CN106507355A - A kind of PMIPv6 Verification Systems of identity-based allograph and method - Google Patents
A kind of PMIPv6 Verification Systems of identity-based allograph and method Download PDFInfo
- Publication number
- CN106507355A CN106507355A CN201611114302.7A CN201611114302A CN106507355A CN 106507355 A CN106507355 A CN 106507355A CN 201611114302 A CN201611114302 A CN 201611114302A CN 106507355 A CN106507355 A CN 106507355A
- Authority
- CN
- China
- Prior art keywords
- mobile
- mobile node
- access gateway
- mag1
- accessed
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0869—Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3271—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
- H04L9/3273—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response for mutual authentication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/08—Access security
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
The present invention provides a kind of PMIPv6 Verification Systems of identity-based allograph and method, and the system includes:Third party's trust center STR;Local mobility anchor LMA;Mobile Access Gateway MAG.The method includes that STR is generated and issued common parameter;All entities in current network are registered to STR and obtain the public private key pair of entity itself;Monitor mobile node MN state in which in each PMIPv6 domains:Execute, if MN is in original state, the initial authentication that mobile node MN accesses PMIPv6 domains first;If mobile status of the MN in same PMIPv6 domains, execute;If mobile status of the MN in difference PMIPv6 domains, execute.The present invention applies the Proxy Signature Scheme of identity-based during the mobile management of PMIPv6 agreements, ensure that both sides are independently completed decryption or signature verification in the case where other side's identity is not considered based on local authentication, reduce the pressure of STR and LMA, the waiting time of MN is reduced, multiple attack can be resisted.
Description
Technical field
The invention belongs to technical field of network security, the PMIPv6 certifications system of more particularly to a kind of identity-based allograph
System and method.
Background technology
With the continuous development of mobile terminal, people are increasingly improved to the demand of any wireless network services, in order to meet people
Whenever and wherever possible, the demand of convenient and swift connection network, industry are also paid attention to all the more to the research of radio network technique, and
MIPv6 is undoubtedly a kind of important technology in wireless network research.And PMIPv6 networks are then with its shorter signaling delay, less
Signaling consumption and become study hotspot.In the face of such as Hijack Attack, Replay Attack, password guess, man-in-the-middle attack,
When threat is attacked in eavesdropping attack, camouflage, refusal service etc., if on the premise of cannot ensureing its safety, PMIPv6 extensively should
It is impossible to use network regional mobility management protocol.
In recent years, scholars have carried out substantial amounts of research for PMIPv6 access authentications problem, and have released one after another oneself
Safety approach.Document " certification and the realization for authorizing under PMIPv6 environment " proposes a kind of access authentication side of mobile IPSec
Case, the method achieve MN by the way of unified mark UID carries out the certificate of multi-stage authentication and digital signature to agency's
Registration, and the MIPSec/SA and SAH/SA, the SAH/SA for wherein being created of establishment MN to agency are for preventing while registration
Only the multilevel security network information is revealed.Both approaches are all realized by changing IKEv2.The advantage of the agreement is can be with
But the threat brought by opposing radio link opening, comparatively compares with very high safety and effectiveness its efficiency
Low;Document " SPAM:A secure password authentication mechanism for seamless handover
In proxy mobile IPv6networks " propose the security password that a kind of utilization smart cards for storage relevant information is realized
Authentication mechanism, the mechanism are more advantageous in terms of safety and efficiency, but the safety due to itself there is smart card is asked
Topic, therefore still has larger security breaches;Document " The Kerberos network authentication
The authentication service for being aimed at distributed environment that service (V5) " is proposed, by providing disposable input ID and password, just
Authority can be obtained from distributed server to go to obtain multiple services.Foundation Kerberos being applied in PMIPv6 is exactly
MAG as server.It is assumed here that being same entity for ticket server and AS.But, if the mechanism that does not recombinate,
MAG is exactly an independent server.Therefore, when MN changes its access point, MN must provide for the power of network service
Limit.It can be seen that, among above-mentioned certificate scheme, there is different degrees of lacking at the aspect such as safety of authentication delay and access procedure
Fall into, can not meet the demand of the safe and efficient access authentications of WMN very well.
Content of the invention
In view of the shortcomings of the prior art, the present invention provides a kind of PMIPv6 Verification Systems of identity-based allograph
And method.
Technical scheme is as follows:
A kind of PMIPv6 Verification Systems of identity-based allograph, including:
Third party's trust center STR:Generate and issue common parameter, entity identities in the PMIPv6 domains of place are examined
Look into, issue private key and certificate, and safeguard its all honest entity in a network public key, by its delegatability of signing right to agency
Signer;
Local mobility anchor LMA:It is connected with third party's trust center STR, Mobile Access Gateway MAG respectively, sets up two-way tunnel
Road simultaneously as the proxy signerses of third party's trust center STR, provides note for Mobile Access Gateway MAG forwarding packet
Volume and authentication service;
Mobile Access Gateway MAG:The mobile status of monitoring mobile node MN, while issued using local mobility anchor LMA
It is mutually authenticated between certificate and mobile node MN, it is ensured that carry out safety between local mobility anchor LMA and mobile node MN logical
Letter.
The method that PMIPv6 certifications are carried out using described system, including:
Step 1:Third party's trust center STR is generated and issues common parameter;
Step 2:All entities in current network are registered to third party's trust center STR and obtain the public and private of entity itself
Key pair;Third party's trust center STR is by the ID of mobile nodeMNAnd effect duration signed after as certificate authority to mobile node
MN, local mobility anchor LMA obtain allograph power from third party's trust center STR, and local mobility anchor LMA is by allograph
The certificate of authority, the ID of third party's trust center STRSTR, local mobility anchor LMA itself IDLMA, Mobile Access Gateway MAG
IDMAGCorresponding MAG is given as certificate authority after being signed;
Step 3:Monitor mobile node MN state in which in each PMIPv6 domains:If mobile node MN is in original state
State when i.e. mobile node MN accesses PMIPv6 domains first, then execution step 4;If mobile node MN is in same PMIPv6
Mobile status in domain, then execution step 5;If mobile status of the mobile node MN in difference PMIPv6 domains, executes
Step 6;
Step 4:Execute the initial authentication that mobile node MN accesses PMIPv6 domains first;
Step 5:Shared keys of the current Mobile Access Gateway MAG for connecting by oneself and mobile node MN between is sent out
Mobile Access Gateway MAG to be accessed in same PMIPv6 domains is given, is executed;
Step 6:Local mobility anchor LMA in the current domain for connecting is shared close and mobile node MN between by oneself
Key is sent to local mobility anchor LMA in another PMIPv6 domains to be accessed, executes.
The step 4, including:
Step 4.1:Mobile node MN utilizes the private key SK of oneselfMN, the certificate that will obtain from third party's trust center STR
CertSTR-MN, time stamp T S1And the ID of mobile node MNMNDo containing session key agreement parameter σMN_2Signature SignMN, and
By signature SignMN, certificate CertSTR-MN, time stamp T S1And the ID of mobile node MNMNIt is sent simultaneously to the shifting for preparing to access
Dynamic access gateway MAG1;
Step 4.2:Time stamp T S that Mobile Access Gateway MAG1 checking mobile node MNs send1:If time stamp T S1Newly
Fresh, then the access request of mobile node MN is refused in execution step 4.3, otherwise Mobile Access Gateway MAG1;
Step 4.3:The signature Sign that Mobile Access Gateway MAG1 checking mobile node MNs sendMNAnd certificate CertSTR-MN:
If legal, execution step 4.4, otherwise Mobile Access Gateway MAG1The access request of refusal mobile node MN;
Step 4.4:Mobile Access Gateway MAG1With own private key SKMAG1, by connected from Mobile Access Gateway MAG1
The certificate Cert that local mobility anchor LMA1 is obtainedLMA1-MAG1And time stamp T S of itself2, Mobile Access Gateway MAG1 connected
Local mobility anchor LMA1 IDLMA1, Mobile Access Gateway MAG1 itselfDo containing session key agreement parameter
σMAG1_2SignatureAnd this is signedCertificate CertLMA1-MAG, time stamp T S2, and local mobility anchor
The ID of LMA1LMA1With Mobile Access Gateway MAG1'sMobile node MN is sent back, while utilizing Mobile Access Gateway
MAG1 own private key SKMAG1And the signature Sign that mobile node MN sendsMNIn the session key agreement parameter that includes, calculate movement
Shared key K between access gateway MAG1 and mobile node MNMAG1-MNAnd session key SEKMAG1-MN;
Step 4.5:Time stamp T S that mobile node MN checking Mobile Access Gateway MAG1 sends2:If time stamp T S2Newly
Fresh, then execution step 4.6, otherwise mobile node MN stop access request;
Step 4.6:The signature that mobile node MN checking Mobile Access Gateway MAG1 sends backAnd certificate
CertLMA1-MAG:If legal, execution step 4.7, otherwise mobile node MN stop access request;
Step 4.7:Mobile node MN utilizes the private key SK of oneselfMNAnd the signature that Mobile Access Gateway MAG1 sendsIn the session key agreement parameter that includes, calculate shared close between mobile node MN and Mobile Access Gateway MAG1
Key KMAG1-MNAnd session key SEKMAG1-MN, complete initial access authentication;
Step 4.8:After initial authentication is completed between mobile node MN and Mobile Access Gateway MAG1, Mobile Access Gateway
MAG1 is by session key agreement parameter σ obtained from mobile node MNMN_2This is together sent to binding update messages (PBU)
Ground mobile anchor LMA1, after local mobility anchor LMA1 is received, with DH Diffie-Hellman, local mobility anchor LMA utilizes oneself
The value that private key and the session key agreement parameter are calculated, with one-way Hash function H3Hash is carried out, local mobility anchor LMA is obtained
Shared key K between mobile node MNLMA1-MN, and store.
The step 5, including:
Step 5.1:Mobile node MN generates corresponding session key agreement parameter according to DH Diffie-Hellman first
σMN_2, then with shared key K between the Mobile Access Gateway MAG1 and mobile node MN for currently connectingMAG1-MN, will
The ID of mobile node MN itselfMN, the current ID of Mobile Access Gateway MAG1 that connectingMAG1, session key agreement parameter
σMN_2And time stamp T S3It is signature SignMN, and by signature SignMN, time stamp T S3, the currently mobile access that connecting
The ID of gateway MAG1MAG1, mobile node MN session key agreement parameter σMN_2Together it is sent to be accessed in same PMIPv6 domains
Mobile Access Gateway MAG2;
Step 5.2:Time stamp T S that Mobile Access Gateway MAG2 checking mobile node MNs to be accessed send3:The time
Stamp TS3If fresh, execution step 5.3, the access of Mobile Access Gateway MAG2 refusal mobile node MNs otherwise to be accessed please
Ask;
Step 5.3:The signature Sign that Mobile Access Gateway MAG2 checking mobile node MNs to be accessed sendMNLegal
Property:If legal, execution step 5.4, the access of Mobile Access Gateway MAG2 refusal mobile node MNs otherwise to be accessed please
Ask;
Step 5.4:Mobile Access Gateway MAG2 to be accessed generates corresponding session according to DH Diffie-Hellman first
Key agreement parameter σMAG2_2, then with being total between the Mobile Access Gateway MAG1 and mobile node MN for currently connecting
Enjoy key KMAG1-MN, by the ID of Mobile Access Gateway MAG2 to be accessedMAG2, session key agreement parameter σMAG2_2, time stamp T S4
Sign, and session key agreement parameter σ by Mobile Access Gateway MAG2 to be accessedMAG2_2, Mobile Access Network to be accessed
Close the ID of MAG2MAG2, time stamp T S4With signature SignMNIt is sent simultaneously to mobile node MN;And by obtaining from mobile node MN
Session key agreement parameter σ for obtainingMN_2Calculate new between Mobile Access Gateway MAG2 to be accessed and mobile node MN being total to
Enjoy key KMAG2-MNAnd session key SEKMAG2-MN;
Step 5.5:Mobile node MN verifies time stamp T S that Mobile Access Gateway MAG2 to be accessed sends4:If this when
Between stab TS4Fresh, then execution step 5.6, otherwise mobile node MN stop access request;
Step 5.6:Mobile node MN verifies the signature Sign that Mobile Access Gateway MAG2 to be accessed sendsMNLegal
Property:If legal, execution step 5.7, otherwise mobile node MN stop access request;
Step 5.7:Mobile node MN calculates Mobile Access Gateway MAG2 to be accessed and mobile node MN shared key
KMAG2-MNAnd session key SEKMAG2-MN, complete in PMIPv6 domains, to switch certification.
