一种基于数字签名的无线局域网(WLAN)安全机制
|
摘要
无线局域网(Wireless Local Area Networks; WLAN)是指采用无线通信技术的计算机局域网。随着无线通信技术的发展,WLAN技术也得到了飞速的发展。采用WLAN,终端能够实现局域网内的移动通信,摆脱了庞杂的网络连线的束缚,极大地方便了终端用户。但由于采用公共的电磁波作为载体,因此WLAN对越权存取和窃听的行为更不容易防范。不可否认的是,安全问题严重的束缚了WLAN的高速和健康发展。为了解决WLAN的安全问题,各个生产厂商先后推出了多种安全解决办法,使WLAN的安全性得到了一定的保障,但是这些安全机制或多或少都存在着一些缺陷和漏洞,有必要进行更新和改进。
本文根据WLAN安全的几个特点和要素,提出了一种新的基于数字签名的WLAN安全机制。本机制很好的解决了无线窃听,身份假冒和纂改数据这三个威胁WLAN安全的重大问题。本机制分为两种模式:1.认证后通信不加密模式:即在CA(Certificate Authority,证书认证机构)的中介下,TER(Terminal,终端)与AP(Access Point,接入点)相互鉴别身份且TER与AP连接成功之后,此后它们间传输的数据不加密。此模式适合安全性要求不高的情况下,比如浏览网页等业务;2.认证后通信非对称加密模式:即在CA的中介下,TER与AP相互鉴别身份且TER与AP连接成功之后,此后它们之间传输数据时用对方的公钥加密。此模式适合安全性要求高的场合。比如网上转帐之类等业务。本机制采用基于RSA公钥体制的数字签名技术和MD5消息散列算法,利用证书来对WLAN系统中的AP和终TER进行认证。同时.定义了一种名为CA的实体,用于管理参与信息交换的各方所需要的证书(包括证书的产生、颁发)。进一步地,为了解决系统中TER并发请求的问题,引进了多级CA的认证机制。
整个安全机制提供了认证鉴别,完整性,不可否认性,加密等服务内容,算法成熟可靠,安全性高,实现简单易行。在文章最后,对机制本身和机制采用的各种算法进行了安全性评估,并给出了本机制的一个应用。
WLAN (Wireless Local Area Networks) is a computer area network which use wireless communication technology. With the popularization of the wireless communication technology, the technique of WLAN get great development. Which makes us get away from the astriction of the numerous and jumbled network line, and gives us great convenience. However, WLAN’s carrier is the public electromagnetic wave, so they are harder to defending the eavesdropping and unauthorized acess. The WLAN’s security is now seriously slowing down the development the WLAN. Manufacturers have published many WLAN security machanisms to solve the security problem. These machanisms guarantee the security of WLAN in some extend. But they also need to be updated and improved because of their bugs and weaknesses
For some main factor of the WLAN’s security, a new WLAN security mechanism based on digital signature is presented in this paper. This mechanism aims at the WLAN’s three threats: wireless eavesdropping, counterfeiting identity and modifying data. This mechanism included two modes: one was certification but non-encryption mode .In this mode, after connecting successfully between TER(Terminal) and AP(Access Point), they started non-encryption communication; the other one was certification and encryption mode, in this case, they started encryption communication.
The mechanism based on RSA public key System and MD5 hash function, and also use the certificate to authenticate the AP and TER in WLAN. Defining a entity which named CA(Certificate Authority). This entity manage the certificate which used for the information exchange (including create, issue, revoke the certificate).
The whole mechanism provided many services such as certification and authentication, integrity, availability, non-repudiation, confidentiality and so on. Algorithm is mature, credible and easy to implement. At the last part of this paper, the mechanism and the algorithm’s security performance was evaluated, also the implement schemes under some conditions was presented.
