基于USIM卡的B3G安全接入技术的研究与实现
|
摘要
对移动通信系统而言,无线接入域是其区别于固定通信网络的标志,移动信道的开放特性和衰落特性,对移动接入的安全机制提出了更高的要求。第二代移动通信的GSM系统引入了智能卡作为用户身份认证模块,把SIM卡应用于移动通信网络实现网络对用户进行认证并产生会话密钥。第三代移动通信系统的用户安全接入,使用USIM卡进行认证,虽然实现了用户和网络之间的双向认证,弥补了GSM的用户认证缺陷,但是无线网络安全体系缺乏可扩展性、不可否认性,对移动终端的安全考虑不够充分和基于对称算法实现的身份认证技术,不能满足下一代通信系统——B3G(Beyond 3G)通信系统的安全需求。
以电子商务为主的无线应用和增值业务不断发展。以移动商务为例,可以开展移动股票、移动证券,移动采购,移动支付等多种类型的移动交易,在采用终端这种“非面对面”、“非面向连接”的交易方式时,除了交易本身的安全之外,交易者的身份真实性与交易的不可抵赖性显得尤其重要。高级的移动业务需要身份安全,身份安全要求移动终端具备可靠的身份认证能力。电信智能卡的安全体系结构和认证功能处于不断完善的过程中,更新一代的身份认证技术——指纹识别技术已经发展成熟,并开始被广泛应用。
本论文在这样的背景下,分析了第三代通信系统的安全机制和UMTS鉴权中的身份认证,针对认证存在的问题、算法的漏洞、鉴权模式的脆弱性,结合B3G通信系统的安全需求和发展趋势,构建B3G的用户认证模块——USIM卡,并基于这个平台结合PIN码、用户指纹特征实现用户安全身份认证,以满足下一代通信系统的接入安全和认证体系结构。
USIM卡的数据安全写机制,保证了卡片在写数据操作中数据的完整性和合法性,避免由于数据更新操作中断而造成卡内数据紊乱。本文身份认证方案基于USIM卡的安全特性,利用RSA机制和SHA-1算法将PIN码和指纹紧密融合,选择随机数代替时间戳技术抵抗重放攻击,并由示证和认证双方共同生成随机因子;用户请求采用预计算的方式,有效减少了实时计算量。更主要的是这种身份认证的机制依赖认证流程中的采用非对称算法的关键环节,实现了对身份认证信息在一定程度上的不可否认性保护,强化了B3G用户域安全。
For mobile radio communications, the wireless access is the most important icon compared with fixed networks. The openness and fading features appeal for higher security. The second Generation (2G) Mobile system GSM uses smart card as subscriber identity module, which assures that the network authenticates the users and generates session keys. Secure access based on USIM in the third Generation (3G) Mobile radio network completes duplex authentication and covers the authentication weaknesses in GSM system. But their secure architecture is short of extensible, non-repudiation, identity authentication technology based on symmetrical algorithm, which is can't satisfy the new requirements of next communications. With the development of multi-application, multi-system, wireless network e-commerce and value-added services, the existing security mechanisms can't meet a high level of security demand in the Beyond 3G (B3G) network.
The e-commerce-based wireless application and value-added services develop fast. For example, various services such as mobile stock, mobile securities, mobile procurement, and mobile payments all can be offered by mobile business. During the process of the transactions which make use of a 'non-face-to-face', 'non-connection-oriented' skills, the identity of the authenticity and non-repudiation of transactions are particularly important, in addition to the safety of the transaction itself. Advanced mobile business needs the security of identity which make a high requirement for the mobile terminals' capability at the aspect of identity authenticity. The security architecture and authentication mechanism of telecommunication smart card developed continuously. A new set of identity authenticity technology, fingerprint recognition, has been developed, and began to be widely used.
Therefore, this article analysis the security mechanism and identity authentication technology in 3G network and UMTS authentication model, discuss access security features and mechanism in B3G Network for the security weaknesses, the algorithm shortcomings, the authentication vulnerabilities in 3G. In order to meet the development trend and security needs in B3G communication systems, this article designs and construct a multi-application smart card platform for access security in B3G, puts forward an identity authentication scheme based on the PIN code, fingerprint characteristics, Universal Subscriber Identity Module (USIM) card. This solution will satisfy the access security and identity authentication architecture for the next generation communication systems.
Writing data security mechanism of the USIM card ensures the card data integrity and legitimacy, and avoids data disorder caused by interruption of data updating operations. The identity authentication based on PIN code, fingerprint and USIM card makes use of RSA cryptosystem and SHA-1 hash algorithm, and realizes mutual identity authentication among user, USIM card and the network. The scheme avoids masquerade attack, replay attack and the harm caused by illegal theft. The random factor is generated by the mutual parties to guarantee the authentication fairness. Pre-calculation is used in user ends to reduce the real-time calculation and make the scheme satisfy real-time requirement of mobile communication system. What is more important is that the article presents a non-symmetrical algorithm to protect the authentication information's non-repudiation and strengthen the user's domain security. It protects the information in authentication more safely. To a certain extent the expense of the single authentication time gains security enhancement.
以电子商务为主的无线应用和增值业务不断发展。以移动商务为例,可以开展移动股票、移动证券,移动采购,移动支付等多种类型的移动交易,在采用终端这种“非面对面”、“非面向连接”的交易方式时,除了交易本身的安全之外,交易者的身份真实性与交易的不可抵赖性显得尤其重要。高级的移动业务需要身份安全,身份安全要求移动终端具备可靠的身份认证能力。电信智能卡的安全体系结构和认证功能处于不断完善的过程中,更新一代的身份认证技术——指纹识别技术已经发展成熟,并开始被广泛应用。
本论文在这样的背景下,分析了第三代通信系统的安全机制和UMTS鉴权中的身份认证,针对认证存在的问题、算法的漏洞、鉴权模式的脆弱性,结合B3G通信系统的安全需求和发展趋势,构建B3G的用户认证模块——USIM卡,并基于这个平台结合PIN码、用户指纹特征实现用户安全身份认证,以满足下一代通信系统的接入安全和认证体系结构。
USIM卡的数据安全写机制,保证了卡片在写数据操作中数据的完整性和合法性,避免由于数据更新操作中断而造成卡内数据紊乱。本文身份认证方案基于USIM卡的安全特性,利用RSA机制和SHA-1算法将PIN码和指纹紧密融合,选择随机数代替时间戳技术抵抗重放攻击,并由示证和认证双方共同生成随机因子;用户请求采用预计算的方式,有效减少了实时计算量。更主要的是这种身份认证的机制依赖认证流程中的采用非对称算法的关键环节,实现了对身份认证信息在一定程度上的不可否认性保护,强化了B3G用户域安全。
For mobile radio communications, the wireless access is the most important icon compared with fixed networks. The openness and fading features appeal for higher security. The second Generation (2G) Mobile system GSM uses smart card as subscriber identity module, which assures that the network authenticates the users and generates session keys. Secure access based on USIM in the third Generation (3G) Mobile radio network completes duplex authentication and covers the authentication weaknesses in GSM system. But their secure architecture is short of extensible, non-repudiation, identity authentication technology based on symmetrical algorithm, which is can't satisfy the new requirements of next communications. With the development of multi-application, multi-system, wireless network e-commerce and value-added services, the existing security mechanisms can't meet a high level of security demand in the Beyond 3G (B3G) network.
The e-commerce-based wireless application and value-added services develop fast. For example, various services such as mobile stock, mobile securities, mobile procurement, and mobile payments all can be offered by mobile business. During the process of the transactions which make use of a 'non-face-to-face', 'non-connection-oriented' skills, the identity of the authenticity and non-repudiation of transactions are particularly important, in addition to the safety of the transaction itself. Advanced mobile business needs the security of identity which make a high requirement for the mobile terminals' capability at the aspect of identity authenticity. The security architecture and authentication mechanism of telecommunication smart card developed continuously. A new set of identity authenticity technology, fingerprint recognition, has been developed, and began to be widely used.
Therefore, this article analysis the security mechanism and identity authentication technology in 3G network and UMTS authentication model, discuss access security features and mechanism in B3G Network for the security weaknesses, the algorithm shortcomings, the authentication vulnerabilities in 3G. In order to meet the development trend and security needs in B3G communication systems, this article designs and construct a multi-application smart card platform for access security in B3G, puts forward an identity authentication scheme based on the PIN code, fingerprint characteristics, Universal Subscriber Identity Module (USIM) card. This solution will satisfy the access security and identity authentication architecture for the next generation communication systems.
Writing data security mechanism of the USIM card ensures the card data integrity and legitimacy, and avoids data disorder caused by interruption of data updating operations. The identity authentication based on PIN code, fingerprint and USIM card makes use of RSA cryptosystem and SHA-1 hash algorithm, and realizes mutual identity authentication among user, USIM card and the network. The scheme avoids masquerade attack, replay attack and the harm caused by illegal theft. The random factor is generated by the mutual parties to guarantee the authentication fairness. Pre-calculation is used in user ends to reduce the real-time calculation and make the scheme satisfy real-time requirement of mobile communication system. What is more important is that the article presents a non-symmetrical algorithm to protect the authentication information's non-repudiation and strengthen the user's domain security. It protects the information in authentication more safely. To a certain extent the expense of the single authentication time gains security enhancement.
引文
[1]Kocher P,Jaffe J,Jun B.Differential Power Analysis:Leaking Secrets[C].Proceedings of CRYPTO'99,1999:388-397.
[2]Messegers T S,Dabbish E,Sloan R.Inverstigations of Power Analysis Attacks on smartcard[C].Proceeding of USENIX Workshop on Smartcard Technology.May 1999:151-161.
[3]Kambourakis G;Rouskas A,Gritzalis S.Performance Evaluation of Public Key-Based Authentication in Future Mobile Communication Systems[J].EURASIP Journal on Wireless Communications and Networking.20041(1):184-197.
[4]3GPP TS 33.203.Access security for IP-based services[S].V7.5.0,Mar.2007.
[5]Celentano D,Fresa A,Longo M,et al.Secure Mobile IPv6 for B3G Networks[J].International Conference on Software in Telecommunications and Computer Networks,2006:331-335.
[6]Munoz M,Rubio C G.A New Model for Service and Application Convergence in B3G/4G Networks[J].IEEE Wireless Communications,2004,11(5):6-12.
[7]R.Tafazolli.Technologies for the Wireless Future[M].New York.NY,USA:John Wiley and Sons.2004.
[8]3GPP TS 33.102 v7.1.0.3G Security;Security architecture[S].Release7(2006-12),2006.
[9]3GPP TS 21.133 v4.1.0.3G Security;Security Threats and Requiements[S].Release4(2002-01),2002.
[10]3GPP TS 35.205 v6.0.0.3G Security;Specification of the MILENAGE Algorithm Set:An example algorithm set for the 3GPP authentication and key generation functions f1,f1~*,f2,f3,f4,f5 and f5~*;Document 1:General[S].Release6(2005-01),2005.
[11]3GPP TS 35.206 v6.0.0.3G Security;Specification of the MILENAGE Algorithm Set:An example algorithm set for the 3GPP authentication and key generation functions f1,f1~*,f2,f3,f4,f5 and f5~*;Document 2:Algorithm specification[S].Release6(2005-01),2005.
[12]3GPP TS 35.207 v6.0.0.3G Security;Specification of the MILENAGE Algorithm Set:An example algorithm set for the 3GPP authentication and key generation functions f1,f1~*,f2,f3,f4,f5 and f5~*;Document 1: Implementors'test data[S].Release6(2005-01),2005.
[13]3GPP TS 35.208 v6.0.0.3G Security;Specification of the MILENAGE Algorithm Set:An example algorithm set for the 3GPP authentication and key generation functions f1,f1~*,f2,f3,f4,f5 and f5~*;Document 1:Design conformance test data[S].Release 6(2005-01),2005.
[14]3GPP TS 35.201 v6.1.0.Specification of the 3GPP confidentiality and integrity algorithms;Document 1;f8 and f9 specifications[S].Release 6(2005-10),2005.
[15]3GPP TS 35.202 v6.1.0.Specification of the 3GPP confidentiality and integrity algorithms;Document 2:Kasumi algorithm specification[S].Release 6(2005-10),2005.
[16]3GPP TS 35.203 v6.0.0.Specification of the 3GPP confidentiality and integrity algorithms;Document 3:Implementors'test data[S].Release 6(2005-01),2005.
[17]3GPP TS 35.204 v6.0.0.Specification of the 3GPP confidentiality and integrity algorithms;Document 1:Design conformance test data[S].Release 6(2005-01),2005.