The step 6, including:
Step 6.1:Local mobility anchor LMA1 is by shared key K between mobile node MNLMA1-MNBy the grade of service
Agreement SLA is transmitted to local mobility anchor LMA2 in mobile node MN PMIPv6 domains to be accessed;Mobile node MN passes through simultaneously
Mobile Access Gateway MAG1 obtains the key agreement parameter of local mobility anchor LMA1 in the PMIPv6 domains for currently connecting, will
The value that the private key of the key agreement parameter and mobile node MN is calculated carries out Hash, obtains mobile node MN and local mobility anchor
Shared key K between LMA1LMA1-MN;
Step 6.2:Mobile node MN is with local mobility anchor LMA1 in the PMIPv6 domains being currently accessed and mobile node
Shared key K between MNLMA1-MN, by the ID of mobile node MN itselfMN, the Mobile Access Gateway MAG2 that is currently accessed
IDMAG2, the ID of local mobility anchor LMA1 that connected of the Mobile Access Gateway MAG2 that is currently accessedLMA1, session key agreement parameter
σMN_2And time stamp T S5It is signature SignMN;By signature SignMN, mobile node MN itself IDMN, the movement that is currently accessed
The ID of access gateway MAG2MAG2, the ID of local mobility anchor LMA1 that connected of the Mobile Access Gateway MAG2 that is currently accessedLMA1, when
Between stab TS5And session key agreement parameter σ of mobile node MNMN_2The shifting in be accessed another PMIPv6 domain is together sent to
Dynamic access gateway MAG3;
Step 6.3:Another PMIPv6 domains to be accessed Mobile Access Gateway MAG3 checking mobile node MN send when
Between stab TS5If, time stamp T S5Fresh, then execution step 6.3, the Mobile Access Gateway in another PMIPv6 domains otherwise to be accessed
MAG3 refuses the access request of mobile node MN;
Step 6.4:The label that the Mobile Access Gateway MAG3 checking mobile node MNs in another PMIPv6 domains to be accessed send
Name SignMNLegitimacy, if legal, execution step 6.4, the Mobile Access Gateway in another PMIPv6 domains otherwise to be accessed
MAG3 refuses the access request of mobile node MN;
Step 6.5:The Mobile Access Gateway MAG3 in another PMIPv6 domains to be accessed is first according to DH Diffie-Hellman
Generate corresponding session key agreement parameter σMAG3_2, then ask simultaneously from local mobility anchor LMA2 in its place PMIPv6 domains
Obtain shared key K between mobile node MN and local mobility anchor LMA1 that connectingLMA1-MN, and use the shared key
KLMA1-MNID by the Mobile Access Gateway MAG3 in another PMIPv6 domains to be accessedMAG3, Mobile Access Gateway MAG3 be located
The ID of local mobility anchor LMA2 in PMIPv6 domainsLMA2, session key agreement parameter σMAG3_2And time stamp T S6Sign
SignMAG3;Session key agreement parameter σ by the Mobile Access Gateway MAG3 in another PMIPv6 domains to be accessedMAG3_2, the time
Stamp TS6, another PMIPv6 domains to be accessed Mobile Access Gateway MAG3 IDMAG3, another PMIPv6 domains to be accessed movement
The ID of local mobility anchor LMA2 connected by access gateway MAG3LMA2With signature SignMAG3It is sent simultaneously to mobile node MN;
The movement that another PMIPv6 domains to be accessed are calculated finally by the session key agreement parameter obtained from mobile node MN connects
New K between function Access Gateway MAG3 and mobile node MNMAG3-MNAnd session key SEKMAG3-MN;
Step 6.6:Mobile node MN verifies time stamp T S that Mobile Access Gateway MAG to be accessed sends6If, the time
Stamp TS6Fresh, then execution step 6.6, otherwise mobile node MN stop access request;
Step 6.7:Mobile node MN verifies the signature Sign that Mobile Access Gateway MAG to be accessed sendsMAG3Legal
Property, if legal, execution step 6.7, otherwise mobile node MN stop access request;
Step 6.8:Mobile node MN calculates the Mobile Access Gateway MAG3 and movable joint in another PMIPv6 domains to be accessed
Shared key K of point MNMAG3-MNAnd session key SEKMAG3-MN, complete between PMIPv6 domains, to switch certification.
Beneficial effect:
The Proxy Signature Scheme of identity-based is applied in the middle of the mobile management process of PMIPv6 agreements, base by the present invention
Ensure that both sides are independently completed decryption or signature verification in the case where other side's identity is not considered in local authentication;Stratification
The design of authentication architecture, and the pressure of the negotiation minimizing STR and LMA of shared key, reduce the waiting time of MN, improve overall
Authentication efficiency;Simultaneously multiple signatures and key agreement scheme with enabling the program to resist multiple attack, effectively ensure
The safety of scheme.
Description of the drawings
PMIPv6 Verification System Organization Charts of the Fig. 1 for the identity-based allograph of the specific embodiment of the invention;
Schematic diagrams of the Fig. 2 for the initial access authentication process of the specific embodiment of the invention;
Schematic diagrams of the Fig. 3 for access authentication procedure in the domain of the specific embodiment of the invention;
Fig. 4 for the specific embodiment of the invention domain between access authentication procedure schematic diagram.
Specific embodiment
Below in conjunction with the accompanying drawings the specific embodiment of the present invention is elaborated.
Present embodiment is that the PMIPv6 Verification Systems and method of identity-based allograph are applied to PMIPv6 networks
Access authentication link, while access authentication of user is realized, the safety of the verification process that adequately protects and efficiency are recognized in switching
During card, the use of symmetric key ensure that the efficiency of switching verification process.The PMIPv6 of identity-based allograph is accessed and is recognized
Card system includes:Third party's trust center STR, several PMIPv6 domains, include a local mobility anchor in each PMIPv6 domain
LMA (Local Mobility Anchor, LMA) and several Mobile Access Gateways MAG (Mobile Access Gateway,
MAG), several mobile node MNs for and moving in PMIPv6 domains or between difference PMIPv6 domains.
In the PMIPv6 Verification Systems of identity-based allograph as shown in Figure 1, third party's trust center STR passes through net
Network is connected with two local mobility anchors LMA1, LMA2, and local mobility anchor LMA1 connects two Mobile Access Gateways MAG1, MAG2,
Local mobility anchor LMA2 connects two Mobile Access Gateway MAG3, and what mobile node MN was currently connecting is Mobile Access Gateway
MAG1.Proxy signerses of local mobility anchor LMA1, LMA2 as third party's trust center STR, replace third party's trust center
STR is signed.
The framework of whole system is divided into four layers:Ground floor is system root of trust (System- for third party's trust center
Trusted Root, STR), all entities that third party's trust center STR is given tacit consent in the network are credible, meanwhile, third party trusts
Signature power can be granted to proxy signerses i.e. two local mobility anchor LMA1, LMA2 as original signer by center STR;
The second layer is two local mobility anchors LMA1, LMA2, and its home agent equivalent to PMIPv6 is responsible for mobile node MN
Binding state, and set up bidirectional tunnel to forward packet, the also set as proxy signerses to act on behalf of in third party's trust
Heart STR signs and the mobile node MN for third layer provides corresponding registration and authentication service;Third layer is Mobile Access Gateway
MAG1, MAG2, MAG3, are responsible for the mobile status of monitoring mobile node MN, replace the management of moving property of mobile node, while logical
Cross and be wirelessly mutually authenticated with mobile node, it is ensured that the network insertion of legitimate mobile node;4th layer is several mobile nodes
(Mobility Node, MN), which has mobility, can be in home network (such as the net that local mobility anchor LMA1 is responsible for
Network) and field network (such as the network that local mobility anchor LMA2 is responsible for) internetwork roaming, it is also possible in different Mobile Access Networks
Close switching movement between MAG (MAG1, MAG2, MAG3).Simultaneously mobile node MN in moving process will with newly access other
Two-way authentication is carried out between Mobile Access Gateway MAG, it is ensured that the bipartite safety and reliability of certification.
For convenience of subsequent descriptions, mark as shown in table 1 and explanation is given.
1 correlated identities of table and explanation
Third party's trust center STR:Generate and issue common parameter, entity identities in the PMIPv6 domains of place are examined
Look into, issue private key and certificate, and safeguard its all honest entity in a network public key, by its delegatability of signing right to agency
Signer;
Local mobility anchor LMA:It is connected with third party's trust center STR, Mobile Access Gateway MAG respectively, sets up two-way tunnel
Road simultaneously as the proxy signerses of third party's trust center STR, provides note for Mobile Access Gateway MAG forwarding packet
Volume and authentication service;
Mobile Access Gateway MAG:The mobile status of monitoring mobile node MN, while issued using local mobility anchor LMA
It is mutually authenticated between certificate and mobile node MN, it is ensured that carry out safety between local mobility anchor LMA and mobile node MN logical
Letter.
