CN106507355A - PMIPv6 authentication system and method based on identity-based proxy signature - Google Patents

Publication number: CN106507355A
Authority: CN (China)
Legal status: Granted
Application number: CN201611114302.7A
Other languages: Chinese (zh)
Other versions: CN106507355B (en)
Inventors: 高天寒, 邓新洋, 耿芳华, 郭楠
Current assignee: Northeastern University China
Original assignee: Northeastern University China

Classifications

    • H04W12/06 Authentication
    • H04L63/0869 Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, involving digital signatures
    • H04L9/3273 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, using challenge-response for mutual authentication
    • H04W12/08 Access security

Abstract

The present invention provides a PMIPv6 authentication system and method based on identity-based proxy signatures. The system includes a third-party trust center STR, a local mobility anchor LMA and a mobile access gateway MAG. In the method, the STR generates and publishes the public parameters; all entities in the current network register with the STR and obtain their own public/private key pairs; and the state of the mobile node MN in each PMIPv6 domain is monitored: if the MN is in the initial state, the initial authentication for the first access of the mobile node MN to a PMIPv6 domain is executed; if the MN is moving within the same PMIPv6 domain, execute; if the MN is moving between different PMIPv6 domains, execute. The invention applies the identity-based proxy signature scheme to the mobility management of the PMIPv6 protocol. Based on local authentication, it ensures that both parties can independently complete decryption or signature verification without considering the identity of the other party, reduces the load on the STR and the LMA, reduces the waiting time of the MN, and can resist multiple attacks.

Description

PMIPv6 authentication system and method based on identity-based proxy signature
Technical field
The invention belongs to the technical field of network security, and in particular relates to a PMIPv6 authentication system and method based on identity-based proxy signatures.
Background
With the continuous development of mobile terminals, demand for wireless network services keeps growing. To meet the demand for convenient and fast network connection anytime and anywhere, the industry pays increasing attention to research on wireless network technology, and MIPv6 is undoubtedly an important technology in wireless network research. PMIPv6 networks have become a research hotspot because of their shorter signaling delay and smaller signaling overhead. In the face of threats such as hijacking attacks, replay attacks, password guessing, man-in-the-middle attacks, eavesdropping attacks, masquerading and denial of service, wide application of PMIPv6, the network-based localized mobility management protocol, is impossible unless its security can be ensured.
In recent years, scholars have carried out a large amount of research on the PMIPv6 access authentication problem and have successively put forward their own security schemes. The document "Implementation of authentication and authorization in the PMIPv6 environment" proposes a mobile IPSec access authentication scheme. The method registers the MN with the agent by means of multi-level authentication and digitally signed certificates using a unified identifier UID, and at the time of registration creates MIPSec/SA and SAH/SA from the MN to the agent, where the created SAH/SA is used to prevent leakage of multi-level security network information. Both methods are implemented by modifying IKEv2. The advantage of the protocol is that it can resist the threats brought by the openness of the wireless link and has very high security and effectiveness, but its efficiency is comparatively low. The document "SPAM: A secure password authentication mechanism for seamless handover in proxy mobile IPv6 networks" proposes a secure password authentication mechanism that uses a smart card to store the relevant information. The mechanism is more advantageous in terms of security and efficiency, but because the smart card itself has security problems, it still has relatively large security vulnerabilities. The document "The Kerberos network authentication service (V5)" proposes an authentication service aimed at distributed environments: by providing an ID and password once, authorization can be obtained from a distributed server to access multiple services. The basis for applying Kerberos in PMIPv6 is to use the MAG as the server. It is assumed here that the ticket server and the AS are the same entity. However, if the mechanism is not restructured, the MAG is just an independent server. Therefore, when the MN changes its access point, the MN must provide the authorization for the network service. It can be seen that the above authentication schemes have defects of varying degrees in aspects such as authentication delay and the security of the access procedure, and cannot well meet the demand of the WMN for secure and efficient access authentication.
Summary of the invention
In view of the shortcomings of the prior art, the present invention provides a PMIPv6 authentication system and method based on identity-based proxy signatures.
The technical scheme is as follows:
A PMIPv6 authentication system based on identity-based proxy signatures, including:
Third-party trust center STR: generates and publishes the public parameters, checks the identities of the entities in its PMIPv6 domains, issues private keys and certificates, maintains the public keys of all honest entities in its network, and delegates its signing right to proxy signers;
Local mobility anchor LMA: connected to the third-party trust center STR and to the mobile access gateways MAG; establishes bidirectional tunnels to forward packets and, as a proxy signer of the third-party trust center STR, provides registration and authentication services for the mobile access gateways MAG;
Mobile access gateway MAG: monitors the movement state of the mobile node MN, and performs mutual authentication with the mobile node MN using the certificate issued by the local mobility anchor LMA, ensuring secure communication between the local mobility anchor LMA and the mobile node MN.
The method of performing PMIPv6 authentication using the described system includes:
Step 1: The third-party trust center STR generates and publishes the public parameters;
Step 2: All entities in the current network register with the third-party trust center STR and obtain their own public/private key pairs. The third-party trust center STR signs the ID_MN of the mobile node and the validity period and issues the result to the mobile node MN as a certificate. The local mobility anchor LMA obtains the proxy signing right from the third-party trust center STR, signs the proxy signature authorization certificate, the ID_STR of the third-party trust center STR, its own ID_LMA and the ID_MAG of the mobile access gateway MAG, and issues the result to the corresponding MAG as a certificate;
Step 3: Monitor the state of the mobile node MN in each PMIPv6 domain: if the mobile node MN is in the initial state, that is, the state in which the mobile node MN accesses a PMIPv6 domain for the first time, execute step 4; if the mobile node MN is moving within the same PMIPv6 domain, execute step 5; if the mobile node MN is moving between different PMIPv6 domains, execute step 6;
Step 4: Execute the initial authentication for the first access of the mobile node MN to a PMIPv6 domain;
Step 5: The currently connected mobile access gateway MAG sends the shared key between itself and the mobile node MN to the mobile access gateway MAG to be accessed in the same PMIPv6 domain, and executes;
Step 6: The local mobility anchor LMA in the currently connected domain sends the shared key between itself and the mobile node MN to the local mobility anchor LMA in the other PMIPv6 domain to be accessed, and executes.
Step 4 includes:
Step 4.1: The mobile node MN uses its own private key SK_MN to produce, over the certificate Cert_STR-MN obtained from the third-party trust center STR, the timestamp TS_1 and the ID_MN of the mobile node MN, a signature Sign_MN containing the session key agreement parameter σ_MN_2, and sends the signature Sign_MN, the certificate Cert_STR-MN, the timestamp TS_1 and the ID_MN of the mobile node MN together to the mobile access gateway MAG1 it is preparing to access;
Step 4.2: The mobile access gateway MAG1 verifies the timestamp TS_1 sent by the mobile node MN: if the timestamp TS_1 is fresh, execute step 4.3; otherwise the mobile access gateway MAG1 rejects the access request of the mobile node MN;
Step 4.3: The mobile access gateway MAG1 verifies the signature Sign_MN and the certificate Cert_STR-MN sent by the mobile node MN: if they are valid, execute step 4.4; otherwise the mobile access gateway MAG1 rejects the access request of the mobile node MN;
Step 4.4: The mobile access gateway MAG1 uses its own private key SK_MAG1 to produce, over the certificate Cert_LMA1-MAG1 obtained from the local mobility anchor LMA1 to which it is connected, its own timestamp TS_2, the ID_LMA1 of that local mobility anchor LMA1 and its own ID, a signature containing the session key agreement parameter σ_MAG1_2, and sends this signature, the certificate Cert_LMA1-MAG, the timestamp TS_2, the ID_LMA1 of the local mobility anchor LMA1 and its own ID back to the mobile node MN. At the same time, using its own private key SK_MAG1 and the session key agreement parameter contained in the signature Sign_MN sent by the mobile node MN, it computes the shared key K_MAG1-MN and the session key SEK_MAG1-MN between the mobile access gateway MAG1 and the mobile node MN;
Step 4.5: The mobile node MN verifies the timestamp TS_2 sent by the mobile access gateway MAG1: if the timestamp TS_2 is fresh, execute step 4.6; otherwise the mobile node MN stops the access request;
Step 4.6: The mobile node MN verifies the signature and the certificate Cert_LMA1-MAG sent back by the mobile access gateway MAG1: if they are valid, execute step 4.7; otherwise the mobile node MN stops the access request;
Step 4.7: The mobile node MN uses its own private key SK_MN and the session key agreement parameter contained in the signature sent by the mobile access gateway MAG1 to compute the shared key K_MAG1-MN and the session key SEK_MAG1-MN between the mobile node MN and the mobile access gateway MAG1, completing the initial access authentication;
Step 4.8: After the initial authentication between the mobile node MN and the mobile access gateway MAG1 is completed, the mobile access gateway MAG1 sends the session key agreement parameter σ_MN_2 obtained from the mobile node MN, together with the binding update message (PBU), to the local mobility anchor LMA1. After receiving it, the local mobility anchor LMA uses the DH key exchange algorithm: the value computed from its own private key and this session key agreement parameter is hashed with the one-way hash function H_3 to obtain the shared key K_LMA1-MN between the local mobility anchor LMA and the mobile node MN, which is then stored.
Step 5 includes:
Step 5.1: The mobile node MN first generates the corresponding session key agreement parameter σ_MN_2 according to the DH key exchange algorithm. Then, using the shared key K_MAG1-MN between the currently connected mobile access gateway MAG1 and the mobile node MN, it signs its own ID_MN, the ID_MAG1 of the currently connected mobile access gateway MAG1, the session key agreement parameter σ_MN_2 and the timestamp TS_3 to produce the signature Sign_MN, and sends the signature Sign_MN, the timestamp TS_3, the ID_MAG1 of the currently connected mobile access gateway MAG1 and the session key agreement parameter σ_MN_2 of the mobile node MN together to the mobile access gateway MAG2 to be accessed in the same PMIPv6 domain;
Step 5.2: The mobile access gateway MAG2 to be accessed verifies the timestamp TS_3 sent by the mobile node MN: if the timestamp TS_3 is fresh, execute step 5.3; otherwise the mobile access gateway MAG2 to be accessed rejects the access request of the mobile node MN;
Step 5.3: The mobile access gateway MAG2 to be accessed verifies the validity of the signature Sign_MN sent by the mobile node MN: if it is valid, execute step 5.4; otherwise the mobile access gateway MAG2 to be accessed rejects the access request of the mobile node MN;
Step 5.4: The mobile access gateway MAG2 to be accessed first generates the corresponding session key agreement parameter σ_MAG2_2 according to the DH key exchange algorithm. Then, using the shared key K_MAG1-MN between the currently connected mobile access gateway MAG1 and the mobile node MN, it signs the ID_MAG2 of the mobile access gateway MAG2 to be accessed, the session key agreement parameter σ_MAG2_2 and the timestamp TS_4, and sends the session key agreement parameter σ_MAG2_2, the ID_MAG2 of the mobile access gateway MAG2 to be accessed, the timestamp TS_4 and the signature Sign_MN together to the mobile node MN. It also uses the session key agreement parameter σ_MN_2 obtained from the mobile node MN to compute the new shared key K_MAG2-MN and the session key SEK_MAG2-MN between the mobile access gateway MAG2 to be accessed and the mobile node MN;
Step 5.5: The mobile node MN verifies the timestamp TS_4 sent by the mobile access gateway MAG2 to be accessed: if the timestamp TS_4 is fresh, execute step 5.6; otherwise the mobile node MN stops the access request;
Step 5.6: The mobile node MN verifies the validity of the signature Sign_MN sent by the mobile access gateway MAG2 to be accessed: if it is valid, execute step 5.7; otherwise the mobile node MN stops the access request;
Step 5.7: The mobile node MN computes the shared key K_MAG2-MN and the session key SEK_MAG2-MN between the mobile access gateway MAG2 to be accessed and the mobile node MN, completing the handover authentication within the PMIPv6 domain.
Step 6 includes:
Step 6.1: The local mobility anchor LMA1 forwards the shared key K_LMA1-MN between itself and the mobile node MN, via the service level agreement SLA, to the local mobility anchor LMA2 in the PMIPv6 domain that the mobile node MN is to access. Meanwhile, the mobile node MN obtains, through the mobile access gateway MAG1, the key agreement parameter of the local mobility anchor LMA1 in the currently connected PMIPv6 domain, and hashes the value computed from this key agreement parameter and the private key of the mobile node MN to obtain the shared key K_LMA1-MN between the mobile node MN and the local mobility anchor LMA1;
Step 6.2: Using the shared key K_LMA1-MN between the local mobility anchor LMA1 in the currently accessed PMIPv6 domain and the mobile node MN, the mobile node MN signs its own ID_MN, the ID_MAG2 of the currently accessed mobile access gateway MAG2, the ID_LMA1 of the local mobility anchor LMA1 to which the currently accessed mobile access gateway MAG2 is connected, the session key agreement parameter σ_MN_2 and the timestamp TS_5 to produce the signature Sign_MN. It sends the signature Sign_MN, its own ID_MN, the ID_MAG2 of the currently accessed mobile access gateway MAG2, the ID_LMA1 of the local mobility anchor LMA1 to which the currently accessed mobile access gateway MAG2 is connected, the timestamp TS_5 and the session key agreement parameter σ_MN_2 of the mobile node MN together to the mobile access gateway MAG3 in the other PMIPv6 domain to be accessed;
Step 6.3: The mobile access gateway MAG3 in the other PMIPv6 domain to be accessed verifies the timestamp TS_5 sent by the mobile node MN: if the timestamp TS_5 is fresh, execute step 6.3; otherwise the mobile access gateway MAG3 in the other PMIPv6 domain to be accessed rejects the access request of the mobile node MN;
Step 6.4: The mobile access gateway MAG3 in the other PMIPv6 domain to be accessed verifies the validity of the signature Sign_MN sent by the mobile node MN: if it is valid, execute step 6.4; otherwise the mobile access gateway MAG3 in the other PMIPv6 domain to be accessed rejects the access request of the mobile node MN;
Step 6.5: The mobile access gateway MAG3 in the other PMIPv6 domain to be accessed first generates the corresponding session key agreement parameter σ_MAG3_2 according to the DH key exchange algorithm. It then requests and obtains, from the local mobility anchor LMA2 in its own PMIPv6 domain, the shared key K_LMA1-MN between the mobile node MN and the currently connected local mobility anchor LMA1, and uses this shared key K_LMA1-MN to sign the ID_MAG3 of the mobile access gateway MAG3 in the other PMIPv6 domain to be accessed, the ID_LMA2 of the local mobility anchor LMA2 in the PMIPv6 domain of the mobile access gateway MAG3, the session key agreement parameter σ_MAG3_2 and the timestamp TS_6, producing the signature Sign_MAG3. It sends the session key agreement parameter σ_MAG3_2 of the mobile access gateway MAG3 in the other PMIPv6 domain to be accessed, the timestamp TS_6, the ID_MAG3 of the mobile access gateway MAG3, the ID_LMA2 of the local mobility anchor LMA2 to which the mobile access gateway MAG3 is connected and the signature Sign_MAG3 together to the mobile node MN. Finally, it uses the session key agreement parameter obtained from the mobile node MN to compute the new shared key K_MAG3-MN and the session key SEK_MAG3-MN between the mobile access gateway MAG3 in the other PMIPv6 domain to be accessed and the mobile node MN;
Step 6.6: The mobile node MN verifies the timestamp TS_6 sent by the mobile access gateway MAG to be accessed: if the timestamp TS_6 is fresh, execute step 6.6; otherwise the mobile node MN stops the access request;
Step 6.7: The mobile node MN verifies the validity of the signature Sign_MAG3 sent by the mobile access gateway MAG to be accessed: if it is valid, execute step 6.7; otherwise the mobile node MN stops the access request;
Step 6.8: The mobile node MN computes the shared key K_MAG3-MN and the session key SEK_MAG3-MN between the mobile access gateway MAG3 in the other PMIPv6 domain to be accessed and the mobile node MN, completing the handover authentication between PMIPv6 domains.
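The handover exchange of steps 5.1 to 5.7 can be sketched as follows; this is an added example, not code from the patent, and the step 6 exchange has the same shape with the shared key held by the local mobility anchor in place of the one held by MAG1. It shows the order of the checks (timestamp first, then signature) and how both sides arrive at the same new keys. Assumptions: HMAC-SHA256 stands in for the shared-key signature, SHA-256 for the hash of the DH value, a modular group over the Mersenne prime 2^521 - 1 for the key agreement group, and the 5-second freshness window, the session key derivation and the replay cache are choices made for this sketch.

```python
import hashlib
import hmac
import secrets
import struct

# Stand-in DH group (assumption): Mersenne prime 2**521 - 1 with base 3.
# A deployment would use the group fixed in the published public parameters.
P = 2**521 - 1
G = 3
FRESHNESS_WINDOW = 5  # seconds; assumed, the text only requires "fresh"


def encode(*fields):
    """Length-prefix each field so adjacent fields cannot be re-split."""
    out = b""
    for field in fields:
        raw = field if isinstance(field, bytes) else str(field).encode()
        out += struct.pack(">I", len(raw)) + raw
    return out


def tag(key, *fields):
    """Shared-key signature, here HMAC-SHA256 over the encoded fields."""
    return hmac.new(key, encode(*fields), hashlib.sha256).digest()


def dh_keypair():
    """Return (secret exponent, session key agreement parameter sigma)."""
    secret = secrets.randbelow(P - 3) + 2
    return secret, pow(G, secret, P)


def derive_keys(secret, peer_sigma, id_mag, id_mn):
    """Hash the DH value into a new shared key K, then a session key SEK."""
    if not 1 < peer_sigma < P - 1:
        raise PermissionError("degenerate key agreement parameter")
    dh_value = pow(peer_sigma, secret, P).to_bytes(66, "big")
    k = hashlib.sha256(encode(b"K", id_mag, id_mn, dh_value)).digest()
    sek = hashlib.sha256(encode(b"SEK", k)).digest()  # assumed derivation
    return k, sek


def check_fresh(ts, now):
    if abs(now - ts) > FRESHNESS_WINDOW:
        raise PermissionError("stale timestamp")


def mn_request(key, id_mn, id_mag1, now):
    """Step 5.1: MN signs ID_MN, ID_MAG1, sigma_MN_2, TS_3 with the old key."""
    secret, sigma = dh_keypair()
    msg = {"id_mag1": id_mag1, "sigma": sigma, "ts": now,
           "sign": tag(key, id_mn, id_mag1, sigma, now)}
    return secret, msg


def mag2_handle(context, id_mag2, msg, now, seen):
    """Steps 5.2-5.4 at MAG2; context is (ID_MN, key) forwarded by MAG1."""
    id_mn, key = context
    check_fresh(msg["ts"], now)                                   # 5.2
    expected = tag(key, id_mn, msg["id_mag1"], msg["sigma"], msg["ts"])
    if not hmac.compare_digest(expected, msg["sign"]):            # 5.3
        raise PermissionError("bad signature")
    if msg["sign"] in seen:  # added: reject replays inside the window
        raise PermissionError("replayed request")
    seen.add(msg["sign"])
    secret, sigma = dh_keypair()                                  # 5.4
    reply = {"id_mag2": id_mag2, "sigma": sigma, "ts": now,
             "sign": tag(key, id_mag2, sigma, now)}
    k, sek = derive_keys(secret, msg["sigma"], id_mag2, id_mn)
    return reply, k, sek


def mn_finish(key, id_mn, secret, reply, now):
    """Steps 5.5-5.7 at MN: check the reply, then derive the new keys."""
    check_fresh(reply["ts"], now)                                 # 5.5
    expected = tag(key, reply["id_mag2"], reply["sigma"], reply["ts"])
    if not hmac.compare_digest(expected, reply["sign"]):          # 5.6
        raise PermissionError("bad signature")
    return derive_keys(secret, reply["sigma"], reply["id_mag2"], id_mn)  # 5.7


def run_handover():
    """Constructed run: returns True when both sides hold the same new keys."""
    old_key = secrets.token_bytes(32)  # stands for the key from step 4
    secret, msg = mn_request(old_key, "MN", "MAG1", now=1000)
    reply, k_gw, sek_gw = mag2_handle(("MN", old_key), "MAG2", msg, 1001, set())
    k_mn, sek_mn = mn_finish(old_key, "MN", secret, reply, 1002)
    return k_gw == k_mn and sek_gw == sek_mn and k_mn != old_key


if __name__ == "__main__":
    print("handover keys agree:", run_handover())
```

Because the timestamp and the key agreement parameter are both inside the signed fields, altering either one in transit fails the signature check rather than the freshness check.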
Beneficial effects:
The invention applies the identity-based proxy signature scheme to the mobility management process of the PMIPv6 protocol. Based on local authentication, it ensures that both parties can independently complete decryption or signature verification without considering the identity of the other party. The hierarchical design of the authentication architecture and the negotiation of shared keys reduce the load on the STR and the LMA, reduce the waiting time of the MN, and improve overall authentication efficiency. At the same time, the use of multiple signature and key agreement schemes enables the scheme to resist multiple attacks, effectively ensuring its security.
Brief description of the drawings
Fig. 1 is the architecture diagram of the PMIPv6 authentication system based on identity-based proxy signatures in the specific embodiment of the invention;
Fig. 2 is a schematic diagram of the initial access authentication process in the specific embodiment of the invention;
Fig. 3 is a schematic diagram of the intra-domain access authentication process in the specific embodiment of the invention;
Fig. 4 is a schematic diagram of the inter-domain access authentication process in the specific embodiment of the invention.
Detailed description
The specific embodiment of the present invention is described in detail below with reference to the accompanying drawings.
This embodiment applies the PMIPv6 authentication system and method based on identity-based proxy signatures to the access authentication stage of PMIPv6 networks. While realizing user access authentication, it fully protects the security and efficiency of the authentication process; during handover authentication, the use of symmetric keys ensures the efficiency of the handover authentication process. The PMIPv6 access authentication system based on identity-based proxy signatures includes: a third-party trust center STR; several PMIPv6 domains, each containing one local mobility anchor LMA (Local Mobility Anchor, LMA) and several mobile access gateways MAG (Mobile Access Gateway, MAG); and several mobile nodes MN that move within a PMIPv6 domain or between different PMIPv6 domains.
In the PMIPv6 authentication system based on identity-based proxy signatures shown in Fig. 1, the third-party trust center STR is connected through the network to two local mobility anchors LMA1 and LMA2. The local mobility anchor LMA1 connects two mobile access gateways MAG1 and MAG2, the local mobility anchor LMA2 connects the mobile access gateway MAG3, and the mobile node MN is currently connected to the mobile access gateway MAG1. The local mobility anchors LMA1 and LMA2 act as proxy signers of the third-party trust center STR and sign in its place.
The architecture of the whole system is divided into four layers. The first layer is the third-party trust center, the system root of trust (System-Trusted Root, STR). All entities in the network trust the third-party trust center STR by default, and the third-party trust center STR, as the original signer, can grant its signing right to the proxy signers, that is, the two local mobility anchors LMA1 and LMA2. The second layer is the two local mobility anchors LMA1 and LMA2. They are equivalent to the home agent of PMIPv6, are responsible for managing the binding state of the mobile node MN, and establish bidirectional tunnels to forward packets; they are also set as proxy signers to sign on behalf of the third-party trust center STR and to provide the corresponding registration and authentication services for the mobile node MN of the third layer. The third layer is the mobile access gateways MAG1, MAG2 and MAG3, which are responsible for monitoring the movement state of the mobile node MN and performing mobility management in place of the mobile node, while performing mutual authentication with the mobile node over the wireless link to ensure that only legitimate mobile nodes access the network. The fourth layer is several mobile nodes (Mobility Node, MN), which are mobile and can roam between the home network (for example, the network for which the local mobility anchor LMA1 is responsible) and a foreign network (for example, the network for which the local mobility anchor LMA2 is responsible), and can also hand over between different mobile access gateways MAG (MAG1, MAG2, MAG3). During movement, the mobile node MN performs two-way authentication with each newly accessed mobile access gateway MAG to ensure the security and reliability of both authenticating parties.
For convenience of the subsequent description, the identifiers and descriptions shown in Table 1 are given.
Table 1: Related identifiers and descriptions
Third-party trust center STR: generates and publishes the public parameters, checks the identities of the entities in its PMIPv6 domains, issues private keys and certificates, maintains the public keys of all honest entities in its network, and delegates its signing right to proxy signers;
Local mobility anchor LMA: connected to the third-party trust center STR and to the mobile access gateways MAG; establishes bidirectional tunnels to forward packets and, as a proxy signer of the third-party trust center STR, provides registration and authentication services for the mobile access gateways MAG;
Mobile access gateway MAG: monitors the movement state of the mobile node MN, and performs mutual authentication with the mobile node MN using the certificate issued by the local mobility anchor LMA, ensuring secure communication between the local mobility anchor LMA and the mobile node MN.
Mobile node MN: the mobile node entity in the PMIPv6 protocol, which roams between the home network and foreign networks or hands over between different mobile access gateways MAG. During movement, the mobile node MN performs two-way authentication with each newly accessed mobile access gateway MAG to ensure the security and reliability of both authenticating parties.
This embodiment uses the identity-based proxy signature scheme proposed by Wu W, Mu Y, Susilo W et al., referred to as the WMS scheme. The HMAC message digest algorithm also takes part in the mutual authentication between entities in the present invention. Sign_MN is verified as a standard signature.
The method of performing PMIPv6 authentication using the described system includes:
Step 1: The third-party trust center STR generates and publishes the public parameters;
First, an additive cyclic group G_1 and a multiplicative cyclic group G_T, both of order q, and a bilinear map e: G_1 × G_1 → G_T are selected;
Next, a generator P ∈ G_1 and a random key are selected
Then, the public key P_pub = sP of the third-party trust center STR is computed, and the private key of the third-party trust center STR is generated and stored, where is the positive integers in the range 1 to q-1;
In addition, three one-way hash functions from the character set {0,1} to the additive cyclic group G_1 are selected, H_0: {0,1}* → G_1, H_1: {0,1}* → G_1 and H_2: {0,1}* → G_1, together with a one-way hash function from the character set {0,1} to the character set {0,1}, H_3: {0,1}* → {0,1}*;
Finally, the generated public parameters are Para = {G_1, G_T, q, e, P, P_pub, H_0, H_1, H_2, H_3}.
Step 2: All entities in the current network register with the third-party trust center STR and obtain their own public/private key pairs. The third-party trust center STR signs the ID_MN of the mobile node and the validity period and issues the result to the mobile node MN as a certificate. The local mobility anchor LMA obtains the proxy signing right from the third-party trust center STR, signs the proxy signature authorization certificate, the ID_STR of the third-party trust center STR, its own ID_LMA and the ID_MAG of the mobile access gateway MAG, and issues the result to the corresponding MAG as a certificate;
The mobile node MN registers directly with the third-party trust center STR and obtains its own public key PK_MN, private key SK_MN and certificate Cert_STR-MN.
Multiple mobile access gateways MAG under the same local mobility anchor LMA apply collectively, via the local mobility anchor LMA, for registration with the third-party trust center STR. The third-party trust center STR grants the proxy signing right to the local mobility anchor LMA and forwards the private keys SK_MAG and public keys PK_MAG of the local mobility anchor LMA and its multiple mobile access gateways MAG to the local mobility anchor LMA. After receiving the message, the local mobility anchor LMA generates, on behalf of the third-party trust center STR, the respective certificate Cert_LMA-MAG for each mobile access gateway MAG, and hands it, together with the private key SK_MAG of the mobile access gateway MAG, to the corresponding mobile access gateway MAG through a secure tunnel.
Step 3: Monitor the state of the mobile node MN in each PMIPv6 domain: if the mobile node MN is in the initial state, that is, the state in which the mobile node MN accesses a PMIPv6 domain for the first time, execute step 4; if the mobile node MN is moving within the same PMIPv6 domain, execute step 5; if the mobile node MN is moving between different PMIPv6 domains, execute step 6;
The movement state within the same PMIPv6 domain is the state in which the MN moves between different mobile access gateways MAG under the same local mobility anchor LMA. The movement state between different PMIPv6 domains is the state in which the MN moves between different mobile access gateways MAG under different local mobility anchors LMA.
Step 4: Perform the initial authentication of the mobile node MN accessing a PMIPv6 domain for the first time;
Taking as an example the mobile node MN accessing mobile access gateway MAG1 in a PMIPv6 domain for the first time, Step 4, as shown in Fig. 2, includes:
Step 4.1: Using its own private key SK_MN, the mobile node MN signs the certificate Cert_STR-MN obtained from the third-party trust center STR, the timestamp TS_1 and its own ID_MN, producing a signature Sign_MN that contains the session key agreement parameter σ_MN_2: Sign_MN = Sign_WMS_SK_MN{Cert_STR-MN, ID_MN, TS_1}. It sends the signature Sign_MN, the certificate Cert_STR-MN, the timestamp TS_1 and its ID_MN together to the mobile access gateway MAG1 it is preparing to access;
Step 4.2: Mobile access gateway MAG1 verifies the timestamp TS_1 sent by the mobile node MN: if TS_1 is fresh, execute Step 4.3; otherwise mobile access gateway MAG1 rejects the access request of the mobile node MN;
Step 4.3: Mobile access gateway MAG1 verifies the signature Sign_MN and the certificate Cert_STR-MN sent by the mobile node MN: if they are valid, execute Step 4.4; otherwise mobile access gateway MAG1 rejects the access request of the mobile node MN;
Step 4.4: Using its own private key SK_MAG1, mobile access gateway MAG1 signs the certificate Cert_LMA1-MAG1 obtained from the local mobility anchor LMA1 to which it is connected, its own timestamp TS_2, the ID_LMA1 of that local mobility anchor LMA1 and its own ID, producing a signature that contains the session key agreement parameter σ_MAG1_2. It sends this signature, the certificate Cert_LMA1-MAG, the timestamp TS_2, the ID_LMA1 of local mobility anchor LMA1 and the ID of mobile access gateway MAG1 back to the mobile node MN. At the same time, using its own private key SK_MAG1 and the session key agreement parameter σ_MN_2 contained in the signature Sign_MN sent by the mobile node MN, mobile access gateway MAG1 computes the shared key K_MAG1-MN and the session key SEK_MAG1-MN between itself and the mobile node MN;
The shared key K_MAG1-MN is obtained, following the DH key exchange algorithm, by computing a secret value from the session key agreement parameter of the mobile node MN and the gateway's own private key, and then applying the one-way hash function H_3 to that secret value. The shared key K_MAG1-MN is used in Step 5 for mutual authentication between the mobile node MN and the mobile access gateway MAG to be accessed in the same PMIPv6 domain. The session key SEK_MAG1-MN is obtained, following the DH key exchange algorithm, by concatenating the generated secret value with the timestamp and applying the one-way hash function H_3. Once authentication is complete, the session key SEK_MAG1-MN serves as the encryption key for messages exchanged between the mobile node MN and the current mobile access gateway MAG;
Step 4.5: The mobile node MN verifies the timestamp TS_2 sent by mobile access gateway MAG1: if TS_2 is fresh, execute Step 4.6; otherwise the mobile node MN aborts the access request;
Step 4.6: The mobile node MN verifies the signature and the certificate Cert_LMA1-MAG sent back by mobile access gateway MAG1: if they are valid, execute Step 4.7; otherwise the mobile node MN aborts the access request;
Step 4.7: Using its own private key SK_MN and the session key agreement parameter σ_MAG1_2 contained in the signature sent by mobile access gateway MAG1, the mobile node MN computes the shared key K_MAG1-MN and the session key SEK_MAG1-MN between the mobile node MN and mobile access gateway MAG1, completing initial access authentication;
Step 4.8: After initial authentication between the mobile node MN and mobile access gateway MAG1 is complete, mobile access gateway MAG1 sends the session key agreement parameter σ_MN_2 obtained from the mobile node MN to the local mobility anchor LMA1 together with the binding update message (PBU). On receiving it, the local mobility anchor LMA, following the DH key exchange algorithm, computes a value from its own private key and this session key agreement parameter, hashes that value with the one-way hash function H_3 to obtain the shared key K_LMA1-MN between the local mobility anchor LMA and the mobile node MN, and stores it.
Step 5: The currently connected mobile access gateway MAG sends the shared key between itself and the mobile node MN to the mobile access gateway MAG to be accessed in the same PMIPv6 domain, and executes;
Taking as an example the mobile node MN switching from mobile access gateway MAG1 to mobile access gateway MAG2 within the currently accessed PMIPv6 domain, Step 5, as shown in Fig. 3, includes:
Step 5.1: The mobile node MN first generates the corresponding session key agreement parameter σ_MN_2 according to the DH key exchange algorithm. Then, using the shared key K_MAG1-MN between the currently connected mobile access gateway MAG1 and the mobile node MN, it signs its own ID_MN, the ID_MAG1 of the currently connected mobile access gateway MAG1, the session key agreement parameter σ_MN_2 and the timestamp TS_3: Sign_MN = Sign_HMAC_K_MAG1-MN{ID_MN, ID_MAG1, TS_3, σ_MN_2}. It sends this signature Sign_MN, the timestamp TS_3, the ID_MAG1 of the currently connected mobile access gateway MAG1 and the session key agreement parameter σ_MN_2 of the mobile node MN together to the mobile access gateway MAG2 to be accessed in the same PMIPv6 domain;
Step 5.2: The mobile access gateway MAG2 to be accessed verifies the timestamp TS_3 sent by the mobile node MN: if TS_3 is fresh, execute Step 5.3; otherwise the mobile access gateway MAG2 to be accessed rejects the access request of the mobile node MN;
Step 5.3: The mobile access gateway MAG2 to be accessed verifies the validity of the signature Sign_MN sent by the mobile node MN: if it is valid, execute Step 5.4; otherwise the mobile access gateway MAG2 to be accessed rejects the access request of the mobile node MN;
Step 5.4: The mobile access gateway MAG2 to be accessed first generates the corresponding session key agreement parameter σ_MAG2_2 according to the DH key exchange algorithm. Then, using the shared key K_MAG1-MN between the currently connected mobile access gateway MAG1 and the mobile node MN, it signs its own ID_MAG2, the session key agreement parameter σ_MAG2_2 and the timestamp TS_4: Sign_MN = Sign_HMAC_K_MAG1-MN{ID_MAG2, TS_4, σ_MAG2_2}. It sends its session key agreement parameter σ_MAG2_2, its ID_MAG2, the timestamp TS_4 and the signature Sign_MN together to the mobile node MN. Using the session key agreement parameter σ_MN_2 obtained from the mobile node MN, it computes the new shared key K_MAG2-MN and the session key SEK_MAG2-MN between the mobile access gateway MAG2 to be accessed and the mobile node MN;
Step 5.5: The mobile node MN verifies the timestamp TS_4 sent by the mobile access gateway MAG2 to be accessed: if TS_4 is fresh, execute Step 5.6; otherwise the mobile node MN aborts the access request;
Step 5.6: The mobile node MN verifies the validity of the signature Sign_MN sent by the mobile access gateway MAG2 to be accessed: if it is valid, execute Step 5.7; otherwise the mobile node MN aborts the access request;
Step 5.7: The mobile node MN computes the shared key K_MAG2-MN and the session key SEK_MAG2-MN between the mobile access gateway MAG2 to be accessed and the mobile node MN, completing handover authentication within the PMIPv6 domain. At this point, mutual authentication between the mobile node MN and the mobile access gateway MAG2 to be accessed is complete, both parties hold the shared key and the session key, and the mobile node MN and mobile access gateway MAG2 can exchange messages protected with the session key.
Step 6: The currently connected mobile access gateway MAG sends the shared key between itself and the mobile node MN to the mobile access gateway MAG to be accessed in another PMIPv6 domain, and executes;
Taking as an example the mobile node MN switching from mobile access gateway MAG2 in the currently accessed PMIPv6 domain to mobile access gateway MAG3 in another PMIPv6 domain, Step 6, as shown in Fig. 4, includes:
Step 6.1: Local mobility anchor LMA1 forwards the shared key K_LMA1-MN between itself and the mobile node MN, obtained in Step 4.8, via the service-level agreement SLA to the local mobility anchor LMA2 in the PMIPv6 domain that the mobile node MN is about to access. At the same time, the mobile node MN obtains, through mobile access gateway MAG1, the key agreement parameter of the local mobility anchor LMA1 in the currently connected PMIPv6 domain; following the DH key exchange algorithm, it computes a value from this key agreement parameter and its own private key and hashes that value with the one-way hash function H_3 to obtain the shared key K_LMA2-MN between the mobile node MN and the local mobility anchor LMA2;
Step 6.2: Using the shared key K_LMA1-MN between the local mobility anchor LMA1 in the currently accessed PMIPv6 domain and the mobile node MN, the mobile node MN signs its own ID_MN, the ID_MAG2 of the currently accessed mobile access gateway MAG2, the ID_LMA1 of the local mobility anchor LMA1 to which that gateway is connected, the session key agreement parameter σ_MN_2 and the timestamp TS_5: Sign_MN = Sign_HMAC_K_MAG1-MN{ID_MN, ID_MAG2, ID_LMA1, TS_5, σ_MN_2}. It sends this signature Sign_MN, its own ID_MN, the ID_MAG2 of the currently accessed mobile access gateway MAG2, the ID_LMA1 of the local mobility anchor LMA1 to which that gateway is connected, the timestamp TS_5 and its session key agreement parameter σ_MN_2 together to the mobile access gateway MAG3 in the other PMIPv6 domain to be accessed;
Step 6.3: The mobile access gateway MAG3 in the other PMIPv6 domain to be accessed verifies the timestamp TS_5 sent by the mobile node MN: if TS_5 is fresh, execute Step 6.3; otherwise the mobile access gateway MAG3 in the other PMIPv6 domain to be accessed rejects the access request of the mobile node MN;
Step 6.4: The mobile access gateway MAG3 in the other PMIPv6 domain to be accessed verifies the validity of the signature Sign_MN sent by the mobile node MN: if it is valid, execute Step 6.4; otherwise the mobile access gateway MAG3 in the other PMIPv6 domain to be accessed rejects the access request of the mobile node MN;
Step 6.5: The mobile access gateway MAG3 in the other PMIPv6 domain to be accessed first generates the corresponding session key agreement parameter σ_MAG3_2 according to the DH key exchange algorithm. It then requests and obtains, from the local mobility anchor LMA2 in its own PMIPv6 domain, the shared key K_LMA1-MN between the mobile node MN and the local mobility anchor LMA1 to which the mobile node MN is connected, and uses this shared key K_LMA1-MN to sign its own ID_MAG3, the ID_LMA2 of the local mobility anchor LMA2 in its PMIPv6 domain, the session key agreement parameter σ_MAG3_2 and the timestamp TS_6: Sign_MAG3 = Sign_HMAC_K_LMA1-MN{ID_LMA2, ID_MAG3, TS_6, σ_MAG3_2}. Using the session key agreement parameter obtained from the mobile node MN, it computes the new K_MAG3-MN and the session key SEK_MAG3-MN between the mobile access gateway MAG3 in the other PMIPv6 domain to be accessed and the mobile node MN. It sends its session key agreement parameter σ_MAG3_2, the timestamp TS_6, its ID_MAG3, the ID_LMA2 of the local mobility anchor LMA2 to which it is connected and the signature Sign_MAG3 together to the mobile node MN;
Step 6.6: The mobile node MN verifies the timestamp TS_6 sent by the mobile access gateway MAG to be accessed: if TS_6 is fresh, execute Step 6.6; otherwise the mobile node MN aborts the access request;
Step 6.7: The mobile node MN verifies the validity of the signature Sign_MAG3 sent by the mobile access gateway MAG to be accessed: if it is valid, execute Step 6.7; otherwise the mobile node MN aborts the access request;
Step 6.8: The mobile node MN computes the shared key K_MAG3-MN and the session key SEK_MAG3-MN between the mobile access gateway MAG3 in the other PMIPv6 domain to be accessed and the mobile node MN, completing handover authentication between PMIPv6 domains.
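
The Step 5 handover exchange can be sketched as below, with both sides' messages and the rejection paths; the Step 6 exchange has the same shape, keyed with K_LMA1-MN and with the anchor IDs added to the signed fields. This is an added illustration, not code from the patent: the DH group, SHA-256 standing in for H_3, HMAC-SHA-256, the field encoding, the 5-second freshness window, the use of TS_4 in the session key and all function names are assumptions.

```python
import hashlib
import hmac
import secrets

# Assumptions for this sketch (none of these values is specified on the page):
#  - finite-field DH in a demonstration group (p = 2^521 - 1, g = 3); a real
#    deployment would use a vetted, standardised group or curve
#  - H_3 = SHA-256, the keyed "signature" = HMAC-SHA-256
#  - length-prefixed field encoding and a 5-second freshness window
#  - the session key binds the responder's timestamp (TS_4)
P = 2**521 - 1
G = 3
WINDOW_MS = 5_000
REQ_FIELDS = ("id_mn", "id_mag_old", "ts", "sigma")   # signed in Step 5.1
REP_FIELDS = ("id_mag_new", "ts", "sigma")            # signed in Step 5.4


class AuthError(Exception):
    """Raised when a message fails the freshness or signature check."""


def _enc(field) -> bytes:
    # Length-prefix every field so adjacent fields cannot be re-split.
    if isinstance(field, int):
        field = field.to_bytes((field.bit_length() + 7) // 8 or 1, "big")
    return len(field).to_bytes(4, "big") + field


def h3(*fields) -> bytes:
    return hashlib.sha256(b"".join(_enc(f) for f in fields)).digest()


def mac(key: bytes, *fields) -> bytes:
    return hmac.new(key, b"".join(_enc(f) for f in fields), hashlib.sha256).digest()


def dh_keypair():
    x = secrets.randbelow(P - 3) + 2          # private exponent in [2, P-2]
    return x, pow(G, x, P)                    # (private, agreement parameter)


def _check(key, msg, signed_fields, now_ms):
    if abs(now_ms - msg["ts"]) > WINDOW_MS:   # Steps 5.2 / 5.5
        raise AuthError("stale timestamp")
    sigma = msg["sigma"]
    if not isinstance(sigma, int) or not 2 <= sigma <= P - 2:
        raise AuthError("degenerate DH value")   # added hardening, not on the page
    expected = mac(key, *(msg[f] for f in signed_fields))
    if not hmac.compare_digest(expected, msg["sig"]):   # Steps 5.3 / 5.6
        raise AuthError("bad signature")


def _derive(secret: int, ts: int):
    # K = H_3(secret); SEK = H_3(secret || timestamp)
    return h3(secret), h3(secret, ts)


def mn_request(k_old, id_mn, id_mag_old, now_ms):
    """Step 5.1: MN builds the handover request under K_MAG1-MN."""
    x, sigma = dh_keypair()
    msg = {"id_mn": id_mn, "id_mag_old": id_mag_old, "ts": now_ms, "sigma": sigma}
    msg["sig"] = mac(k_old, *(msg[f] for f in REQ_FIELDS))
    return x, msg


def mag_respond(k_old, id_mag_new, req, now_ms):
    """Steps 5.2-5.4: MAG2 checks the request, replies, derives new keys."""
    _check(k_old, req, REQ_FIELDS, now_ms)
    y, sigma = dh_keypair()
    rep = {"id_mag_new": id_mag_new, "ts": now_ms, "sigma": sigma}
    rep["sig"] = mac(k_old, *(rep[f] for f in REP_FIELDS))
    k_new, sek = _derive(pow(req["sigma"], y, P), rep["ts"])
    return rep, k_new, sek


def mn_finish(k_old, x, rep, now_ms):
    """Steps 5.5-5.7: MN checks the reply and derives the same keys."""
    _check(k_old, rep, REP_FIELDS, now_ms)
    return _derive(pow(rep["sigma"], x, P), rep["ts"])


def demo():
    k_old = h3(b"constructed K_MAG1-MN")      # constructed stand-in for the Step 4 key
    t0 = 1_700_000_000_000                    # constructed clock value, milliseconds
    x, req = mn_request(k_old, b"MN", b"MAG1", t0)
    rep, k_mag, sek_mag = mag_respond(k_old, b"MAG2", req, t0 + 20)
    k_mn, sek_mn = mn_finish(k_old, x, rep, t0 + 40)

    def verdict(*args):
        try:
            mag_respond(*args)
            return "accepted"
        except AuthError as err:
            return str(err)

    return {
        "keys_match": (k_mn, sek_mn) == (k_mag, sek_mag),
        "replayed": verdict(k_old, b"MAG2", req, t0 + 60_000),
        "tampered": verdict(k_old, b"MAG2", dict(req, sigma=req["sigma"] ^ 1), t0 + 20),
        "wrong_key": verdict(h3(b"other"), b"MAG2", req, t0 + 20),
    }


if __name__ == "__main__":
    print(demo())
```

Because both handover messages are authenticated only by the old shared key, any party holding K_MAG1-MN (here MAG1 as well as MAG2) can produce either message; the fresh DH parameters are what make K_MAG2-MN and SEK_MAG2-MN new.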

Claims (5)

1. An identity-based proxy-signature PMIPv6 authentication system, characterized in that it comprises:
Third-party trust center STR: generates and publishes the public parameters, vets the identities of entities in its PMIPv6 domain, issues private keys and certificates, maintains the public keys of all honest entities in its network, and delegates its signing rights to the proxy signer;
Local mobility anchor LMA: connected to the third-party trust center STR and to the mobile access gateways MAG respectively; establishes bidirectional tunnels to forward packets and, as the proxy signer of the third-party trust center STR, provides registration and authentication services for the mobile access gateways MAG;
Mobile access gateway MAG: monitors the movement state of the mobile node MN and performs mutual authentication with the mobile node MN using the certificate issued by the local mobility anchor LMA, ensuring secure communication between the local mobility anchor LMA and the mobile node MN.
2. A method for PMIPv6 authentication using the system of claim 1, characterized in that it comprises:
Step 1: The third-party trust center STR generates and publishes the public parameters;
Step 2: All entities in the current network register with the third-party trust center STR and obtain their own public/private key pairs; the third-party trust center STR signs the mobile node's ID_MN together with a validity period and issues the result to the mobile node MN as its certificate; the local mobility anchor LMA obtains proxy-signing rights from the third-party trust center STR; the local mobility anchor LMA signs the proxy-signing authorization certificate, the ID_STR of the third-party trust center STR, its own ID_LMA and the ID_MAG of the mobile access gateway MAG, and issues the result to the corresponding MAG as its certificate;
Step 3: Monitor the state of the mobile node MN in each PMIPv6 domain: if the mobile node MN is in the initial state, i.e. the state in which it accesses a PMIPv6 domain for the first time, execute Step 4; if the mobile node MN is moving within the same PMIPv6 domain, execute Step 5; if the mobile node MN is moving between different PMIPv6 domains, execute Step 6;
Step 4: Perform the initial authentication of the mobile node MN accessing a PMIPv6 domain for the first time;
Step 5: The currently connected mobile access gateway MAG sends the shared key between itself and the mobile node MN to the mobile access gateway MAG to be accessed in the same PMIPv6 domain, and executes;
Step 6: The local mobility anchor LMA in the currently connected PMIPv6 domain sends the shared key between itself and the mobile node MN to the local mobility anchor LMA in the other PMIPv6 domain to be accessed, and executes.
3. The method according to claim 2, characterized in that Step 4 includes:
Step 4.1: Using its own private key SK_MN, the mobile node MN signs the certificate Cert_STR-MN obtained from the third-party trust center STR, the timestamp TS_1 and its own ID_MN, producing a signature Sign_MN that contains the session key agreement parameter σ_MN_2, and sends the signature Sign_MN, the certificate Cert_STR-MN, the timestamp TS_1 and its ID_MN together to the mobile access gateway MAG1 it is preparing to access;
Step 4.2: Mobile access gateway MAG1 verifies the timestamp TS_1 sent by the mobile node MN: if TS_1 is fresh, execute Step 4.3; otherwise mobile access gateway MAG1 rejects the access request of the mobile node MN;
Step 4.3: Mobile access gateway MAG1 verifies the signature Sign_MN and the certificate Cert_STR-MN sent by the mobile node MN: if they are valid, execute Step 4.4; otherwise mobile access gateway MAG1 rejects the access request of the mobile node MN;
Step 4.4: Using its own private key SK_MAG1, mobile access gateway MAG1 signs the certificate Cert_LMA1-MAG1 obtained from the local mobility anchor LMA1 to which it is connected, its own timestamp TS_2, the ID_LMA1 of that local mobility anchor LMA1 and its own ID_MAG1, producing a signature that contains the session key agreement parameter σ_MAG1_2; it sends this signature, the certificate Cert_LMA1-MAG, the timestamp TS_2, the ID_LMA1 of local mobility anchor LMA1 and the ID of mobile access gateway MAG1 back to the mobile node MN; at the same time, using its own private key SK_MAG1 and the session key agreement parameter contained in the signature Sign_MN sent by the mobile node MN, it computes the shared key K_MAG1-MN and the session key SEK_MAG1-MN between mobile access gateway MAG1 and the mobile node MN;
Step 4.5: The mobile node MN verifies the timestamp TS_2 sent by mobile access gateway MAG1: if TS_2 is fresh, execute Step 4.6; otherwise the mobile node MN aborts the access request;
Step 4.6: The mobile node MN verifies the signature and the certificate Cert_LMA1-MAG sent back by mobile access gateway MAG1: if they are valid, execute Step 4.7; otherwise the mobile node MN aborts the access request;
Step 4.7: Using its own private key SK_MN and the session key agreement parameter contained in the signature sent by mobile access gateway MAG1, the mobile node MN computes the shared key K_MAG1-MN and the session key SEK_MAG1-MN between the mobile node MN and mobile access gateway MAG1, completing initial access authentication;
Step 4.8: After initial authentication between the mobile node MN and mobile access gateway MAG1 is complete, mobile access gateway MAG1 sends the session key agreement parameter σ_MN_2 obtained from the mobile node MN to the local mobility anchor LMA1 together with the binding update message (PBU); on receiving it, the local mobility anchor LMA, following the DH key exchange algorithm, computes a value from its own private key and this session key agreement parameter, hashes that value with the one-way hash function H_3 to obtain the shared key K_LMA1-MN between the local mobility anchor LMA and the mobile node MN, and stores it.
4. The method according to claim 2, characterized in that Step 5 includes:
Step 5.1: The mobile node MN first generates the corresponding session key agreement parameter σ_MN_2 according to the DH key exchange algorithm; then, using the shared key K_MAG1-MN between the currently connected mobile access gateway MAG1 and the mobile node MN, it signs its own ID_MN, the ID_MAG1 of the currently connected mobile access gateway MAG1, the session key agreement parameter σ_MN_2 and the timestamp TS_3, producing the signature Sign_MN; it sends the signature Sign_MN, the timestamp TS_3, the ID_MAG1 of the currently connected mobile access gateway MAG1, the ID_MN of the mobile node MN and the session key agreement parameter σ_MN_2 of the mobile node MN together to the mobile access gateway MAG2 to be accessed in the same PMIPv6 domain;
Step 5.2: The mobile access gateway MAG2 to be accessed verifies the timestamp TS_3 sent by the mobile node MN: if TS_3 is fresh, execute Step 5.3; otherwise the mobile access gateway MAG2 to be accessed rejects the access request of the mobile node MN;
Step 5.3: The mobile access gateway MAG2 to be accessed verifies the validity of the signature Sign_MN sent by the mobile node MN: if it is valid, execute Step 5.4; otherwise the mobile access gateway MAG2 to be accessed rejects the access request of the mobile node MN;
Step 5.4: The mobile access gateway MAG2 to be accessed first generates the corresponding session key agreement parameter σ_MAG2_2 according to the DH key exchange algorithm; then, using the shared key K_MAG1-MN between the currently connected mobile access gateway MAG1 and the mobile node MN, it signs its own ID_MAG2, the timestamp TS_4 and the session key agreement parameter σ_MAG2_2, and sends its session key agreement parameter σ_MAG2_2, its ID_MAG2, the timestamp TS_4 and the signature Sign_MN together to the mobile node MN; using the session key agreement parameter σ_MN_2 obtained from the mobile node MN, it computes the new shared key K_MAG2-MN and the session key SEK_MAG2-MN between the mobile access gateway MAG2 to be accessed and the mobile node MN;
Step 5.5: The mobile node MN verifies the timestamp TS_4 sent by the mobile access gateway MAG2 to be accessed: if TS_4 is fresh, execute Step 5.6; otherwise the mobile node MN aborts the access request;
Step 5.6: The mobile node MN verifies the validity of the signature Sign_MN sent by the mobile access gateway MAG2 to be accessed: if it is valid, execute Step 5.7; otherwise the mobile node MN aborts the access request;
Step 5.7: The mobile node MN computes the shared key K_MAG2-MN and the session key SEK_MAG2-MN between the mobile access gateway MAG2 to be accessed and the mobile node MN, completing handover authentication within the PMIPv6 domain.
5. The method according to claim 2, characterized in that Step 6 includes:
Step 6.1: Local mobility anchor LMA1 forwards the shared key K_LMA1-MN between itself and the mobile node MN, via the service-level agreement SLA, to the local mobility anchor LMA2 in the PMIPv6 domain that the mobile node MN is about to access; at the same time, the mobile node MN obtains, through mobile access gateway MAG1, the key agreement parameter of the local mobility anchor LMA1 in the currently connected PMIPv6 domain, and hashes the value computed from this key agreement parameter and its own private key to obtain the shared key K_LMA1-MN between the mobile node MN and the local mobility anchor LMA1;
Step 6.2: Using the shared key K_LMA1-MN between the local mobility anchor LMA1 in the currently accessed PMIPv6 domain and the mobile node MN, the mobile node MN signs its own ID_MN, the ID_MAG2 of the currently accessed mobile access gateway MAG2, the ID_LMA1 of the local mobility anchor LMA1 to which that gateway is connected, the session key agreement parameter σ_MN_2 and the timestamp TS_5, producing the signature Sign_MN; it sends the signature Sign_MN, its own ID_MN, the ID_MAG2 of the currently accessed mobile access gateway MAG2, the ID_LMA1 of the local mobility anchor LMA1 to which that gateway is connected, the timestamp TS_5 and its session key agreement parameter σ_MN_2 together to the mobile access gateway MAG3 in the other PMIPv6 domain to be accessed;
Step 6.3: The mobile access gateway MAG3 in the other PMIPv6 domain to be accessed verifies the timestamp TS_5 sent by the mobile node MN: if TS_5 is fresh, execute Step 6.3; otherwise the mobile access gateway MAG3 in the other PMIPv6 domain to be accessed rejects the access request of the mobile node MN;
Step 6.4: The mobile access gateway MAG3 in the other PMIPv6 domain to be accessed verifies the validity of the signature Sign_MN sent by the mobile node MN: if it is valid, execute Step 6.4; otherwise the mobile access gateway MAG3 in the other PMIPv6 domain to be accessed rejects the access request of the mobile node MN;
Step 6.5: The mobile access gateway MAG3 in the other PMIPv6 domain to be accessed first generates the corresponding session key agreement parameter σ_MAG3_2 according to the DH key exchange algorithm; it then requests and obtains, from the local mobility anchor LMA2 in its own PMIPv6 domain, the shared key K_LMA1-MN between the mobile node MN and the local mobility anchor LMA1 to which the mobile node MN is connected, and uses this shared key K_LMA1-MN to sign its own ID_MAG3, the ID_LMA2 of the local mobility anchor LMA2 in its PMIPv6 domain, the session key agreement parameter σ_MAG3_2 and the timestamp TS_6, producing the signature Sign_MAG3; it sends its session key agreement parameter σ_MAG3_2, the timestamp TS_6, its ID_MAG3, the ID_LMA2 of the local mobility anchor LMA2 to which it is connected and the signature Sign_MAG3 together to the mobile node MN; finally, using the session key agreement parameter obtained from the mobile node MN, it computes the new K_MAG3-MN and the session key SEK_MAG3-MN between the mobile access gateway MAG3 in the other PMIPv6 domain to be accessed and the mobile node MN;
Step 6.6: The mobile node MN verifies the timestamp TS_6 sent by the mobile access gateway MAG to be accessed: if TS_6 is fresh, execute Step 6.6; otherwise the mobile node MN aborts the access request;
Step 6.7: The mobile node MN verifies the validity of the signature Sign_MAG3 sent by the mobile access gateway MAG to be accessed: if it is valid, execute Step 6.7; otherwise the mobile node MN aborts the access request;
Step 6.8: The mobile node MN computes the shared key K_MAG3-MN and the session key SEK_MAG3-MN between the mobile access gateway MAG3 in the other PMIPv6 domain to be accessed and the mobile node MN, completing handover authentication between PMIPv6 domains.
CN201611114302.7A 2016-12-07 2016-12-07 A kind of the PMIPv6 Verification System and method of identity-based allograph Active CN106507355B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611114302.7A CN106507355B (en) 2016-12-07 2016-12-07 A kind of the PMIPv6 Verification System and method of identity-based allograph

Publications (2)

Publication Number Publication Date
CN106507355A true CN106507355A (en) 2017-03-15
CN106507355B CN106507355B (en) 2019-05-21

Family

ID=58329699

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201611114302.7A Active CN106507355B (en) 2016-12-07 2016-12-07 A kind of the PMIPv6 Verification System and method of identity-based allograph

Country Status (1)

Country Link
CN (1) CN106507355B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2426956A1 (en) * 2009-04-27 2012-03-07 China Mobile Communications Corporation Data transferring method, system and related network device based on proxy mobile (pm) ipv6
CN102547890A (en) * 2012-01-11 2012-07-04 中山大学 Intra-domain switching method for proxy mobile IPv6 (Internet protocol version 6) based on AAA server
CN103841610A (en) * 2014-03-18 2014-06-04 山东大学 Quick and efficient agent mobile IPv6 switching method
CN103957524A (en) * 2014-04-23 2014-07-30 东北大学 PMIPv6 network bidirectional access authentication system and method based on classification identity signature

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107181597A (en) * 2017-06-30 2017-09-19 东北大学 A kind of identity-based acts on behalf of the PMIPv6 Verification Systems and method of group ranking
WO2019001169A1 (en) * 2017-06-30 2019-01-03 东北大学 Pmipv6 authentication system and method for identity-based proxy group signature
CN107181597B (en) * 2017-06-30 2020-02-07 东北大学 PMIPv6 authentication system and method based on identity agent group signature
CN107493570A (en) * 2017-07-18 2017-12-19 东北大学 A kind of the PMIPV6 anonymous access authentication systems and method of identity-based group label
WO2019015387A1 (en) * 2017-07-18 2019-01-24 东北大学 Group identity signature based pmipv6 anonymous access authentication system and method
CN110213245A (en) * 2019-05-15 2019-09-06 如般量子科技有限公司 Application system short distance energy-saving communication method and system based on unsymmetrical key pond and allograph
CN110213245B (en) * 2019-05-15 2021-06-22 如般量子科技有限公司 Application system short-distance energy-saving communication method and system based on asymmetric key pool and proxy signature
CN110855615A (en) * 2019-10-14 2020-02-28 云深互联(北京)科技有限公司 Equipment binding method and device

Also Published As

Publication number Publication date
CN106507355B (en) 2019-05-21

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant