Research on Authentication, Authorization and Accounting in the Mobile Internet
Abstract
With the continued development of Internet technology and mobile communication technology, the Mobile Internet produced by their convergence is gradually taking shape and developing. The Mobile Internet refers to users connecting to the Internet through mobile terminals; its goal is to provide ubiquitous Internet services to users on the move. The Mobile Internet has very broad application prospects, but many problems must still be solved before it can be realized, and authentication, authorization and accounting is one of them.
     AAA refers to Authentication, Authorization and Accounting: the process of verifying a user's identity when the user accesses network services and resources, determining the user's privileges, and charging according to usage. Authentication and authorization ensure that a user's identity cannot be stolen and restrict use by unauthorized users. Accounting is a matter of great concern to users, operators and service providers alike. Secure and convenient AAA will play a major role in the adoption of the Mobile Internet. Compared with traditional AAA, AAA in the Mobile Internet differs in mobility, heterogeneity and security. Mobility means that as a user's location changes, the network access point changes continually, and the user may repeatedly attach to the networks of different operators. Heterogeneity means that the access networks may include WLAN, GSM, UMTS, satellite networks and other forms, which together make up a unified Mobile Internet; as users switch continually between heterogeneous networks, fast and secure AAA becomes necessary. Security means that with the advent of wireless networks, users connect over wireless links whose signals are exposed, making them more vulnerable to eavesdropping, forgery and similar attacks. This places stricter requirements on secure authentication between the user and the network.
     This dissertation focuses on the security-related authentication and authorization problems within Mobile Internet AAA. The main work and contributions are as follows:
     1) Traditional trust models mainly describe trust relationships between entities in static networks and cannot adequately describe trust relationships in the Mobile Internet environment. This dissertation identifies the time-varying and transferable nature of trust in the Mobile Internet and, drawing on existing trust models, gives a description of a trust model for mobile environments together with methods for computing the trust validity period and the trust degree. It also sets out the requirements the Mobile Internet places on an overall trust framework and designs a three-plane authentication framework. The framework uses existing trust mechanisms, integrates them and establishes links between them, with the aim of providing trust-relationship services on the Internet and creating a security basis for interworking between AAA mechanisms.
     2) To address the lack of a secure access protocol for Mobile IPv6 in computer networks, a secure, link-layer-independent access protocol and system named SECCESS (Secure Access), which requires no modification of the IPv6 protocol, is designed for secure Mobile IPv6 access in computer networks. It comprises the overall architecture for secure Mobile IPv6 access; a three-phase security authentication protocol between the mobile node and the access server; a formal proof of the security protocol; and the design and implementation of a prototype of the protocol.
     3) The convergence of mobile communication and wireless network technologies is a research hotspot. Existing wireless network technologies each have their own characteristics, and by combining WLAN, 3G and other technologies, ubiquitous network access can be provided to users. This requires the AAA of the various networks to be joined together to provide a unified, interoperable AAA mechanism. To address the excessive delay and reduced efficiency caused by cross-domain authentication during heterogeneous network convergence, this dissertation
With the development of the Internet and mobile communication, the Mobile Internet is progressing very fast. Users can access the Mobile Internet via mobile terminals and obtain Internet services everywhere. The prospects of the Mobile Internet are very promising. To achieve the goals of the Mobile Internet, many problems remain to be solved, and AAA (Authentication, Authorization and Accounting) is one of them.
     Authentication is the verification of the identity of a subject performing an action. Authorization is the verification of whether a subject is allowed to perform an action on an object, e.g., access to or use of some object. Accounting is the collection and aggregation of information (accounting records) about a customer's service utilization. AAA is very important for users, service providers and operators. AAA in the Mobile Internet differs from traditional AAA in the aspects of mobility, heterogeneity and security. Mobility means that a user may change access point and operator from time to time. Heterogeneity means that the Mobile Internet comprises various wireless networks, such as WLAN, GSM, UMTS and satellite networks. Security means that the security demands on Mobile Internet AAA are much higher, since the radio interface is open and therefore easier to attack.
     Authentication and authorization issues are studied in this dissertation. The main contributions are as follows:
     1) Traditional trust models are not adequate to describe trust relationships in the Mobile Internet. New problems, including time-limited trust and trust transfer, are discussed in this dissertation. New methods for trust model description, trust value calculation and trust period calculation are introduced. For the Mobile Internet, a three-plane authentication framework is designed, which utilizes current trust mechanisms and provides a guarantee for the interworking of different AAA systems.
     2) For the Mobile IPv6 protocol, a secure access system named SECCESS is designed. SECCESS has advantages such as link-layer independence and no modification of the IPv6 protocol stack. It is suitable for wired as well as wireless computer networks. The correctness of the protocol is analyzed with the AUTLOG authentication logic.
     3) The integration of mobile communication and wireless networks is important for a unified Mobile Internet. Current AAA mechanisms for such integration have large latency due to inter-domain AAA messages. A hierarchical AAA architecture is created to reduce this latency, and a Diameter HAA protocol is designed to facilitate the integration of WLAN and 3G networks.
     4) After the user has accessed the network, service-oriented AAA is also needed. With the