[18]Grecas C F,Maniafis S I,Venieris I S.Towards the Introducrion of the Asymmetric Cryptography in GSM,GPRS,and UMTS Networks[C].Proceedings of Sixth IEEE Symposium,Computers and Communications,July 2001:15-21.
[19]Koien G M.An introduction to access security in UMTS[J].IEEE Wireless Communications,200411(1):8-18.
[20]Gazis V,Houssos N,Alonistioti A,et al.Evolving Perspectives of 4th Generation Mobile Communication System[C].Proceedings of 13th IEEE Conference on Personal,Indoor and Mobile Radio Communications.Vol 1.Sept 15-18,2002,Coimbra,Protugal.Piscataway,NJ,USA:IEEE,2002:201-207.
[21]Karlich S,Zahariadis T,Zervos N,et al.A Self-Adaptive Service Provisioning Framework for 3G+/4G Mobile Applications[J].IEEE Wireless Communications,2004,11(5):48-56.
[22]Lach H Y,Janneteau C.Network Mobility in Beyond-3G Systems[J].IEEE Wireless Communication,2003,41(2):52-57.
[23]3GPP TS 33.234 V6.8.0.3G Security;Wireless Local Area Network(WLAN)interworking security[S].Release 6(2006-05),2006.
[24]3GPP TS 23.060 v5.12.0.General Packet Radio Service(GPRS)Service description;Stage 2[S].Release5(2006-01),2006.
[25]3GPP TS 23.934 V.6.7.0.3GPP system to Wireless Local Area Network(WLAN)interworking description[S].Released 6(2006-01),2006.
[26]Lee J K,Ryu S R,Yoo K Y.Fingerprint-based remote user authentication scheme using smart cards[J].Electronics Letters.June 2002,38(12):554-555.
[27]Lin C H,Lai Y Y A flexible biometrics remote user authentication scheme[J].Computer Standards & Interfaces,2004,27(1):19-23.
[28]MITCHELL C J,TANG Q.Security of the Lin-Lai smart card based user authentication scheme[EB/OL],http//www.rhul.ac.uk/mathematics/techreports,2005.
[29]Boyd C,Mathuria A.Protocols for Authentication and Key Establishment[M].Berlin:Springer-Verlag,2003.
[30]Hang K,Chang C.A self-encryption mechanism for authentication of roaming and teleconference services[J].IEEE Trans Wireless Commun.2003,2(2):400-407.
[31]Ku W C,Chang S T,Chiang M H.Further cryptanalysis of fingerprint-based remote user authentication scheme using smart cards[J].Electronics Letters.March 2005,41(5):240-241.
[32]Lu R,Cao Z.Efficient remote user authentication scheme using smart card[J].Computers Networks.2005,49(4):535-540
[33]Khan M K,Zhang J.Improving the security of 'a flexible biometrics remote user authentication scheme'[J].Computer Standards & Interfaces.January 2007,29(1):82-85.
[34]3GPP TS 31.102 V813.0 Characteristics of the USIM application[S].Release 1999,(2005-06),2006.
[35]3GPP TS 31.101 V6.5.1 UICC-terminal interface;Physical and logical characteristics[S].Release 6(2006-01),2006.
[36]3GPP TS 51.014 V4.5.0 Specification of the SIM Application Toolkit for the Subscriber Identity Module-Mobile Equipment(SIM-ME)[S].Release 4(2004-12),2004.
[37]李翔.智能卡研发技术与工程实践[M].北京:人民邮电出版社,2003:199-202.
[38]Liaw H T,Lin J F,Wu W C.An efficient and complete remote user authentication scheme using smart cards[J].Mathematical and Computer Modelling.July 2006,44(1-2):223-228.
[39]Khan M K.Further Cryptanalysis of 'A User Friendly Remote User Authentication Scheme with Smart Cards'[C].International Ccnference on Information and Emerging Technologies,6-7 July 2007:1-5.
[40]Jain A K,Hong L,Pankanti S,et al.An identity-authentication system using fingerprints[J].Proceeding of the IEEE.1997,85(9):1365-1388.
[41]李涛,曾英,甄姬娜.一种新的基于动态口令的远程双向认证[J].微计算机信息2007年23(11-3):38-40.
[42]Schneier B著.吴世忠,祝世雄,张文政等译.应用密码学—协议、算法与C 源程序[M].北京:机械工业出版社,2001:334-340.