Mobile node MN:Entity mobile node in PMIPv6 agreements, home network and field network internetwork roaming or
Switching movement between different Mobile Access Gateway MAG;Simultaneously mobile node MN in moving process will with newly access other
Two-way authentication is carried out between Mobile Access Gateway MAG, it is ensured that the bipartite safety and reliability of certification.
The Proxy Signature Scheme of the identity-based for proposing with Wu W, Mu Y, Susilo W et al. in the present embodiment,
Referred to as WMS schemes, while in the middle of also participating in HMAC Message Digest 5s in the present invention and be mutually authenticated between entity.
Sign is verified with Standard signaturesMN.
The method that PMIPv6 certifications are carried out using described system, including:
Step 1:Third party's trust center STR is generated and issues common parameter;
First, addition cyclic group G of two ranks for q1With multiplication loop group GTWith a Bilinear map e:G1×G1→GT;
Afterwards, a generation unit P ∈ G is selected1With a random key
Then, the public key P of third party's trust center STR is calculatedpub=sP, generates and preserves third party's trust center STR
Private keyWhereinFor 1 to q-1 scopes positive integer;
In addition, selecting character set { 0,1 } to addition cyclic group G1Three one-way Hash functions H0:{ 0,1 }*→G1、H1:
{ 0,1 }*→G1、H2:{ 0,1 }*→G1One-way Hash function H with character set { 0,1 } to character set { 0,1 }3:{ 0,1 }*→ 0,
1}*;
Finally, the common parameter of generation is Para={ G1, GT, q, e, P, PPub, H0, H1, H2, H3}.
Step 2:All entities in current network are registered to third party's trust center STR and obtain the public and private of entity itself
Key pair;Third party's trust center STR is by the ID of mobile nodeMNAnd effect duration signed after as certificate authority to mobile node
MN, local mobility anchor LMA obtain allograph power from third party's trust center STR, and local mobility anchor LMA is by allograph
The certificate of authority, the ID of third party's trust center STRSTR, local mobility anchor LMA itself IDLMA, Mobile Access Gateway MAG
IDMAGCorresponding MAG is given as certificate authority after being signed;
Mobile node MN is directly registered to third party's trust center STR, and obtains the public key PK of oneselfMN, private key SKMNAnd
Certificate CertSTR-MN;
Multiple Mobile Access Gateway MAG under same local mobility anchor LMA are concentrated to the 3rd via local mobility anchor LMA
Square trust center STR is applied for the registration of, and allograph power is given local mobility anchor LMA by third party's trust center STR, and will be local
The mobile anchor LMA and its private key SK of multiple Mobile Access Gateway MAGMAG, public key PKMAGLocal mobility anchor LMA is transmitted to, local shifting
Dynamic anchor LMA replaces third party's trust center STR to generate respective certificate to Mobile Access Gateway MAG after message is received
CertLMA-MAG, and the private key SK with Mobile Access Gateway MAGMAGCorresponding Mobile Access Gateway is handed to by secure tunnel
MAG.
Step 3:Monitor mobile node MN state in which in each PMIPv6 domains:If mobile node MN is in original state
State when i.e. mobile node MN accesses PMIPv6 domains first, then execution step 4;If mobile node MN is in same PMIPv6
Mobile status in domain, then execution step 5;If mobile status of the mobile node MN in difference PMIPv6 domains, executes
Step 6;
Mobile status in the same PMIPv6 domains is that MN is moved, and is under same local mobility anchor LMA
State when moving between different Mobile Access Gateway MAG;Mobile status in the different PMIPv6 domains is that MN occurs
Mobile, and be state when moving between the different Mobile Access Gateway MAG under different local mobility anchors LMA.
Step 4:Execute the initial authentication that mobile node MN accesses PMIPv6 domains first;
By taking the Mobile Access Gateway MAG1 in mobile node MN accesses PMIPv6 domains first as an example, the step 4, such as Fig. 2
Shown, including:
Step 4.1:Mobile node MN utilizes the private key SK of oneselfMN, the certificate that will obtain from third party's trust center STR
CertSTR-MN, time stamp T S1And the ID of mobile node MNMNDo containing session key agreement parameter σMN_2Signature SignMN,
SignMN=Sign_WMS_SKMN{CertSTR-MN, IDMN, TS1, and by signature SignMN, certificate CertSTR-MN, time stamp T S1
And the ID of mobile node MNMNIt is sent simultaneously to the Mobile Access Gateway MAG1 for preparing to access;
Step 4.2:Time stamp T S that Mobile Access Gateway MAG1 checking mobile node MNs send1:If time stamp T S1Newly
Fresh, then the access request of mobile node MN is refused in execution step 4.3, otherwise Mobile Access Gateway MAG1;
Step 4.3:The signature Sign that Mobile Access Gateway MAG1 checking mobile node MNs sendMNAnd certificate CertSTR-MN:
If legal, execution step 4.4, otherwise Mobile Access Gateway MAG1The access request of refusal mobile node MN;
Step 4.4:Mobile Access Gateway MAG1With own private key SKMAG1, by connected from Mobile Access Gateway MAG1
The certificate Cert that local mobility anchor LMA1 is obtainedLMA1-MAG1And time stamp T S of itself2, Mobile Access Gateway MAG1 connected
Local mobility anchor LMA1 IDLMA1, Mobile Access Gateway MAG1 itselfDo containing session key agreement parameter
σMAG1_2SignatureAnd this is signed
NameCertificate CertLMA1-MAG, time stamp T S2, and the ID of local mobility anchor LMA1LMA1With Mobile Access Gateway MAG1
'sMobile node MN is sent back, while utilizing Mobile Access Gateway MAG1 own private key SKMAG1And mobile node MN is sent out
The signature Sign for sendingMNIn session key agreement parameter σ that includesMN_2, calculate Mobile Access Gateway MAG1 and mobile node MN it
Between shared key KMAG1-MNAnd session key SEKMAG1-MN;
Wherein shared key KMAG1-MNIt is according to DH Diffie-Hellman, by the session key agreement parameter of mobile node MN
And the private key of oneself is carried out calculating and wants secret value, and the secret value is used one-way Hash function H3Obtained value, shares
Key KMAG1-MNMobile node MN and same PMIPv6 domain in be accessed Mobile Access Gateway are participated in steps of 5
In being mutually authenticated between MAG;Session key SEKMAG1-MNIt is according to DH Diffie-Hellman, by the secret value for generating and time
Stamp connects and with one-way Hash function H3Obtained value, session key SEKMAG1-MNUsing as mobile node MN with current
When Mobile Access Gateway MAG carries out message exchange after the completion of certification, the key of encryption is used;
Step 4.5:Time stamp T S that mobile node MN checking Mobile Access Gateway MAG1 sends2:If time stamp T S2Newly
Fresh, then execution step 4.6, otherwise mobile node MN stop access request;
Step 4.6:The signature that mobile node MN checking Mobile Access Gateway MAG1 sends backAnd certificate
CertLMA1-MAG:If legal, execution step 4.7, otherwise mobile node MN stop access request;
Step 4.7:Mobile node MN utilizes the private key SK of oneselfMNAnd the signature that Mobile Access Gateway MAG1 sendsIn session key agreement parameter σ that includesMAG1_2, calculate being total between mobile node MN and Mobile Access Gateway MAG1
Enjoy key KMAG1-MNAnd session key SEKMAG1-MN, complete initial access authentication;
Step 4.8:After initial authentication is completed between mobile node MN and Mobile Access Gateway MAG1, Mobile Access Gateway
MAG1 is by session key agreement parameter σ obtained from mobile node MNMN_2This is together sent to binding update messages (PBU)
Ground mobile anchor LMA1, after local mobility anchor LMA1 is received, with DH Diffie-Hellman, local mobility anchor LMA utilizes oneself
The value that private key and the session key agreement parameter are calculated, with one-way Hash function H3Hash is carried out, local mobility anchor LMA is obtained
Shared key K between mobile node MNLMA1-MN, and store.
