Research and Design of an Authentication Security Infrastructure for Wireless LANs
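Abstract
Wireless local area networks (WLANs) are flexible to install and convenient to use, and are therefore widely deployed in enterprises, offices, homes, airports, hospitals, and special environments such as emergency and disaster relief. At the same time, the open wireless transmission medium brings many security problems to WLAN applications: data is more easily eavesdropped on, intercepted or tampered with, and wireless devices are more exposed to attacks such as denial of service and impersonation.
     To address the security problems facing WLANs, this thesis analyzes the network characteristics and security requirements of WLANs in detail, and on that basis summarizes and classifies the security threats they face. It systematically analyzes the security architectures of the two latest WLAN security standards, IEEE 802.11i and WAPI, and points out the security weaknesses or defects of each. These weaknesses include inefficient entity authentication, incomplete key negotiation protocols, the large computational resources required of the core devices AP/AS, and protocol designs that are vulnerable to denial-of-service attacks and so leave the security architecture with poor availability. The analysis shows that 802.11i suffers from loss of authentication properties under improper configuration, a reflection attack on key negotiation, and susceptibility to denial-of-service attacks; and that WAPI cannot truly authenticate the STA, has an incomplete key negotiation protocol, and is susceptible to denial-of-service attacks. Targeted improvement schemes or deployment strategies are proposed for both standards to improve their security, availability or efficiency in use. Analysis and comparison demonstrate the effectiveness of these improvements, which provide guidance for deploying WLANs based on the 802.11i or WAPI standards.
     Building on the analysis of the security problems in these two standards, a new efficient WLAN authentication infrastructure (EWAI) is proposed. Three protocol components are designed: a fast entity authentication protocol (IAKN), a three-way handshake key negotiation protocol (3WAY), and a multicast key distribution protocol (GK). A key usage hierarchy is also defined. IAKN constructs entity authentication tokens using one-way hash chains, achieving "explicit" authentication of the STA, the principal entity to be authenticated in a WLAN, "at the earliest moment", and completing mutual authentication and initial key negotiation among the STA, AS and AP. IAKN uses fewer protocol exchanges and messages and requires no digital signature operations. Analysis and comparison show that the proposed authentication architecture has better security properties (multi-factor entity authentication, effective resistance to denial-of-service attacks) and execution efficiency than 802.11i and WAPI. The 3WAY protocol uses one fewer exchange than 802.11i, provides source authentication, integrity protection and key confirmation for every protocol message, and performs key refresh more securely. The GK protocol achieves key confirmation. The analysis shows that EWAI remedies the security defects and shortcomings of 802.11i and WAPI, with better security and higher efficiency. The correctness of the proposed protocols is also verified using BAN logic.
     The security of the proposed architecture EWAI is proved comprehensively using the Protocol Composition Logic (PCL) proposed by Datta et al. in 2004. The PCL system is extended for the cryptographic primitives used by EWAI, and the authentication and key secrecy properties of the IAKN, 3WAY and GK protocols are each proved, showing that they correctly achieve their security design goals. The compositional security of EWAI is proved: the security environment parameters for sequential composition of the EWAI protocol components and the conditions that guarantee the protocols' security properties are defined, and the environmental requirements for EWAI to run securely and concurrently with other protocols are described.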
Because of its flexibility and convenience, the Wireless Local Area Network (WLAN) is widely used in corporations, offices, airports, hospitals and homes, and in special environments such as emergency response. However, the open wireless transmission medium introduces security vulnerabilities into WLANs: data is easily eavesdropped on, intercepted and modified, and denial-of-service and masquerading attacks are easily mounted.
    To solve these security problems, the network features and security needs of WLANs are analyzed, and the vulnerabilities are summarized and classified. The infrastructures of the two main standards, IEEE 802.11i and WAPI, are analyzed systematically and their vulnerabilities and shortcomings are pointed out. These include inefficient authentication, resource-costly computation, and DoS attacks arising from the design of the protocols, all of which affect the availability of the WLAN. In 802.11i, the authentication property can be lost if the configuration is deployed incorrectly, and the key negotiation protocol is open to reflection attacks. In WAPI, the STA is not authenticated by the AS and the key negotiation protocol is incomplete. Furthermore, DoS attacks are easily mounted against both standards. To solve these problems, improved schemes and methods are proposed that could improve the security, availability and computational efficiency of 802.11i or WAPI.
    Based on the analysis of the two standards and using the one-way hash chain technique, a novel and efficient WLAN authentication infrastructure (EWAI) is proposed and its protocol components are designed, including an initial authentication protocol (IAKN), a 3-way key negotiation protocol (3WAY) and group key distribution (GK). The implementation architecture of keys is presented. In IAKN, no signature algorithm is needed; the AS authenticates the STA at the earliest moment using fewer handshakes and fewer messages in the protocol flows, and the mutual authentication of STA, AP and AS and the initial key negotiation are completed. Compared with 802.11i and WAPI, the proposed infrastructure EWAI has better security properties (multi-factor entity authentication and effective defense against DoS) and efficiency. The proposed IAKN protocol is reasoned about using BAN logic and its correctness is proved. The other proposed protocol, 3WAY, not only removes one protocol flow but also achieves source authentication and integrity protection for every flow and refreshes keys in a more secure manner.
    The Protocol Composition Logic (PCL) is introduced and extended, which is used to