[43]冯登国,林东岱,吴文玲.欧洲安全算法工程[M].北京:科学出版社,2003:128-149.
[44]张金颖,郑宇,路献辉,等.基于智能卡和指纹的动态口令鉴别方案[J].计算机应用.2005年11月,25(11):2554-2556.
[45]粟栗,王小非,郑明辉,等.基于RSA体制的数字移动通信系统用户认证方案[J].华中科技大学学报(自然科学版).2007年4月,35(4):11-13.
[2]Messegers T S,Dabbish E,Sloan R.Inverstigations of Power Analysis Attacks on smartcard[C].Proceeding of USENIX Workshop on Smartcard Technology.May 1999:151-161.
[3]Kambourakis G;Rouskas A,Gritzalis S.Performance Evaluation of Public Key-Based Authentication in Future Mobile Communication Systems[J].EURASIP Journal on Wireless Communications and Networking.20041(1):184-197.
[4]3GPP TS 33.203.Access security for IP-based services[S].V7.5.0,Mar.2007.
[5]Celentano D,Fresa A,Longo M,et al.Secure Mobile IPv6 for B3G Networks[J].International Conference on Software in Telecommunications and Computer Networks,2006:331-335.
[6]Munoz M,Rubio C G.A New Model for Service and Application Convergence in B3G/4G Networks[J].IEEE Wireless Communications,2004,11(5):6-12.
[7]R.Tafazolli.Technologies for the Wireless Future[M].New York.NY,USA:John Wiley and Sons.2004.
[8]3GPP TS 33.102 v7.1.0.3G Security;Security architecture[S].Release7(2006-12),2006.
[9]3GPP TS 21.133 v4.1.0.3G Security;Security Threats and Requiements[S].Release4(2002-01),2002.
[10]3GPP TS 35.205 v6.0.0.3G Security;Specification of the MILENAGE Algorithm Set:An example algorithm set for the 3GPP authentication and key generation functions f1,f1~*,f2,f3,f4,f5 and f5~*;Document 1:General[S].Release6(2005-01),2005.
[11]3GPP TS 35.206 v6.0.0.3G Security;Specification of the MILENAGE Algorithm Set:An example algorithm set for the 3GPP authentication and key generation functions f1,f1~*,f2,f3,f4,f5 and f5~*;Document 2:Algorithm specification[S].Release6(2005-01),2005.
[12]3GPP TS 35.207 v6.0.0.3G Security;Specification of the MILENAGE Algorithm Set:An example algorithm set for the 3GPP authentication and key generation functions f1,f1~*,f2,f3,f4,f5 and f5~*;Document 1: Implementors'test data[S].Release6(2005-01),2005.
[13]3GPP TS 35.208 v6.0.0.3G Security;Specification of the MILENAGE Algorithm Set:An example algorithm set for the 3GPP authentication and key generation functions f1,f1~*,f2,f3,f4,f5 and f5~*;Document 1:Design conformance test data[S].Release 6(2005-01),2005.
[14]3GPP TS 35.201 v6.1.0.Specification of the 3GPP confidentiality and integrity algorithms;Document 1;f8 and f9 specifications[S].Release 6(2005-10),2005.
[15]3GPP TS 35.202 v6.1.0.Specification of the 3GPP confidentiality and integrity algorithms;Document 2:Kasumi algorithm specification[S].Release 6(2005-10),2005.
[16]3GPP TS 35.203 v6.0.0.Specification of the 3GPP confidentiality and integrity algorithms;Document 3:Implementors'test data[S].Release 6(2005-01),2005.
[17]3GPP TS 35.204 v6.0.0.Specification of the 3GPP confidentiality and integrity algorithms;Document 1:Design conformance test data[S].Release 6(2005-01),2005.
[18]Grecas C F,Maniafis S I,Venieris I S.Towards the Introducrion of the Asymmetric Cryptography in GSM,GPRS,and UMTS Networks[C].Proceedings of Sixth IEEE Symposium,Computers and Communications,July 2001:15-21.
[19]Koien G M.An introduction to access security in UMTS[J].IEEE Wireless Communications,200411(1):8-18.
[20]Gazis V,Houssos N,Alonistioti A,et al.Evolving Perspectives of 4th Generation Mobile Communication System[C].Proceedings of 13th IEEE Conference on Personal,Indoor and Mobile Radio Communications.Vol 1.Sept 15-18,2002,Coimbra,Protugal.Piscataway,NJ,USA:IEEE,2002:201-207.
[21]Karlich S,Zahariadis T,Zervos N,et al.A Self-Adaptive Service Provisioning Framework for 3G+/4G Mobile Applications[J].IEEE Wireless Communications,2004,11(5):48-56.
[22]Lach H Y,Janneteau C.Network Mobility in Beyond-3G Systems[J].IEEE Wireless Communication,2003,41(2):52-57.
[23]3GPP TS 33.234 V6.8.0.3G Security;Wireless Local Area Network(WLAN)interworking security[S].Release 6(2006-05),2006.
[24]3GPP TS 23.060 v5.12.0.General Packet Radio Service(GPRS)Service description;Stage 2[S].Release5(2006-01),2006.
[25]3GPP TS 23.934 V.6.7.0.3GPP system to Wireless Local Area Network(WLAN)interworking description[S].Released 6(2006-01),2006.
[26]Lee J K,Ryu S R,Yoo K Y.Fingerprint-based remote user authentication scheme using smart cards[J].Electronics Letters.June 2002,38(12):554-555.
[27]Lin C H,Lai Y Y A flexible biometrics remote user authentication scheme[J].Computer Standards & Interfaces,2004,27(1):19-23.
[28]MITCHELL C J,TANG Q.Security of the Lin-Lai smart card based user authentication scheme[EB/OL],http//www.rhul.ac.uk/mathematics/techreports,2005.
[29]Boyd C,Mathuria A.Protocols for Authentication and Key Establishment[M].Berlin:Springer-Verlag,2003.
[30]Hang K,Chang C.A self-encryption mechanism for authentication of roaming and teleconference services[J].IEEE Trans Wireless Commun.2003,2(2):400-407.
[31]Ku W C,Chang S T,Chiang M H.Further cryptanalysis of fingerprint-based remote user authentication scheme using smart cards[J].Electronics Letters.March 2005,41(5):240-241.
[32]Lu R,Cao Z.Efficient remote user authentication scheme using smart card[J].Computers Networks.2005,49(4):535-540
[33]Khan M K,Zhang J.Improving the security of 'a flexible biometrics remote user authentication scheme'[J].Computer Standards & Interfaces.January 2007,29(1):82-85.
[34]3GPP TS 31.102 V813.0 Characteristics of the USIM application[S].Release 1999,(2005-06),2006.
[35]3GPP TS 31.101 V6.5.1 UICC-terminal interface;Physical and logical characteristics[S].Release 6(2006-01),2006.
[36]3GPP TS 51.014 V4.5.0 Specification of the SIM Application Toolkit for the Subscriber Identity Module-Mobile Equipment(SIM-ME)[S].Release 4(2004-12),2004.
[37]李翔.智能卡研发技术与工程实践[M].北京:人民邮电出版社,2003:199-202.
[38]Liaw H T,Lin J F,Wu W C.An efficient and complete remote user authentication scheme using smart cards[J].Mathematical and Computer Modelling.July 2006,44(1-2):223-228.
[39]Khan M K.Further Cryptanalysis of 'A User Friendly Remote User Authentication Scheme with Smart Cards'[C].International Ccnference on Information and Emerging Technologies,6-7 July 2007:1-5.
[40]Jain A K,Hong L,Pankanti S,et al.An identity-authentication system using fingerprints[J].Proceeding of the IEEE.1997,85(9):1365-1388.
[41]李涛,曾英,甄姬娜.一种新的基于动态口令的远程双向认证[J].微计算机信息2007年23(11-3):38-40.
[42]Schneier B著.吴世忠,祝世雄,张文政等译.应用密码学—协议、算法与C 源程序[M].北京:机械工业出版社,2001:334-340.
[43]冯登国,林东岱,吴文玲.欧洲安全算法工程[M].北京:科学出版社,2003:128-149.
[44]张金颖,郑宇,路献辉,等.基于智能卡和指纹的动态口令鉴别方案[J].计算机应用.2005年11月,25(11):2554-2556.
[45]粟栗,王小非,郑明辉,等.基于RSA体制的数字移动通信系统用户认证方案[J].华中科技大学学报(自然科学版).2007年4月,35(4):11-13.