Step 5:Shared keys of the current Mobile Access Gateway MAG for connecting by oneself and mobile node MN between is sent out
Mobile Access Gateway MAG to be accessed in same PMIPv6 domains is given, is executed;
Mobile Access Network is switched to from Mobile Access Gateway MAG1 with mobile node MN in the PMIPv6 domains being currently accessed
As a example by closing MAG2, the step 5, as shown in figure 3, including:
Step 5.1:Mobile node MN generates corresponding session key agreement parameter according to DH Diffie-Hellman first
σMN_2, then with shared key K between the Mobile Access Gateway MAG1 and mobile node MN for currently connectingMAG1-MN, will
The ID of mobile node MN itselfMN, the current ID of Mobile Access Gateway MAG1 that connectingMAG1, session key agreement parameter
σMN_2And time stamp T S3It is signature SignMN=Sign_HMAC_KMAG1-MN{IDMN, IDMAG1, TS3, σMN_2, and this is signed
SignMN, time stamp T S3, the current ID of Mobile Access Gateway MAG1 that connectingMAG1, mobile node MN session key association
Business's parameter σMN_2Same PMIPv6 domain in be accessed Mobile Access Gateway MAG2 is together sent to;
Step 5.2:Time stamp T S that Mobile Access Gateway MAG2 checking mobile node MNs to be accessed send3:The time
Stamp TS3If fresh, execution step 5.3, the access of Mobile Access Gateway MAG2 refusal mobile node MNs otherwise to be accessed please
Ask;
Step 5.3:The signature Sign that Mobile Access Gateway MAG2 checking mobile node MNs to be accessed sendMNLegal
Property:If legal, execution step 5.4, the access of Mobile Access Gateway MAG2 refusal mobile node MNs otherwise to be accessed please
Ask;
Step 5.4:Mobile Access Gateway MAG2 to be accessed generates corresponding session according to DH Diffie-Hellman first
Key agreement parameter σMAG2_2, then with being total between the Mobile Access Gateway MAG1 and mobile node MN for currently connecting
Enjoy key KMAG1-MN, by the ID of Mobile Access Gateway MAG2 to be accessedMAG2, session key agreement parameter σMAG2_2, time stamp T S4
It is signature SignMN=Sign_HMAC_KMAG1-MN{IDMAG2, TS4, σMAG2_2, and by Mobile Access Gateway MAG2's to be accessed
Session key agreement parameter σMAG2_2, Mobile Access Gateway MAG2 to be accessed IDMAG2, time stamp T S4With signature SignMN
It is sent simultaneously to mobile node MN;And session key agreement parameter σ by obtaining from mobile node MNMN_2Calculate to be accessed
Mobile Access Gateway MAG2 and mobile node MN between new shared key KMAG2-MNAnd session key SEKMAG2-MN;
Step 5.5:Mobile node MN verifies time stamp T S that Mobile Access Gateway MAG2 to be accessed sends4:If this when
Between stab TS4Fresh, then execution step 5.6, otherwise mobile node MN stop access request;
Step 5.6:Mobile node MN verifies the signature Sign that Mobile Access Gateway MAG2 to be accessed sendsMNLegal
Property:If legal, execution step 5.7, otherwise mobile node MN stop access request;
Step 5.7:Mobile node MN calculates Mobile Access Gateway MAG2 to be accessed and mobile node MN shared key
KMAG2-MNAnd session key SEKMAG2-MN, complete in PMIPv6 domains, to switch certification.Now, mobile node MN and movement to be accessed
Complete to be mutually authenticated between access gateway MAG2, and have bipartite shared key and session key, mobile node
Interacting message can be carried out using session key message between MN and Mobile Access Gateway MAG2.
Step 6:Shared keys of the current Mobile Access Gateway MAG for connecting by oneself and mobile node MN between is sent out
Mobile Access Gateway MAG to be accessed in another PMIPv6 domains is given, is executed;
Another PMIPv6 domains are switched to Mobile Access Gateway MAG2 of the mobile node MN in the PMIPv6 domains being currently accessed
Mobile Access Gateway MAG3 as a example by, the step 6, as shown in figure 4, including:
Step 6.1:Local mobility anchor LMA1 is the shared key between mobile node MN obtained in step 4.8
KLMA1-MNLocal mobility anchor LMA2 in mobile node MN PMIPv6 domains to be accessed is transmitted to by service-level agreement SLA;
Mobile node MN obtains the local mobility anchor in the PMIPv6 domains for currently connecting by Mobile Access Gateway MAG1 simultaneously
The key agreement parameter of LMA1, according to DH Diffie-Hellman, the private key of the key agreement parameter and mobile node MN is calculated
Value use one-way Hash function H3Hash is carried out, the shared key between mobile node MN and local mobility anchor LMA2 is obtained
KLMA2-MN;
Step 6.2:Mobile node MN is with local mobility anchor LMA1 in the PMIPv6 domains being currently accessed and mobile node
Shared key K between MNLMA1-MN, by the ID of mobile node MN itselfMN, the Mobile Access Gateway MAG2 that is currently accessed
IDMAG2, the ID of local mobility anchor LMA1 that connected of the Mobile Access Gateway MAG2 that is currently accessedLMA1, session key agreement parameter
σMN_2And time stamp T S5It is signature SignMN=Sign_HMAC_KMAG1-MN{IDMN, IDMAG2, IDLMA1, TS5, σMN_2};This is signed
Name SignMN, mobile node MN itself IDMN, the ID of Mobile Access Gateway MAG2 that is currently accessedMAG2, the movement that is currently accessed
The ID of local mobility anchor LMA1 connected by access gateway MAG2LMA1, time stamp T S5And the session key association of mobile node MN
Business's parameter σMN_2The Mobile Access Gateway MAG3 in be accessed another PMIPv6 domain is together sent to;
Step 6.3:Another PMIPv6 domains to be accessed Mobile Access Gateway MAG3 checking mobile node MN send when
Between stab TS5If, time stamp T S5Fresh, then execution step 6.3, the Mobile Access Gateway in another PMIPv6 domains otherwise to be accessed
MAG3 refuses the access request of mobile node MN;
Step 6.4:The label that the Mobile Access Gateway MAG3 checking mobile node MNs in another PMIPv6 domains to be accessed send
Name SignMNLegitimacy, if legal, execution step 6.4, the Mobile Access Gateway in another PMIPv6 domains otherwise to be accessed
MAG3 refuses the access request of mobile node MN;
Step 6.5:The Mobile Access Gateway MAG3 in another PMIPv6 domains to be accessed is first according to DH Diffie-Hellman
Generate corresponding session key agreement parameter σMAG3_2, then ask simultaneously from local mobility anchor LMA2 in its place PMIPv6 domains
Obtain shared key K between mobile node MN and local mobility anchor LMA1 that connectingLMA1-MN, and use the shared key
KLMA1-MNID by the Mobile Access Gateway MAG3 in another PMIPv6 domains to be accessedMAG3, Mobile Access Gateway MAG3 be located
The ID of local mobility anchor LMA2 in PMIPv6 domainsLMA2, session key agreement parameter σMAG3_2And time stamp T S6Sign
SignMAG3=Sign_HMAC_KLMA1-MN{IDLMA2, IDMAG3, TS6, σMAG3_2};By the session key obtained from mobile node MN
Negotiation parameter calculates new between the Mobile Access Gateway MAG3 in another PMIPv6 domains to be accessed and mobile node MN
KMAG3-MNAnd session key SEKMAG3-MN;The session key of the Mobile Access Gateway MAG3 in another PMIPv6 domains to be accessed is assisted
Business's parameter σMAG3_2, time stamp T S6, another PMIPv6 domains to be accessed Mobile Access Gateway MAG3 IDMAG3, to be accessed another
The ID of local mobility anchor LMA2 connected by the Mobile Access Gateway MAG3 in one PMIPv6 domainsLMA2With signature SignMAG3Send out simultaneously
Give mobile node MN;
Step 6.6:Mobile node MN verifies time stamp T S that Mobile Access Gateway MAG to be accessed sends6If, the time
Stamp TS6Fresh, then execution step 6.6, otherwise mobile node MN stop access request;
Step 6.7:Mobile node MN verifies the signature Sign that Mobile Access Gateway MAG to be accessed sendsMAG3Legal
Property, if legal, execution step 6.7, otherwise mobile node MN stop access request;
Step 6.8:Mobile node MN calculates the Mobile Access Gateway MAG3 and movable joint in another PMIPv6 domains to be accessed
Shared key K of point MNMAG3-MNAnd session key SEKMAG3-MN, complete between PMIPv6 domains, to switch certification.
