Research on Security Authentication and Access Control in MANETs
Abstract
MANETs have been developing for many years and much of the related technology is now very mature, but security has remained a bottleneck that hinders their large-scale deployment, and research on access control in MANETs is comparatively scarce. This thesis addresses both areas.
     On security authentication, the thesis partitions the MANET into domains, each security domain performing its own authentication and communication encryption relatively independently. A verifiable secret sharing (VSS) protocol is introduced for key sharing within a local domain, and periodic key updates are performed within the security domain, which effectively defends against mobile adversaries. For node communication security, a verification scheme based on an intra-domain end leader (EL) is applied, effectively preventing spoofing by fake terminals; during communication, messages are encrypted with the counterpart's public key, which effectively protects the confidentiality of the exchange against outside eavesdropping.
     On access control, a role-based access control (RBAC) model is introduced within the security domain on top of identity authentication. With a backup end leader in place, permissions within the security domain are controlled centrally: roles and resources are classified and grouped, users are decoupled from permissions through roles, and the management of internal permissions is separated from that of external permissions, which effectively ensures timely and flexible internal access as well as secure external access.
MANETs have been developing for many years and much of the related technology is now very mature, but security has remained a bottleneck hindering their large-scale application and popularization, and research on access control in MANETs is not abundant. This thesis addresses these two aspects.
     On security identity authentication, the solution divides the MANET into several domains, each security domain conducting its own relatively independent authentication and communication encryption. Secret sharing within the local domain through a Verifiable Secret Sharing (VSS) protocol, together with periodic renewal of the shared secret in the security domain, prevents mobile adversary attacks effectively. For node communication security, a verification scheme based on the end leader (EL) of the domain is applied to prevent false-node deceit effectively. Messages sent during communication are encrypted by the sender with the receiver's public key; in this way the confidentiality of communication is ensured and a possible attacker cannot wiretap it.
     For access control, the RBAC model is imported into the security domain once security identity authentication has completed. First, the EL is backed up; then the solution adopts centralized access control within the security domain: roles and resources are grouped and classified, users and permissions are separated by roles, and the management of access from inside the domain is split from the management of access from outside it. In this way the promptness and flexibility of in-domain access and the security of external access are ensured effectively.
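The intra-domain key sharing and periodic key update described above, worked through as an added example that is not part of the thesis: Feldman VSS lets each node verify the share it receives from the dealer, and a proactive refresh round afterwards means shares captured before the refresh no longer combine with fresh ones, which is the mobile-adversary defence. The group parameters, the dealer role and the 3-of-5 threshold used below are constructed assumptions and far too small for real use.

```python
import secrets

# Constructed toy parameters (far too small for real use): P = 2Q + 1 is a
# safe prime and G = 4 generates the order-Q subgroup of Z_P^*.
P, Q, G = 2039, 1019, 4

def _eval(coeffs, x):
    """Evaluate the polynomial with the given coefficients at x, modulo Q."""
    return sum(a * pow(x, k, Q) for k, a in enumerate(coeffs)) % Q

def deal(secret, t, n, rand=secrets.randbelow):
    """Dealer side of Feldman VSS: (t, n) Shamir shares of `secret` plus the
    public commitments C_k = G^a_k that let every node check its own share."""
    coeffs = [secret % Q] + [rand(Q) for _ in range(t - 1)]
    shares = {i: _eval(coeffs, i) for i in range(1, n + 1)}
    commitments = [pow(G, a, P) for a in coeffs]
    return shares, commitments

def verify_share(i, share, commitments):
    """Node i accepts its share only if G^share == prod_k C_k^(i^k) mod P."""
    expected = 1
    for k, c in enumerate(commitments):
        expected = expected * pow(c, pow(i, k, Q), P) % P
    return pow(G, share, P) == expected

def refresh(shares, commitments, t, rand=secrets.randbelow):
    """Periodic proactive refresh: every node adds a share of a random
    polynomial with zero constant term. The shared domain key is unchanged,
    but shares captured before the refresh no longer combine with fresh ones."""
    zero = [0] + [rand(Q) for _ in range(t - 1)]
    new_shares = {i: (s + _eval(zero, i)) % Q for i, s in shares.items()}
    new_commits = [c * pow(G, a, P) % P for c, a in zip(commitments, zero)]
    return new_shares, new_commits

def reconstruct(subset):
    """Lagrange interpolation at x = 0 from any t shares given as {i: share}."""
    total = 0
    for i, s in subset.items():
        num = den = 1
        for j in subset:
            if j != i:
                num = num * (-j) % Q
                den = den * (i - j) % Q
        total = (total + s * num * pow(den, -1, Q)) % Q
    return total
```

A node that receives a share failing `verify_share` should reject the dealer's round rather than store the share, and after each refresh the old share must be erased so a later compromise of that node yields nothing usable.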