本文根据WLAN安全的几个特点和要素,提出了一种新的基于数字签名的WLAN安全机制。本机制很好的解决了无线窃听,身份假冒和纂改数据这三个威胁WLAN安全的重大问题。本机制分为两种模式:1.认证后通信不加密模式:即在CA(Certificate Authority,证书认证机构)的中介下,TER(Terminal,终端)与AP(Access Point,接入点)相互鉴别身份且TER与AP连接成功之后,此后它们间传输的数据不加密。此模式适合安全性要求不高的情况下,比如浏览网页等业务;2.认证后通信非对称加密模式:即在CA的中介下,TER与AP相互鉴别身份且TER与AP连接成功之后,此后它们之间传输数据时用对方的公钥加密。此模式适合安全性要求高的场合。比如网上转帐之类等业务。本机制采用基于RSA公钥体制的数字签名技术和MD5消息散列算法,利用证书来对WLAN系统中的AP和终TER进行认证。同时.定义了一种名为CA的实体,用于管理参与信息交换的各方所需要的证书(包括证书的产生、颁发)。进一步地,为了解决系统中TER并发请求的问题,引进了多级CA的认证机制。
整个安全机制提供了认证鉴别,完整性,不可否认性,加密等服务内容,算法成熟可靠,安全性高,实现简单易行。在文章最后,对机制本身和机制采用的各种算法进行了安全性评估,并给出了本机制的一个应用。
WLAN (Wireless Local Area Networks) is a computer area network which use wireless communication technology. With the popularization of the wireless communication technology, the technique of WLAN get great development. Which makes us get away from the astriction of the numerous and jumbled network line, and gives us great convenience. However, WLAN’s carrier is the public electromagnetic wave, so they are harder to defending the eavesdropping and unauthorized acess. The WLAN’s security is now seriously slowing down the development the WLAN. Manufacturers have published many WLAN security machanisms to solve the security problem. These machanisms guarantee the security of WLAN in some extend. But they also need to be updated and improved because of their bugs and weaknesses
For some main factor of the WLAN’s security, a new WLAN security mechanism based on digital signature is presented in this paper. This mechanism aims at the WLAN’s three threats: wireless eavesdropping, counterfeiting identity and modifying data. This mechanism included two modes: one was certification but non-encryption mode .In this mode, after connecting successfully between TER(Terminal) and AP(Access Point), they started non-encryption communication; the other one was certification and encryption mode, in this case, they started encryption communication.
The mechanism based on RSA public key System and MD5 hash function, and also use the certificate to authenticate the AP and TER in WLAN. Defining a entity which named CA(Certificate Authority). This entity manage the certificate which used for the information exchange (including create, issue, revoke the certificate).
The whole mechanism provided many services such as certification and authentication, integrity, availability, non-repudiation, confidentiality and so on. Algorithm is mature, credible and easy to implement. At the last part of this paper, the mechanism and the algorithm’s security performance was evaluated, also the implement schemes under some conditions was presented.
