telecommunications networks and services published in Spain in the 1999–2000 academic year. Her area of expertise is data communications, a field in which she has worked in R&D since 1998, first at Universidad Politécnica de Madrid, and later for two companies in the telecom sector, Telefónica and Ericsson. Presently, she is a student of the M.S. in Computer Science and a researcher at University of California, Berkeley, where she works on wireless network security with Professor Randy H. Katz. Yasuhiko Matsunaga is a researcher at NEC Corporation, Japan. He specializes in resource and security management in wireless and broadband networks. 
He received B.S and M.S degrees from the University of Tokyo in 1992 and 1994. He was a visiting researcher at the computer science division at the University of California, Berkeley from Dec. 2002 to Dec. 2003. Manish Shah is a third year undergraduate student at University of California, Berkeley Computer Science Department. He has been doing research with Prof. Katz and the Sahara Group since May 2003. His research interests are networking related focusing on wireless systems and technologies. He has recently been involved in sensor network related research. Takashi Suzuki received B.E and M.E. degrees in communication engineering from Osaka University, Japan, in 1994 and 1996, respectively. In 1996, he joined NTT DoCoMo, Japan, where he was engaged in research and development of mobile multimedia communication protocols. He was a visiting industrial fellow at University of California, Berkeley from 2001 to 2003, where he worked on web service security and WLAN security. He is now engaged in research on secure mobile terminal architecture at Multimedia Laboratories of NTT DoCoMo. Randy Howard Katz received his undergraduate degree from Cornell University, and his M.S. and Ph.D. degrees from the University of California, Berkeley. He joined the faculty at Berkeley in 1983, where he is now the United Microelectronics Corporation Distinguished Professor in Electrical Engineering and Computer Science. He is a Fellow of the ACM and the IEEE, and a member of the National Academy of Engineering. He has published over 200 refereed technical papers, book chapters, and books. His hardware design textbook, Contemporary Logic Design, has sold over 85,000 copies worldwide, and has been in use at over 200 colleges and universities. He has supervised 35 M.S. theses and 21 Ph.D. dissertations, and leads a research team of over a dozen graduate students, technical staff, and industrial visitors. 
He has won numerous awards, including seven best paper awards, one “test of time” paper award, one paper selected for a 50 year retrospective on IEEE communications publications, three best presentation awards, the Outstanding Alumni Award of the Computer Science Division, the CRA Outstanding Service Award, the Berkeley Distinguished Teaching Award, the Air Force Exceptional Civilian Service Decoration, the IEEE Reynolds Johnson Information Storage Award, the ASEE Frederic E. Terman Award, and the ACM Karl V. Karlstrom Outstanding Educator Award. With colleagues at Berkeley, he developed Redundant Arrays of Inexpensive Disks (RAID), a $25 billion per year industry sector today. While on leave for government service in 1993–1994, he established whitehouse.gov and connected the White House to the Internet. His current research interests are Internet Services Architecture, Mobile Internet, and the technologies underlying the convergence of telecommunications and packet networks. Prior research interests have included: database management, VLSI CAD, and high performance multiprocessor and storage architectures. This revised version was published online in August 2005 with a corrected cover date.

12.
    
When one considers the broad range of wirelessly connected mobile devices used today, it is clear that integrating such network‐enabled devices into secure roaming over wireless networks is of essential importance. Over the years, many authentication protocols have been suggested to address this issue. Among these protocols, the recently proposed privacy‐preserving universal authentication protocol, Priauth, exceeds the security and efficiency of other authentication techniques. This paper studies the existing roaming authentication protocols and shows that they are not strong enough to provide secure roaming services in three aspects. Further, using Priauth as an example, we propose efficient remedies that fix the weaknesses. The experimental results show that the proposed approaches are feasible in practice. Copyright © 2012 John Wiley & Sons, Ltd.

13.
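Liu Dan, Shi Runhua, Zhang Shun, Zhong Hong. Journal on Communications (《通信学报》), 2016, 37(7): 182-192
To meet the privacy protection requirements of roaming authentication in wireless mobile networks, a new anonymous roaming authentication scheme is proposed. Online/offline signature techniques are introduced and skillfully combined with an aggregate verification method to design a certificateless aggregate signature scheme. Compared with related schemes, this signature scheme reduces the computational overhead of signing and verification and improves communication efficiency. Then, based on this signature scheme, a new and efficient anonymous roaming authentication scheme is proposed that simplifies the traditional three-party roaming authentication model. Theoretical analysis shows that the scheme is secure and effective, and is especially suitable for large-scale wireless mobile networks.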

14.
Numerous authentication approaches have been proposed recently for the global mobility network (GLOMONET), which provides mobile users with global roaming services. In these authentication schemes, the home network operators can easily obtain the authentication key and wiretap the confidentiality between the roaming user and the visited network. This investigation provides a solution of authentication techniques for GLOMONET in order to prevent this weakness from happening and presents a secure authentication protocol for roaming services. In addition, a round-efficient version of the same authentication protocol is presented. Comparing with other related approaches, the proposed authentication protocol involves fewer messages and rounds in communication. Tian-Fu Lee was born in Tainan, Taiwan, ROC, in 1969. He received his B.S. degree in Applied Mathematics from National Chung Hsing University, Taiwan, in 1992, and his M.S. degree in Computer Science and Information Engineering from National Chung Cheng University, Taiwan, in 1998. He works as a lecturer in Leader University and pursues his Ph.D. degree at Department of Computer Science and Information Engineering, National Cheng Kung University, Taiwan. His research interests include cryptography and network security. Chi-Chao Chang received the BS degree in Microbiology from Soochow University in 1990 and the MS degree in Computer Science from State University of New York at Albany in 1992. He is currently working as an instructor in Chang Jung Christian University and a graduate student in National Cheng Kung University. His research interests are information security, mobile agent systems, anonymous digital signatures and quantum cryptography. Tzonelih Hwang was born in Tainan, Taiwan, in March 1958. He received his undergraduate degree from National Cheng Kung University, Tainan, Taiwan, in 1980, and the M.S. and Ph.D. degrees in Computer Science from the University of Southwestern Louisiana, USA, in 1988. 
He is presently a professor in Department of Computer Science and Information Engineering, National Cheng Kung University. His research interests include cryptology, network security, and coding theory.

15.
    
To ensure the security and privacy of patients' health data in a wireless body area network (WBAN), the communicating parties must be mutually authenticated. Some existing schemes use bilinear pairings, which lead to a larger computation cost for users, and tree-structured revocation leads to a larger storage cost for users. In order to achieve revocation and reduce the cost on the user side, a novel revocable certificateless remote anonymous authentication protocol for WBAN was proposed, using elliptic curve cryptography and a revocation algorithm that revokes users by updating their time-private-keys. Security requirements including anonymity, mutual authentication and session key establishment are satisfied in the proposed scheme. Compared with the existing schemes, the experimental analysis shows that the computation cost and storage cost of the authentication protocol are greatly reduced, which makes it more suitable for resource-constrained WBAN. Security analysis also shows that the protocol is secure in the random oracle model.

16.
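This paper proposes a security management system suitable for mobile networks. Because the visited network can authenticate roaming users independently, the system is called Independent Security Management (ISM). An authentication protocol for roaming users is designed based on ISM. Comparative analysis of the protocol shows that, relative to other security management systems, the outstanding advantages of ISM are a clear division of security responsibilities and high authentication efficiency.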

17.
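Wireless LAN technology and applications   Total citations: 1, self-citations: 0, citations by others: 1
He Xiaoyu. Telecommunications Science (《电信科学》), 2003, 19(3): 42-45
As an extension of and complement to broadband wired access networks, the wireless local area network (WLAN), with its flexibility and mobility, has attracted growing attention from the industry and shows great application prospects. This article introduces the main WLAN standards and the characteristics and advantages of the technology, and describes its application in light of China Telecom's actual situation.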

18.
    
A conditional privacy-protection remote user authentication scheme based on a certificateless group signature was proposed, which can accomplish anonymous mutual authentication between the user and the remote doctors. In addition, when the doctors perceive that users are in an emergency, the mechanism enables only the group manager (GM) to expose the real identity information of users and give users timely assistance. The scheme provides anonymity, traceability, mutual authentication, non-repudiation and some other security features. The performance analysis results show that the scheme is more suitable for WBAN.
