以代理簽章為基礎的異質網路認證機制

Abstract

無線網路相較於傳統有線網路具備了架設容易、高度可擴充性、使用便利性等特質，在使用者市場的高度需求下，近年來各類無線網路技術快速發展，如：GPRS (General Packet Radio Service)、3G network、Bluetooth、IEEE 802.11…等，然而每一種無線網路技術皆有其優缺點及適用的情境 － GPRS及3G network的訊號覆蓋率較廣，但其傳輸速度較低 (384 Kbps)；反之，雖然IEEE 802.11的訊號覆蓋率較小，卻提供了較高的傳輸速度 (54 Mbps)。因此，有效整合各類無線網路技術，在不同的情境下提供最適合使用者需求的網路服務，將是無線網路持續發展的一個重要趨勢 [4][5]。 本論文中，以3GPP (3rd Generation Partnership Project)所規範的異質網路整合架構及情境為基礎 [1]，透過「公開金鑰密碼系統」 [14][15]、「單向雜湊鏈」 [11][12]及「代理簽章」 [13]等技術，提出一套在整合3G及IEEE 802.11的異質網路環境下的認證機制。該機制除可達到原有EAP-AKA所提供的認證服務，並進一步改善序號 (SQN, Sequence Number)重新同步及認證向量 (Authentication Vector)可能被破解的問題。此外，透過單向雜湊鏈的特性，提升當移動終端機 (Mobile Station)與HSS / HLR兩者間距離很遠時的認證效率。 相較於其他認證機制，本機制加強了使用者身分隱私性 (identity privacy)及完整雙方認證 (complete mutual authentication)等能力，並簡化目前的訊息交換量。比起以「公開金鑰密碼系統」[14][15]為基礎的認證機制，移動終端機的運算負載及相對的金鑰管理複雜度也較低。不可否認性 (Non-repudiation)也涵蓋在本機制之中，用以提供未來公平帳務機制的建立。 此外，針對惡意網路使用者的各類攻擊，本機制也具備良好的防禦功能，以減少資訊外洩的可能性。

In comparison with traditional wired network, it has characteristics such as easy deployment, high scalability, and ease of use, etc, in wireless network. Under high demand of end-user, a variety of wireless technologies, e.g. GPRS (General Packet Radio Service), 3G network, Bluetooth, IEEE 802.11, etc, develop rapidly in recent years. Nevertheless, each wireless technology has its pros & cons and suitable situation. For example, GPRS and 3G network have a large coverage but they only provide services with transmission rate from 144Kbps to 2Mbps. On the contrary, IEEE 802.11 provides higher transmission rate though it has limited (only hot spot) coverage. As a result, it’s an important trend to integrate various wireless technologies to provide end users best network selection based on his / her service needs [4][5]. In this thesis, under the definition of 3GPP (3rd Generation Partnership Project) [1], we propose an authentication protocol in heterogeneous (3G-WLAN) networks using techniques like public-key cryptosystems [14][15], one-way hash chain [11][12], and proxy-signature [13]. It not only provides authentication services as EAP-AKA but also improves the issues of SQN resynchronization and possible Authentication Vector compromise. Also, the characteristic of one-way hash chain value is utilized to provide fast re-authentication to enhance the authentication efficiency of EAP-AKA while the MS is far away from HLR / HSS. In comparison with other proposed authentication protocols, we have enhanced the capabilities such as identity (IMSI) privacy, complete mutual authentication, and decreased the amount of exchange messages during authentication. The computational load of MS and the complexity of key management are much lower while compared with Public-key based authentication protocols. The non-repudiation property is included to provide fair billing mechanism in the future. Besides, our proposed protocol has stronger capabilities to withstand various attack patterns to decrease the possibility of information disclosure.