This is the presentation for a course named ECT; the paper is about techniques like AAA, RADIUS, smart card and Java Card.
Smart Card Based Protocol for Secure and Controlled Access of Mobile Host in IPv6 Compatible Foreign Network
954203020 郭啟揚, 954203039 鄭志瑋, 954203057 蔡繼正
Outline(1/1)
Introduction
Smart Card
Java Card
AAA architecture: RADIUS, Diameter
Network layer security using IPv6: IP Source Address Filtering, IPsec
User registration protocol
Comment
Introduction
IPsec + PKI: consumes computing power and bandwidth, and is hard to implement.
Proposed instead: Smart card + IPv6 + IPsec, with AAA (Authentication, Authorization, Accounting) and MAP (Mobile Authentication Protocol).
Building blocks: AAA, Java Applet, encryption functions, implementation of the AR, IPv6, LSA, URP, IPsec.
Smart Card(1/4)
Card types: magnetic stripe cards; smart cards (IC cards, chip cards, smart cards), which are subdivided into memory cards, microprocessor cards and Java Cards.
Smart Card(2/4)
Memory cards
  Memory card: capacity 64KB to 1MB. Example: pre-paid telephone card.
  Optical memory card: capacity 4MB. Example: personal identification card.
Smart Card(3/4)
Microprocessor cards
  Contact cards: IC telephone card, IC bank card.
  Contactless cards: MRT EasyCard (悠遊卡).
  Combi cards: second-generation credit card.
Smart Card(4/4)
Java Card(1/2)
Smart cards before Java Card: demand rose and new applications appeared, but the APIs were very complex, there was no common development environment, and cards from different vendors for the same application were incompatible.
Java Card(2/2)
Java Card supports multiple applications on one card; Java Applets are reusable and easy to implement; applets run in any Java-based environment; cards written against the Java API are mutually compatible.
AAA architecture
AAA: Authentication, Authorization, Accounting.
Protocols: RADIUS (Remote Authentication Dial In User Service), Diameter.
RADIUS(1/2)
RADIUS(2/2)
Drawbacks: low security guarantee; low scalability; low transmission reliability; small AVP (Attribute Value Pair) space (256); heavy processing requirement.
Diameter(1/4)
Diameter(2/4)
Runs over TCP or SCTP (Stream Control Transmission Protocol), which support retransmission and windowed flow control; a proxy must ack every packet. This solves the RADIUS problems of connection disruption, silent discard and congestion.
Diameter(3/4)
CMS (Cryptographic Message Syntax): high security, with end-to-end digital signature and encryption.
Diameter(4/4)
Advantages: larger AVP space (2^32); time stamps defeat replay attacks; high extensibility; payload aligned to 32 bits.
Network layer security using IPv6
IP Source Address Filtering; IPsec
IP Source Address Filtering
[Figure: two mobile hosts (MH) behind an access router (AR) in front of network resources (server, PC). Labels: DHCP, user identity, IP, shared key (shown on both sides). Packets from the registered MH are passed; packets from the MH that was not granted access are dropped.]
IPsec(2/5)
IPsec protocols: AH (Authentication Header), ESP (Encapsulating Security Payload).
IPsec modes: transport mode, tunnel mode.
IPsec(3/5)
IPsec(4/5)
IPsec(5/5) SA (Security Association)
An SA is unidirectional: A's inbound SA and B's outbound SA (and likewise B's inbound SA and A's outbound SA) share the same key and cipher parameters.
SA bundle.
An SA is identified by a triple: destination IP address, protocol identifier (ESP or AH), SPI (Security Parameter Index).
Stored in the SADB (Security Association Database).
Implementation: FreeS/WAN.
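To show why an SA is unidirectional and why the receiver locates it by the (destination IP, protocol, SPI) triple, here is a toy SADB with AH-style integrity protection. This is an added example, not code from the presentation or from FreeS/WAN; the IPv6 addresses, keys, SPI values and the HMAC-SHA256 truncated to 96 bits are constructed assumptions, and the replay check uses a plain set rather than the sliding window real AH implementations keep.

```python
import hmac
import hashlib
import struct

PROTO_AH = 51   # IP protocol number of the Authentication Header
PROTO_ESP = 50  # IP protocol number of ESP
ICV_LEN = 12    # AH truncates the HMAC to 96 bits; assumed here with HMAC-SHA256


class SADB:
    """Security Association Database: one entry per unidirectional SA."""

    def __init__(self):
        self._sas = {}

    def add(self, dst_ip, proto, spi, key):
        # The triple (destination IP, protocol, SPI) identifies the SA.
        self._sas[(dst_ip, proto, spi)] = {"key": key, "seq": 0, "seen": set()}

    def lookup(self, dst_ip, proto, spi):
        return self._sas.get((dst_ip, proto, spi))


def _icv(key, dst_ip, spi, seq, payload):
    # Integrity check value over the fields a receiver can reconstruct.
    msg = dst_ip.encode() + struct.pack("!II", spi, seq) + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:ICV_LEN]


def ah_protect(sadb, dst_ip, spi, payload):
    """Sender side: apply the outbound SA found by (dst, AH, SPI)."""
    sa = sadb.lookup(dst_ip, PROTO_AH, spi)
    if sa is None:
        raise LookupError("no outbound SA for this triple")
    sa["seq"] += 1
    icv = _icv(sa["key"], dst_ip, spi, sa["seq"], payload)
    return struct.pack("!II", spi, sa["seq"]) + icv + payload


def ah_verify(sadb, dst_ip, packet):
    """Receiver side: locate the inbound SA, reject replays and bad ICVs."""
    spi, seq = struct.unpack("!II", packet[:8])
    icv, payload = packet[8:8 + ICV_LEN], packet[8 + ICV_LEN:]
    sa = sadb.lookup(dst_ip, PROTO_AH, spi)
    if sa is None:
        return None  # unknown triple: no SA, packet discarded
    if seq in sa["seen"]:
        return None  # replayed sequence number
    if not hmac.compare_digest(icv, _icv(sa["key"], dst_ip, spi, seq, payload)):
        return None  # integrity check failed
    sa["seen"].add(seq)
    return payload


# Constructed sample hosts and keys (not from the presentation).
A_IP, B_IP = "2001:db8::a", "2001:db8::b"
K_AB = b"constructed-key-for-A-to-B-direction"
K_BA = b"constructed-key-for-B-to-A-direction"


def build_sa_bundle():
    """One SADB per host, holding the two unidirectional SAs of the pair."""
    sadb_a, sadb_b = SADB(), SADB()
    # A's outbound SA and B's inbound SA are the same association:
    # same triple, same key, same parameters.
    sadb_a.add(B_IP, PROTO_AH, 0x1001, K_AB)
    sadb_b.add(B_IP, PROTO_AH, 0x1001, K_AB)
    # B's outbound SA and A's inbound SA likewise share their key.
    sadb_b.add(A_IP, PROTO_AH, 0x2002, K_BA)
    sadb_a.add(A_IP, PROTO_AH, 0x2002, K_BA)
    return sadb_a, sadb_b


def demo():
    sadb_a, sadb_b = build_sa_bundle()
    pkt = ah_protect(sadb_a, B_IP, 0x1001, b"hello from A")
    first = ah_verify(sadb_b, B_IP, pkt)        # payload accepted
    replay = ah_verify(sadb_b, B_IP, pkt)       # None: sequence number reused
    pkt2 = ah_protect(sadb_a, B_IP, 0x1001, b"second")
    tampered = ah_verify(sadb_b, B_IP, pkt2[:-1] + b"!")  # None: ICV mismatch
    return first, replay, tampered


if __name__ == "__main__":
    print(demo())
```

Each host only ever consults its own SADB, and B can verify A's traffic only because the entry keyed by (B_IP, AH, 0x1001) holds the same key on both sides; a packet carrying an SPI that is not in the receiver's SADB is dropped before any cryptography runs.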
User registration protocol(1/4)
AAA servers: AAAh (AAA server in the home network of the MH), AAAv (AAA server in the visited network).
SA (Security Association): inter-domain SA, local SA.
Temporary Shared Key (TSK).
User Registration Protocol(2/4)
URP (User Registration Protocol), MAP (Mobile Authentication Protocol).
Implementation of URP: EAPoUDP (EAP format) to communicate with clients (TSK); Diameter (AAA) to communicate with the AAA server.
Parties: MH, AR, AAAh.
User registration protocol(3/4)
[Figure: MH, AR and AAAh; a local SA (LSA) protected by IPsec between MH and AR; the TSK is held by MH, AR and AAAh.]
Message flow, reconstructed from the slide:
1. AR -> MH (EAP format): local challenge LC, VN_ID.
2. MH -> AR (EAP format): care-of address, user_id, AUTH = HMAC-MD5(LC, user_id, VN_ID, SAmh).
3. AR extracts LC, user_id, AUTH, VN_ID and MH_IPaddr and sends an AAA Registration Request to AAAh with User Name AVP: user_id; Challenge AVP: LC; EAP AVP: AUTH; Care-of IP: MH_IPaddr.
4. AAAh checks AUTH == HMAC-MD5(LC, user_id, VN_ID, SAmh), then generates HC and Randtsk and computes AUTHNET = HMAC-MD5(HC, user_id, VN_ID, SAmh) and TSK = 3DES(Randtsk, SAmh). AAAh -> AR: ARA (Randtsk, HC, TSK, VN_ID, user_id, AUTHNET).
5. AR -> MH (EAP format): HC, Randtsk, AUTHNET.
6. MH computes AUTH = HMAC-MD5(HC, user_id, VN_ID, SAmh), checks AUTH == AUTHNET, and derives the TSK from Randtsk and SAmh.
Implementation detail
Extensible Authentication Protocol; AAA Registration Request.
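The six-step exchange above, with both the challenge/response check at AAAh and the AUTHNET check at the MH, plus the AR binding the care-of address to the resulting TSK so that IP source address filtering (earlier in the deck) only passes registered hosts. This is an added example, not the presentation's or any project's code. Assumptions: the HMAC-MD5 inputs are joined with a separator (the slides do not state the encoding); the TSK step replaces 3DES(Randtsk, SAmh) with an HMAC-SHA256 stand-in because the Python standard library has no 3DES, the point being only that MH and AAAh compute the same function; EAP and Diameter framing are modelled as plain dictionaries; user ids, VN_ID, addresses and keys are constructed.

```python
import hmac
import hashlib
import os


def mac_md5(key, *fields):
    """HMAC-MD5 over the listed fields, keyed by SAmh, as the slides write
    HMAC-MD5(LC, user_id, VN_ID, SAmh). Separator encoding is an assumption."""
    msg = b"|".join(f.encode() if isinstance(f, str) else f for f in fields)
    return hmac.new(key, msg, hashlib.md5).digest()


def derive_tsk(randtsk, samh):
    """Stand-in for TSK = 3DES(Randtsk, SAmh): a deterministic function of
    Randtsk under SAmh that both ends can compute (assumption of this example)."""
    return hmac.new(samh, randtsk, hashlib.sha256).digest()[:24]


class MobileHost:
    def __init__(self, user_id, samh):
        self.user_id, self.samh, self.tsk = user_id, samh, None

    def answer_challenge(self, lc, vn_id, care_of_addr):
        # Step 2: prove knowledge of SAmh over the AR's challenge.
        auth = mac_md5(self.samh, lc, self.user_id, vn_id)
        return {"care_of": care_of_addr, "user_id": self.user_id, "auth": auth}

    def finish(self, hc, randtsk, authnet, vn_id):
        # Step 6: authenticate the network, then derive the TSK locally.
        expected = mac_md5(self.samh, hc, self.user_id, vn_id)
        if not hmac.compare_digest(authnet, expected):
            return False
        self.tsk = derive_tsk(randtsk, self.samh)
        return True


class HomeAAA:
    def __init__(self, users):
        self.users = users  # user_id -> SAmh (long-term key shared with the MH)

    def registration_request(self, avps):
        # Step 4: verify AUTH, then build the ARA with HC, Randtsk, AUTHNET, TSK.
        samh = self.users.get(avps["user_id"])
        if samh is None:
            return None
        expected = mac_md5(samh, avps["lc"], avps["user_id"], avps["vn_id"])
        if not hmac.compare_digest(avps["auth"], expected):
            return None
        hc, randtsk = os.urandom(16), os.urandom(8)
        authnet = mac_md5(samh, hc, avps["user_id"], avps["vn_id"])
        return {"randtsk": randtsk, "hc": hc, "tsk": derive_tsk(randtsk, samh),
                "vn_id": avps["vn_id"], "user_id": avps["user_id"], "authnet": authnet}


class AccessRouter:
    def __init__(self, vn_id, aaah):
        self.vn_id, self.aaah = vn_id, aaah
        self.bindings = {}  # care-of IP -> (user_id, TSK): basis for source filtering

    def register(self, mh, care_of_addr):
        lc = os.urandom(16)                                   # step 1
        resp = mh.answer_challenge(lc, self.vn_id, care_of_addr)  # step 2
        ara = self.aaah.registration_request({                # step 3
            "user_id": resp["user_id"], "auth": resp["auth"], "lc": lc,
            "vn_id": self.vn_id, "care_of": care_of_addr})
        if ara is None:
            return False
        if not mh.finish(ara["hc"], ara["randtsk"], ara["authnet"], self.vn_id):  # steps 5-6
            return False
        self.bindings[care_of_addr] = (ara["user_id"], ara["tsk"])
        return True

    def filter(self, src_ip):
        """IP source address filtering: pass only registered care-of addresses."""
        return "pass" if src_ip in self.bindings else "drop"


SAMH_ALICE = b"constructed-long-term-key-shared-with-AAAh"


def run_demo():
    aaah = HomeAAA({"alice@home.example": SAMH_ALICE})
    ar = AccessRouter("VN-42", aaah)
    alice = MobileHost("alice@home.example", SAMH_ALICE)
    ok = ar.register(alice, "2001:db8:1::10")
    # An MH presenting alice's user_id without her SAmh fails at step 4.
    stranger = MobileHost("alice@home.example", b"some-other-key")
    bad = ar.register(stranger, "2001:db8:1::66")
    return {"registered": ok,
            "tsk_match": alice.tsk == ar.bindings["2001:db8:1::10"][1],
            "filter_good": ar.filter("2001:db8:1::10"),
            "filter_unknown": ar.filter("2001:db8:1::66"),
            "bad_key_registered": bad}


if __name__ == "__main__":
    print(run_demo())
```

Note that the AR never learns SAmh: it receives the TSK from AAAh in the ARA while the MH derives the same TSK itself, which is what lets the MH and AR set up the local SA without a PKI on the access router.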
Comment(1/2)
                    IKE                        MAP
Abbreviation        IKE                        MAP
Full name           Internet Key Exchange      Mobile Authentication Protocol
Technique           Two phase                  Temporary shared key
Number of messages  6+3=9                      3
Other               PKI+IKE                    IPsec+IPv6+Smart card
Comment(2/2)
                    PKI                        MAP
Abbreviation        PKI                        MAP
Full name           Public Key Infrastructure  Mobile Authentication Protocol
Security            low                        high
Key                 key must not be lost       key refreshed periodically
Deployment          hard                       easy
Cost                high                       low
Key theft           easy                       not easy
So MAP will be the trend of the future. What do you think?
Thank you for your attention. Q&A