Claims (5)
1. a kind of PMIPv6 Verification Systems of identity-based allograph, it is characterised in that include:
Third party's trust center STR:Generate and issue common parameter, entity identities in the PMIPv6 domains of place are examined, issue
Send out private key and certificate, and safeguard its all honest entity in a network public key, by its delegatability of signing right to allograph
Person;
Local mobility anchor LMA:It is connected with third party's trust center STR, Mobile Access Gateway MAG respectively, sets up bidirectional tunnel
Forward packet, simultaneously as the proxy signerses of third party's trust center STR, for Mobile Access Gateway MAG provides registration with
Authentication service;
Mobile Access Gateway MAG:The mobile status of monitoring mobile node MN, while the certificate that is issued using local mobility anchor LMA
It is mutually authenticated between mobile node MN, it is ensured that securely communicate between local mobility anchor LMA and mobile node MN.
2. the method for carrying out PMIPv6 certifications using the system described in claim 1, it is characterised in that include:
Step 1:Third party's trust center STR is generated and issues common parameter;
Step 2:All entities in current network are registered to third party's trust center STR and obtain the public and private key of entity itself
Right;Third party's trust center STR is by the ID of mobile nodeMNAnd effect duration signed after as certificate authority to mobile node
MN, local mobility anchor LMA obtain allograph power from third party's trust center STR, and local mobility anchor LMA is by allograph
The certificate of authority, the ID of third party's trust center STRSTR, local mobility anchor LMA itself IDLMA, Mobile Access Gateway MAG
IDMAGCorresponding MAG is given as certificate authority after being signed;
Step 3:Monitor mobile node MN state in which in each PMIPv6 domains:If mobile node MN is moved in original state
Dynamic node M N accesses state during PMIPv6 domains first, then execution step 4;If mobile node MN is in same PMIPv6 domains
Mobile status, then execution step 5;If mobile status of the mobile node MN in difference PMIPv6 domains, execution step
6;
Step 4:Execute the initial authentication that mobile node MN accesses PMIPv6 domains first;
Step 5:Shared keys of the current Mobile Access Gateway MAG for connecting by oneself and mobile node MN between is sent to
Mobile Access Gateway MAG to be accessed in same PMIPv6 domains, executes;
Step 6:Local mobility anchor LMA in the current PMIPv6 domains for connecting is shared and mobile node MN between by oneself
Key is sent to local mobility anchor LMA in another PMIPv6 domains to be accessed, executes.
3. method according to claim 2, it is characterised in that the step 4, including:
Step 4.1:Mobile node MN utilizes the private key SK of oneselfMN, the certificate that will obtain from third party's trust center STR
CertSTR-MN, time stamp T S1And the ID of mobile node MNMNDo containing session key agreement parameter σMN_2Signature SignMN, and
By signature SignMN, certificate CertSTR-MN, time stamp T S1And the ID of mobile node MNMNIt is sent simultaneously to the shifting for preparing to access
Dynamic access gateway MAG1;
Step 4.2:Time stamp T S that Mobile Access Gateway MAG1 checking mobile node MNs send1:If time stamp T S1Fresh, then
Execution step 4.3, otherwise Mobile Access Gateway MAG1 refuse the access request of mobile node MN;
Step 4.3:The signature Sign that Mobile Access Gateway MAG1 checking mobile node MNs sendMNAnd certificate CertSTR-MN:If
Legal, then execution step 4.4, otherwise Mobile Access Gateway MAG1The access request of refusal mobile node MN;
Step 4.4:Mobile Access Gateway MAG1With own private key SKMAG1, local by connected from Mobile Access Gateway MAG1
The certificate Cert that mobile anchor LMA1 is obtainedLMA1-MAG1And time stamp T S of itself2, the sheets that connected of Mobile Access Gateway MAG1
The ID of ground mobile anchor LMA1LMA1, Mobile Access Gateway MAG1 ID of itselfMAG1Do containing session key agreement parameter σMAG1_2Label
NameAnd this is signedCertificate CertLMA1-MAG, time stamp T S2, and the ID of local mobility anchor LMA1LMA1
With Mobile Access Gateway MAG1'sMobile node MN is sent back, while utilizing Mobile Access Gateway MAG1 own private keys
SKMAG1And the signature Sign that mobile node MN sendsMNIn the session key agreement parameter that includes, calculate Mobile Access Gateway MAG1
Shared key K between mobile node MNMAG1-MNAnd session key SEKMAG1-MN;
Step 4.5:Time stamp T S that mobile node MN checking Mobile Access Gateway MAG1 sends2:If time stamp T S2Fresh, then
Execution step 4.6, otherwise mobile node MN stop access request;
Step 4.6:The signature that mobile node MN checking Mobile Access Gateway MAG1 sends backAnd certificate CertLMA1-MAG:
If legal, execution step 4.7, otherwise mobile node MN stop access request;
Step 4.7:Mobile node MN utilizes the private key SK of oneselfMNAnd the signature that Mobile Access Gateway MAG1 sendsIn
Comprising session key agreement parameter, calculate shared key K between mobile node MN and Mobile Access Gateway MAG1MAG1-MNAnd
Session key SEKMAG1-MN, complete initial access authentication;
Step 4.8:After initial authentication is completed between mobile node MN and Mobile Access Gateway MAG1, Mobile Access Gateway MAG1
By session key agreement parameter σ obtained from mobile node MNMN_2Local shifting is together sent to binding update messages (PBU)
Dynamic anchor LMA1, after local mobility anchor LMA1 is received, with DH Diffie-Hellman, local mobility anchor LMA utilizes the private key of oneself
The value calculated with the session key agreement parameter, with one-way Hash function H3Hash is carried out, local mobility anchor LMA and shifting is obtained
Shared key K between dynamic node M NLMA1-MN, and store.
