引用本文: |
-
宋晨,王利明,徐震,李宏佳.面向软件定义卫星网络的协同接入认证机制[J].信息安全学报,2023,8(2):111-126 [点击复制]
- SONG Chen,WANG Liming,XU Zhen,LI Hongjia.A Synergetic Authentication Scheme for Software Defined Satellite Network[J].Journal of Cyber Security,2023,8(2):111-126 [点击复制]
|
|
摘要: |
接入认证是保障卫星网络安全的重要基础技术之一,一直为传统卫星网络安全领域的研究热点,但在新兴的软件定义卫星网络中的相关研究尚处于“襁褓”阶段。本文面向软件定义卫星网络提出了一种协同接入认证机制,其目标为:将安全技术和软件定义技术有机融合,在保证基本安全接入认证功能基础上,抵御卫星网络接入认证拒绝服攻击,规避由于切换认证中断导致的服务访问质量问题。协同接入认证机制设计中的主要贡献主要包括:协同接入认证模型和空间拓扑动态变化高容忍的接入认证协议两部分。其中,为了抵御接入认证拒绝服务攻击,协同接入认证模型设计为以地面合法端用户设备身份作为序参量,协同软件定义卫星网络管理面、控制面与转发面,仅上报注册的合法端用户设备的接入认证请求,减少接入认证暴露的攻击面;为了提升服务访问的连续性,空间拓扑动态变化高容忍的接入认证协议则基于椭圆曲线无证书算法,通过主动更新预接入和接入认证阶段的控制面转发控制参数,使合法端用户设备的服务访问对切换无感知,降低重认证次数。通过安全性分析,本文证明了所提出的接入认证机制不仅能够满足安全性需求,并且与典型认证方法相比,在抵御接入认证抗拒绝服务攻击和保障访问连续性等方面具有优势;进一步,通过数值仿真,验证了所提接入认证机制不仅可有效降低重认证次数,并且可达到毫秒级的认证算法计算效率。 |
关键词: 软件定义卫星网络 接入认证 椭圆曲线 无证书 |
DOI:10.19363/J.cnki.cn10-1380/tn.2023.03.09 |
投稿时间:2020-02-14修订日期:2020-06-12 |
基金项目:本课题得到中科院重点部署项目(No.ZDRW-KT-2016-02)课题“天基信息安全共享与服务机制研究”、国家重点研发计划项目(No.2017YFB1010004)的资助。 |
|
A Synergetic Authentication Scheme for Software Defined Satellite Network |
SONG Chen1,2, WANG Liming1, XU Zhen1, LI Hongjia1
|
(1.Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China;2.School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049, China) |
Abstract: |
The access authentication is one of key techniques to guarantee the security of satellite networks. The researches on access authentication for classical satellite networks have thus gained great momentum over the past few decades, while the researches on access authentication for the promising Software-Defined Satellite Network (SDSN) are still in its infancy. In this paper, we propose a synergetic authentication scheme for the SDSN, including a synergetic authentication model and an access authentication protocol with highly tolerant capability for topological dynamics in SDSN. Merging security technique and Software-Defined technique together can not only endorse the access authentication for SDSN, but also inherently resist to the DoS attacks in the process of access authentication in SDSN. Moreover, this scheme helps avoiding service access interruption which is caused by handover among different satellites. In the synergetic authentication model, to reduce the attack surface of the access authentication service, the identity of each legitimate Satellite Terminal (ST) is used as the order parameter; based on this parameter and the coordination of the management plane, the control plane and the data plane of SDSN, we filter and only forward the legitimate STs’ access authentication requests to the access authentication service. In the access authentication protocol, certificateless public key cryptography based on elliptical curve cryptography (ECC) is adopted; and, to improve the service continuity of STs during handover, we proactively update the forwarding-and-control parameter to reduce the handover latency and the interruption time of STs’ ongoing services. By using the security analysis, we prove that proposed scheme can meet the basic security requirements of access authentication, thwart the access authentication DoS attacks and improve the service continuity of handover STs. Moreover, through numerically simulations, we demonstrate that the proposed scheme can effectively reduce the number of re-authentications, and the computation of the access authentication can be achieved within milliseconds. |
Key words: software defined satellite network access authentication elliptical curve certificateless |