Research on a Wireless Mesh Network Authentication System Based on S-WAPI
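Abstract
A wireless mesh network is a new type of multi-hop wireless network. It is flexible to organize, convenient to deploy, high in capacity and robust, and it largely meets present-day application demands. However, information transmission in such a network is open, and in use, security problems such as eavesdropping on data, denial of service and tampering with information have become increasingly prominent. Although the existing 802.11s/i protocols and other routing-based security schemes give wireless mesh networks a degree of protection, they have not thoroughly solved their security problems. In response to the security state of existing networks, China proposed the WAPI security protocol, which meets domestic users' information security needs fairly well, but some aspects still need improvement when WAPI is applied to wireless mesh networks. This thesis studies that problem and develops a centralized authentication test system for wireless mesh networks based on the S-WAPI protocol.
     The thesis first introduces the background of wireless mesh networks, their network structure and related key technologies, and compares them with other wireless networks to show their practical value. Second, it gives a full introduction to the WAPI protocol, analyzes in depth the principles and workflow of its authentication and data confidentiality, and focuses on aspects of WAPI that need improvement, proposing corresponding solutions, for example: adding a digital signature to the authentication process prevents repudiation; having the AP node send the key negotiation request first avoids DoS attacks; confirming the generated key during key negotiation prevents the waste of resources caused by an incorrectly generated key; and suitably optimizing the structure of the digital certificate improves its encoding efficiency. Third, the thesis gives the results of the theoretical analysis and designs the overall framework of an S-WAPI authentication server (AS) that can be used in independent settings, together with its authentication module, encryption and decryption module, and related databases.
     Finally, the thesis develops a centralized authentication test system for wireless mesh networks based on the S-WAPI protocol and runs a number of experiments. In the experiments, the packet capture tool Netfilter was used to obtain the packets exchanged during authentication, and the encrypted and decrypted data were obtained by adding output statements to the program. The experimental results and analysis show that S-WAPI basically resolves the shortcomings of WAPI when applied to wireless mesh networks and achieves the expected goals. The thesis also gives a preliminary discussion of a distributed authentication system scheme based on S-WAPI as a direction for further research.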
WMN, a new type of wireless network, can provide mesh clients with multiple routes and features flexible configuration, convenient deployment, large capacity and good robustness, all of which help meet clients' demands. In application, however, security issues such as wiretapping, DoS and information falsification emerge more and more because of the openness of its data transmission. These problems remain open: existing solutions such as the 802.11s/i protocol and other routing-based schemes protect wireless mesh networks to a degree but do not solve the problems thoroughly. Considering the security condition of networks in our country, the government has put forward the WAPI security protocol, which better meets the public's information security needs, but WAPI still needs to be perfected when applied to wireless mesh networks. To solve this problem, a centralized authentication test system for wireless mesh networks based on S-WAPI is developed.
     In the paper, the background of WMN, its structure and related critical technologies are first introduced, and a comparative analysis with other related networks is done to indicate its value in application. Then WAPI is introduced completely, especially the principle and work flow of authentication and data security, with a focus on diagnosing its shortcomings, and corresponding solutions are formulated: making a digital signature before clients send their data packets prevents repudiation; having the AP node rather than the STA node send the key exchange request first prevents DoS; confirming the key produced in the key negotiation process prevents wasting network resources; and appropriately optimizing the structure of the digital certificate makes encoding and decoding more efficient. After that, the theoretical analysis result is given, and the framework of a certification server based on the S-WAPI protocol, its authentication module, encryption and decryption module, and corresponding database are designed, all of which work well in independent occasions of the lab.
     Finally, a centralized authentication system for wireless mesh networks based on S-WAPI is developed, and some tests are done. In the tests, packets from the authentication process are captured with the help of Netfilter, while encrypted and decrypted data are output by adding output statements to the program. Both the test results and the analysis indicate that S-WAPI basically solves the shortcomings of applying WAPI in wireless mesh networks and achieves the expected goals. Meanwhile, a preliminary distributed authentication system scheme based on S-WAPI is discussed as a direction for future research.