4. method according to claim 2, it is characterised in that the step 5, including:
Step 5.1:Mobile node MN generates corresponding session key agreement parameter σ according to DH Diffie-Hellman firstMN_2, so
Afterwards using shared key K between the Mobile Access Gateway MAG1 and mobile node MN for currently connectingMAG1-MN, by movable joint
The ID of point MN itselfMN, the current ID of Mobile Access Gateway MAG1 that connectingMAG1, session key agreement parameter σMN_2And
Time stamp T S3It is signature SignMN, while and by signature SignMN, time stamp T S3, the current Mobile Access Gateway that connecting
The ID of MAG1MAG1, mobile node MN IDMN, mobile node MN session key agreement parameter σMN_2Together it is sent to same
Mobile Access Gateway MAG2 to be accessed in PMIPv6 domains;
Step 5.2:Time stamp T S that Mobile Access Gateway MAG2 checking mobile node MNs to be accessed send3:Time stamp T S3
If fresh, execution step 5.3, Mobile Access Gateway MAG2 otherwise to be accessed refuse the access request of mobile node MN;
Step 5.3:The signature Sign that Mobile Access Gateway MAG2 checking mobile node MNs to be accessed sendMNLegitimacy:Such as
Really legal, then the access request of mobile node MN is refused in execution step 5.4, Mobile Access Gateway MAG2 otherwise to be accessed;
Step 5.4:Mobile Access Gateway MAG2 to be accessed generates corresponding session key according to DH Diffie-Hellman first
Consult parameter σMAG2_2, then with shared close between the Mobile Access Gateway MAG1 and mobile node MN for currently connecting
Key KMAG1-MN, by the ID of Mobile Access Gateway MAG2 to be accessedMAG2, time stamp T S4, session key agreement parameter σMAG2_2Sign
Name, and session key agreement parameter σ by Mobile Access Gateway MAG2 to be accessedMAG2_2, Mobile Access Gateway to be accessed
The ID of MAG2MAG2, time stamp T S4With signature SignMNIt is sent simultaneously to mobile node MN;And by obtaining from mobile node MN
Session key agreement parameter σMN_2Calculate new between Mobile Access Gateway MAG2 to be accessed and mobile node MN sharing
Key KMAG2-MNAnd session key SEKMAG2-MN;
Step 5.5:Mobile node MN verifies time stamp T S that Mobile Access Gateway MAG2 to be accessed sends4:If the timestamp
TS4Fresh, then execution step 5.6, otherwise mobile node MN stop access request;
Step 5.6:Mobile node MN verifies the signature Sign that Mobile Access Gateway MAG2 to be accessed sendsMNLegitimacy:Such as
Really legal, then execution step 5.7, otherwise mobile node MN stop access request;
Step 5.7:Mobile node MN calculates Mobile Access Gateway MAG2 to be accessed and mobile node MN shared key KMAG2-MNAnd
Session key SEKMAG2-MN, complete in PMIPv6 domains, to switch certification.
5. method according to claim 2, it is characterised in that the step 6, including:
Step 6.1:Local mobility anchor LMA1 is by shared key K between mobile node MNLMA1-MNBy service-level agreement
SLA is transmitted to local mobility anchor LMA2 in mobile node MN PMIPv6 domains to be accessed;Mobile node MN is by movement simultaneously
Access gateway MAG1 obtains the key agreement parameter of local mobility anchor LMA1 in the PMIPv6 domains for currently connecting, and this is close
The value that the private key of parameter and mobile node MN calculates consulted by key carries out Hash, obtain mobile node MN and local mobility anchor LMA1 it
Between shared key KLMA1-MN;
Step 6.2:Mobile node MN with local mobility anchor LMA1 in the PMIPv6 domains that are currently accessed and mobile node MN it
Between shared key KLMA1-MN, by the ID of mobile node MN itselfMN, the ID of Mobile Access Gateway MAG2 that is currently accessedMAG2, when
The ID of local mobility anchor LMA1 connected by the Mobile Access Gateway MAG2 of front accessLMA1, session key agreement parameter σMN_2And
Time stamp T S5It is signature SignMN;By signature SignMN, mobile node MN itself IDMN, the Mobile Access Network that is currently accessed
Close the ID of MAG2MAG2, the ID of local mobility anchor LMA1 that connected of the Mobile Access Gateway MAG2 that is currently accessedLMA1, timestamp
TS5And session key agreement parameter σ of mobile node MNMN_2The movement for being together sent to another PMIPv6 domains to be accessed connects
Function Access Gateway MAG3;
Step 6.3:The timestamp that the Mobile Access Gateway MAG3 checking mobile node MNs in another PMIPv6 domains to be accessed send
TS5If, time stamp T S5Fresh, then execution step 6.3, the Mobile Access Gateway MAG3 in another PMIPv6 domains otherwise to be accessed
The access request of refusal mobile node MN;
Step 6.4:The signature that the Mobile Access Gateway MAG3 checking mobile node MNs in another PMIPv6 domains to be accessed send
SignMNLegitimacy, if legal, execution step 6.4, the Mobile Access Gateway in another PMIPv6 domains otherwise to be accessed
MAG3 refuses the access request of mobile node MN;
Step 6.5:The Mobile Access Gateway MAG3 in another PMIPv6 domains to be accessed is generated according to DH Diffie-Hellman first
Corresponding session key agreement parameter σMAG3_2, then ask from local mobility anchor LMA2 in its place PMIPv6 domains and obtain
Shared key K between mobile node MN and local mobility anchor LMA1 that connectingLMA1-MN, and use the shared key
KLMA1-MNID by the Mobile Access Gateway MAG3 in another PMIPv6 domains to be accessedMAG3, Mobile Access Gateway MAG3 be located
The ID of local mobility anchor LMA2 in PMIPv6 domainsLMA2, session key agreement parameter σMAG3_2And time stamp T S6Sign
SignMAG3;Session key agreement parameter σ by the Mobile Access Gateway MAG3 in another PMIPv6 domains to be accessedMAG3_2, the time
Stamp TS6, another PMIPv6 domains to be accessed Mobile Access Gateway MAG3 IDMAG3, another PMIPv6 domains to be accessed movement
The ID of local mobility anchor LMA2 connected by access gateway MAG3LMA2With signature SignMAG3It is sent simultaneously to mobile node MN;
The movement that another PMIPv6 domains to be accessed are calculated finally by the session key agreement parameter obtained from mobile node MN connects
New K between function Access Gateway MAG3 and mobile node MNMAG3-MNAnd session key SEKMAG3-MN;
Step 6.6:Mobile node MN verifies time stamp T S that Mobile Access Gateway MAG to be accessed sends6If, time stamp T S6
Fresh, then execution step 6.6, otherwise mobile node MN stop access request;
Step 6.7:Mobile node MN verifies the signature Sign that Mobile Access Gateway MAG to be accessed sendsMAG3Legitimacy, such as
Really legal, then execution step 6.7, otherwise mobile node MN stop access request;
Step 6.8:Mobile node MN calculates the Mobile Access Gateway MAG3 in another PMIPv6 domains to be accessed and mobile node MN
Shared key KMAG3-MNAnd session key SEKMAG3-MN, complete between PMIPv6 domains, to switch certification.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201611114302.7A CN106507355B (en) | 2016-12-07 | 2016-12-07 | A kind of the PMIPv6 Verification System and method of identity-based allograph |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201611114302.7A CN106507355B (en) | 2016-12-07 | 2016-12-07 | A kind of the PMIPv6 Verification System and method of identity-based allograph |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106507355A true CN106507355A (en) | 2017-03-15 |