引文
[1]李正豪. WAPI是整个WLAN产业的福音[J].《通信世界》周刊, 2009-7-13, A9
[2] CNW.com.cn.网界知识库:究竟什么是“云”计算?[DB/OL]. http://www.cnw.c om.cn/cnw07/ServerStorage/virtualization/htm2008/20080619_55003.shtml . 2008-6- 19
[3]翁启斌.一种基于数字签名的WLAN无线安全机制[D].四川:四川大学计算机学院. 2004
[4]何秉姣,吴桂华. WLAN核心标准的分析比较[J].中南民族大学学报. 2004, 23(3): 68-71
[5]顾晓亮,郑恒瑞.无线局域网技术标准的比较[J].中国数据通信, 2004, (9): 68-72
[6]杜鹃.通信世界网[DB/OL] http://www.cww.net.cn/3G/html/2009/7/17/2009717 1349366419.htm. 2009-7-17
[7]陈敏编著OPNET网络仿真[M].北京:清华大学出版社, 2005: 10-11
[8]王健,姜楠,刘培玉.两种网络安全协议分析与比较[J].电视技术. 2003, 10: 82-85
[9]严军. NGN网络业务NAT穿透技术探讨[J].通信世界, 2003, (37): 31-32
[10]姜华. NGN组网的安全性分析与安全策略.现代电信科技, 2003, (12): 6-8
[11]曹家琏,尚遵义.网络传输中数据安全及加密技术研究.大连铁道学院学报, 2002, (1): 63-67
[12]赵泽茂.数字签名理论[M].北京:科学出版社, 2007: 4-8
[13]张先红.数字签名原理及技术[M].北京:机械工业出版社, 2004: 15-98
[14]施荣华.基于数字签名的安全存取控制方案[J].软件学报, 2002, 13(5): 1003-06
[15]卿斯汉.安全协议的设计与逻辑分析[J].软件学报, 2003, 14(07): 1300-1309
[16]范红.互联网密钥交换协议及安全性分析[J].软件学报, 2003,14(03): 600-605
[17]王志海,童新海,沈寒辉.OpenSSL与网络信息安全[M].北京:清华大学出版社, 2007-4: 68-80
[18] Harn L. New digital signature scheme based on discrete Logarithm[J]. Electron Letters, 1994, 30(5):396-398
[18] Harn L. Group Oriented(t, n)threshold digital signature scheme and digital multisignature[J]. IEE Computers Digital Techniques, 1994, 141(5): 307-313
[19] Okamoto T. Designated confirmer signatures and public-key encryption are equivalent[A]. In: Desmendt YG, ed. Proceedings of the Advances in Cryptology(CR YPTO’94)[C]. LNCS839, Berlin: Springer-Verlag, 1994. 61-74
[20] Rivest R, Shamir A, Adleman L. A method for obtaining digital signatures and public-key cryptosystems[J]. Communication of the ACM, 1978, 21(2): 120-126
[21] He J, Dawson E. Multistage secret sharing based on one-way function[J]. Electronics letters, 1994, 30(19): 1591-1592
[22] Schoof R. Elliptic Curves Over Finite Fields and Computation of Square Roots modp[J]. Math.Comp. 1985, 44: 483-494
[23] Wong DS, Chan AH. Mutual authentication and key exchange for low power wireless communications[A]. In: Edmonds A, Yenser G, Ferrari G, eds. Proceedings of the IEEE MILCOM 2001 Confereence[C]. Washington DC: IEEE Communication Society, 2001, 39-43
[24]张健红,韦永壮,王育民.基于RSA的多重数字签名[J].通信学报, 2003, 24(8): 150-154
[25]符景云,陈鲁生.一种新的强代理签名方案及强代理多重签名方案[J].南开大学学报, 2006, 39(2): 35-39
[26] Chen X, Zhang F, Kim K. ID-based multi-proxy signature and blind muitisignat ure from bilinear pairings [C]// KIISC’03, Korea, 2003, (8): 17-19
[27]祁明,史国庆.多重盲签名方案及其应用[J].计算机工程与应用, 2001, 13(3): 91-92
[28]李斌,龚少麟,赵泽茂. Schnorr型多重数字签名方案[J].河海大学常州分校学报, 2005, 19(2): 12-15
[30]陈未临.三大运营商齐面手机支付瓶颈:技术标准不一[DB/OL]. http://www.chin anews.com.cn/it/it-txxw/news/2010/02-10/2119018.shtml, 2010-2-10
[2] CNW.com.cn.网界知识库:究竟什么是“云”计算?[DB/OL]. http://www.cnw.c om.cn/cnw07/ServerStorage/virtualization/htm2008/20080619_55003.shtml . 2008-6- 19
[3]翁启斌.一种基于数字签名的WLAN无线安全机制[D].四川:四川大学计算机学院. 2004
[4]何秉姣,吴桂华. WLAN核心标准的分析比较[J].中南民族大学学报. 2004, 23(3): 68-71
[5]顾晓亮,郑恒瑞.无线局域网技术标准的比较[J].中国数据通信, 2004, (9): 68-72
[6]杜鹃.通信世界网[DB/OL] http://www.cww.net.cn/3G/html/2009/7/17/2009717 1349366419.htm. 2009-7-17
[7]陈敏编著OPNET网络仿真[M].北京:清华大学出版社, 2005: 10-11
[8]王健,姜楠,刘培玉.两种网络安全协议分析与比较[J].电视技术. 2003, 10: 82-85
[9]严军. NGN网络业务NAT穿透技术探讨[J].通信世界, 2003, (37): 31-32
[10]姜华. NGN组网的安全性分析与安全策略.现代电信科技, 2003, (12): 6-8
[11]曹家琏,尚遵义.网络传输中数据安全及加密技术研究.大连铁道学院学报, 2002, (1): 63-67
[12]赵泽茂.数字签名理论[M].北京:科学出版社, 2007: 4-8
[13]张先红.数字签名原理及技术[M].北京:机械工业出版社, 2004: 15-98
[14]施荣华.基于数字签名的安全存取控制方案[J].软件学报, 2002, 13(5): 1003-06
[15]卿斯汉.安全协议的设计与逻辑分析[J].软件学报, 2003, 14(07): 1300-1309
[16]范红.互联网密钥交换协议及安全性分析[J].软件学报, 2003,14(03): 600-605
[17]王志海,童新海,沈寒辉.OpenSSL与网络信息安全[M].北京:清华大学出版社, 2007-4: 68-80
[18] Harn L. New digital signature scheme based on discrete Logarithm[J]. Electron Letters, 1994, 30(5):396-398
[18] Harn L. Group Oriented(t, n)threshold digital signature scheme and digital multisignature[J]. IEE Computers Digital Techniques, 1994, 141(5): 307-313
[19] Okamoto T. Designated confirmer signatures and public-key encryption are equivalent[A]. In: Desmendt YG, ed. Proceedings of the Advances in Cryptology(CR YPTO’94)[C]. LNCS839, Berlin: Springer-Verlag, 1994. 61-74
[20] Rivest R, Shamir A, Adleman L. A method for obtaining digital signatures and public-key cryptosystems[J]. Communication of the ACM, 1978, 21(2): 120-126
[21] He J, Dawson E. Multistage secret sharing based on one-way function[J]. Electronics letters, 1994, 30(19): 1591-1592
[22] Schoof R. Elliptic Curves Over Finite Fields and Computation of Square Roots modp[J]. Math.Comp. 1985, 44: 483-494
[23] Wong DS, Chan AH. Mutual authentication and key exchange for low power wireless communications[A]. In: Edmonds A, Yenser G, Ferrari G, eds. Proceedings of the IEEE MILCOM 2001 Confereence[C]. Washington DC: IEEE Communication Society, 2001, 39-43
[24]张健红,韦永壮,王育民.基于RSA的多重数字签名[J].通信学报, 2003, 24(8): 150-154
[25]符景云,陈鲁生.一种新的强代理签名方案及强代理多重签名方案[J].南开大学学报, 2006, 39(2): 35-39
[26] Chen X, Zhang F, Kim K. ID-based multi-proxy signature and blind muitisignat ure from bilinear pairings [C]// KIISC’03, Korea, 2003, (8): 17-19
[27]祁明,史国庆.多重盲签名方案及其应用[J].计算机工程与应用, 2001, 13(3): 91-92
[28]李斌,龚少麟,赵泽茂. Schnorr型多重数字签名方案[J].河海大学常州分校学报, 2005, 19(2): 12-15
[30]陈未临.三大运营商齐面手机支付瓶颈:技术标准不一[DB/OL]. http://www.chin anews.com.cn/it/it-txxw/news/2010/02-10/2119018.shtml, 2010-2-10