CN106507355B CN106507355B (en) | 2019-05-21 |
Family
ID=58329699
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201611114302.7A Active CN106507355B (en) | 2016-12-07 | 2016-12-07 | A kind of the PMIPv6 Verification System and method of identity-based allograph |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106507355B (en) |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107181597A (en) * | 2017-06-30 | 2017-09-19 | 东北大学 | A kind of identity-based acts on behalf of the PMIPv6 Verification Systems and method of group ranking |
CN107493570A (en) * | 2017-07-18 | 2017-12-19 | 东北大学 | A kind of the PMIPV6 anonymous access authentication systems and method of identity-based group label |
CN110213245A (en) * | 2019-05-15 | 2019-09-06 | 如般量子科技有限公司 | Application system short distance energy-saving communication method and system based on unsymmetrical key pond and allograph |
CN110855615A (en) * | 2019-10-14 | 2020-02-28 | 云深互联(北京)科技有限公司 | Equipment binding method and device |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP2426956A1 (en) * | 2009-04-27 | 2012-03-07 | China Mobile Communications Corporation | Data transferring method, system and related network device based on proxy mobile (pm) ipv6 |
CN102547890A (en) * | 2012-01-11 | 2012-07-04 | 中山大学 | Intra-domain switching method for proxy mobile IPv6 (Internet protocol version 6) based on AAA server |
CN103841610A (en) * | 2014-03-18 | 2014-06-04 | 山东大学 | Quick and efficient agent mobile IPv6 switching method |
CN103957524A (en) * | 2014-04-23 | 2014-07-30 | 东北大学 | PMIPv6 network bidirectional access authentication system and method based on classification identity signature |
-
2016
- 2016-12-07 CN CN201611114302.7A patent/CN106507355B/en active Active
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP2426956A1 (en) * | 2009-04-27 | 2012-03-07 | China Mobile Communications Corporation | Data transferring method, system and related network device based on proxy mobile (pm) ipv6 |
CN102547890A (en) * | 2012-01-11 | 2012-07-04 | 中山大学 | Intra-domain switching method for proxy mobile IPv6 (Internet protocol version 6) based on AAA server |
CN103841610A (en) * | 2014-03-18 | 2014-06-04 | 山东大学 | Quick and efficient agent mobile IPv6 switching method |
CN103957524A (en) * | 2014-04-23 | 2014-07-30 | 东北大学 | PMIPv6 network bidirectional access authentication system and method based on classification identity signature |
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107181597A (en) * | 2017-06-30 | 2017-09-19 | 东北大学 | A kind of identity-based acts on behalf of the PMIPv6 Verification Systems and method of group ranking |
WO2019001169A1 (en) * | 2017-06-30 | 2019-01-03 | 东北大学 | Pmipv6 authentication system and method for identity-based proxy group signature |
CN107181597B (en) * | 2017-06-30 | 2020-02-07 | 东北大学 | PMIPv6 authentication system and method based on identity agent group signature |
CN107493570A (en) * | 2017-07-18 | 2017-12-19 | 东北大学 | A kind of the PMIPV6 anonymous access authentication systems and method of identity-based group label |
WO2019015387A1 (en) * | 2017-07-18 | 2019-01-24 | 东北大学 | Group identity signature based pmipv6 anonymous access authentication system and method |
CN110213245A (en) * | 2019-05-15 | 2019-09-06 | 如般量子科技有限公司 | Application system short distance energy-saving communication method and system based on unsymmetrical key pond and allograph |
CN110213245B (en) * | 2019-05-15 | 2021-06-22 | 如般量子科技有限公司 | Application system short-distance energy-saving communication method and system based on asymmetric key pool and proxy signature |
CN110855615A (en) * | 2019-10-14 | 2020-02-28 | 云深互联(北京)科技有限公司 | Equipment binding method and device |
Also Published As
Publication number | Publication date |
---|---|
CN106507355B (en) | 2019-05-21 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
Yang et al. | Efficient handover authentication with user anonymity and untraceability for mobile cloud computing | |
Cao et al. | A simple and robust handover authentication between HeNB and eNB in LTE networks | |
Wang et al. | SDN-based handover authentication scheme for mobile edge computing in cyber-physical systems | |
CN101222331B (en) | Authentication server, method and system for bidirectional authentication in mesh network | |
CN111885602B (en) | Heterogeneous network-oriented batch switching authentication and key agreement method | |
CN107181597B (en) | PMIPv6 authentication system and method based on identity agent group signature | |
CN107493570B (en) | A kind of the PMIPV6 anonymous access authentication system and method for identity-based group label | |
Sun et al. | Privacy-preserving device discovery and authentication scheme for D2D communication in 3GPP 5G HetNet | |
CN106507355B (en) | A kind of the PMIPv6 Verification System and method of identity-based allograph | |
CN107920350A (en) | Privacy protection switching authentication method based on SDN and 5G heterogeneous network | |
Shashidhara et al. | A robust user authentication protocol with privacy-preserving for roaming service in mobility environments | |
Nguyen et al. | Enhanced EAP-based pre-authentication for fast and secure inter-ASN handovers in mobile WiMAX networks | |
Gharsallah et al. | An efficient authentication and key agreement protocol for a group of vehicles devices in 5G cellular networks | |
Fu et al. | Fast and secure handover authentication scheme based on ticket for WiMAX and WiFi heterogeneous networks | |
CN103781067A (en) | Authentication switching method with privacy protection in LTE (long term evolution)/LTE-A (LTE-advanced) network | |
CN103957524A (en) | PMIPv6 network bidirectional access authentication system and method based on classification identity signature | |
Kumar et al. | Design of a USIM and ECC based handover authentication scheme for 5G-WLAN heterogeneous networks | |
Ren et al. | Fast and Universal Inter‐Slice Handover Authentication with Privacy Protection in 5G Network | |
Kim et al. | MoTH: mobile terminal handover security protocol for HUB switching based on 5G and beyond (5GB) P2MP backhaul environment | |
Haddad et al. | Secure and efficient AKA scheme and uniform handover protocol for 5G network using blockchain | |
Roy et al. | FastHand: A fast handover authentication protocol for densely deployed small-cell networks | |
Zhu et al. | Research on authentication mechanism of cognitive radio networks based on certification authority | |
Lin et al. | A fast iterative localized re-authentication protocol for heterogeneous mobile networks | |
CN105119832A (en) | MIPv6 security mobility management system based on identification cryptology and mobility authentication method | |
Li et al. | A novel re-authentication scheme based on tickets in wireless local area networks |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |