CN105119832A - MIPv6 security mobility management system based on identification cryptology and mobility authentication method - Google Patents
Publication number: CN105119832A (CN201510633364.8A)
Authority: CN (China)
Prior art keywords: message, pkg server, mipv6, pkg, server
Legal status: Granted
Abstract
The invention provides an MIPv6 secure mobility management system based on identity-based cryptography and a mobility authentication method. The system comprises a CA, PKG servers, an MN, an HA and a CN. The method comprises the following steps: the CA issues and manages certificates for the PKG server in each MIPv6 autonomous domain; the PKG server in each MIPv6 autonomous domain generates the system public parameters; the PKG server detects the state of the MN in real time and, if the MN is in the initial state, performs security management within the MIPv6 autonomous domain, or, if the MN is in the mobile state, performs secure mobile registration and the secure return routability procedure; the shared key obtained through negotiation is applied to the IPSec protocol, establishing a trusted channel that protects data transmission between the two parties. The invention combines an identity-based encryption scheme and signature scheme with the RR protocol and the IPSec protocol and verifies the identity of the MN during key negotiation, so that the security scheme can be applied more widely in mobile environments, and a trusted channel is established by applying the negotiated shared key to the IPSec protocol.
Description
Technical field
The invention belongs to the technical field of network security, and in particular relates to an MIPv6 secure mobility management system based on identity-based cryptography and a mobility authentication method.
Background
With the continuing refinement and development of the IPv6 protocol, the Mobile IPv6 protocol has also attracted growing attention. Mobile IPv6 (MIPv6) is the protocol that provides mobility support for IPv6; it was standardized by the IETF (Internet Engineering Task Force) in June 2004. The importance of protocol security was fully recognized from the start of the design of MIPv6. The main security threats that MIPv6 faces come from the following aspects:
(1) Threats related to binding update messages. By forging binding update messages and similar means, an attacker impersonates the victim mobile node (Mobile Node, MN) and sends a false care-of address (Care-of Address, CoA), or claims to own the home address (Home Address, HoA) of the victim MN, and thereby mounts a man-in-the-middle attack.
(2) Replay attacks. The communicating entities in Mobile IPv6 do not authenticate each other, so an attacker can resend binding update messages that the victim sent earlier and mislead normal communication.
(3) Threats to route optimization. To avoid the triangle routing that arises in Mobile IPv4 (MIPv4), Mobile IPv6 uses a route optimization mechanism, and therefore defines new IPv6 extension headers such as the home address option and the routing header. By forging a home address option, an attacker can launch a reflection attack against a third party; by forging a routing header, an attacker can give a third party the ability to obtain packets belonging to the mobile node. The conclusion is that the threats to MIPv6 come mainly from message transmission, and in particular from the lack of an effective means of authentication between communicating entities while binding update messages are transmitted.
The document "Security in Mobile IPv6: A survey" points out that MIPv6 uses the IPSec (IP Security) and IKE (Internet Key Exchange) protocols to protect the mobility management signaling between the MN and the HA (Home Agent), and the RR (Return Routability) protocol to protect the mobility management signaling between the MN and the CN (Correspondent Node). This approach has serious defects, however. The document "Designing the Mobile IPv6 security protocol" points out that the first phase of IKE negotiation, which relies on pre-shared keys or certificates, is not suited to wide use in mobile environments: on the one hand, building an infrastructure that fully supports IKE is unrealistic; on the other hand, IKE-based IPSec can exceed the capacity of many mobile terminals. The RR protocol, for its part, is unsatisfactory in both protocol security and quality of service (QoS). "Security in Mobile IPv6: A survey" points out that RR cannot provide real identity authentication, and explains in detail potential threats in RR such as an attacker using eavesdropping and forgery to deceive the CN with false binding update messages. In response, many researchers have proposed improvements. The document "Mobile multi-layered IPsec" proposes using a multi-layered IPSec protocol to protect mobility management in MIPv6; the document "An optimized scheme for establishing an IPSec SA between MN and HA in Mobile IPv6" proposes that the MN establish in advance, while in its home network, the security association that protects traffic between the MN and the HA. These are only modifications of IPSec and IKE, however, and do not really eliminate the problems of the IKE protocol.
Summary of the invention
To address the problems of the prior art, the invention provides an MIPv6 secure mobility management system based on identity-based cryptography and a mobility authentication method.
The technical solution of the invention is as follows:
An MIPv6 secure mobility management system based on identity-based cryptography, comprising:
CA: acts as the certification authority, issuing and managing certificates for the PKG servers and securing cross-domain communication between PKG servers;
PKG server: generates the system public parameters, issues private keys to the entities in its MIPv6 autonomous domain, detects in real time the state of the MN in the MIPv6 autonomous domain, negotiates a shared key for the MN and the HA within the MIPv6 autonomous domain using the identity-based cryptographic scheme, and, when the MN moves, proves to the foreign-domain PKG server that the identity claimed by the MN is its actual identity;
MN: the mobile node entity of the MIPv6 protocol; when the MN moves, it performs secure registration with the foreign-domain PKG server;
HA: the home agent entity of the MIPv6 protocol; when the MN moves and performs secure registration with the foreign-domain PKG server, the HA forwards to the home-domain PKG server the identity-proof push message sent by the MN, and forwards to the MN the system parameters and the MN's private key that the foreign-domain PKG server sent to the home-domain PKG server;
CN: the correspondent node entity of the MIPv6 protocol; it keeps communicating with the MN while the MN moves and, after the MN has moved, exchanges mobility messages with the MN.
The method of performing MIPv6 secure mobility authentication with the above MIPv6 secure mobility management system based on identity-based cryptography comprises the following steps:
Step 1: The CA issues and manages certificates for the PKG server in each MIPv6 autonomous domain;
Step 2: The PKG server in each MIPv6 autonomous domain generates the system public parameters: cyclic group $G_1$ and cyclic group $G_2$, bilinear pairing $e$, base point $P$ on cyclic group $G_1$, the private key and public key of the PKG server, and one-way hash functions $H_1$, $H_2$ and $H_3$;
Step 3: The PKG server in each MIPv6 autonomous domain detects the state of the MN in real time; if the MN is in the initial state, go to step 4; if the MN is in the mobile state, go to step 5;
The initial state is the state in which the MN accesses the PKG server of its home domain;
The mobile state is the state in which the MN has moved and accesses a foreign-domain PKG server;
Step 4: Security management within the MIPv6 autonomous domain: the identity-based cryptographic scheme negotiates a shared key for the MN and the HA; if the MN moves, go to step 5, otherwise go to step 7;
Step 5: Secure mobile registration: the MN performs secure registration with the foreign-domain PKG server;
Step 6: Secure return routability: the identity-based cryptographic scheme performs shared key negotiation between the MN and the CN;
Step 7: The negotiated shared key is applied to the IPSec protocol, establishing a trusted channel between the two parties to protect data transmission;
The IPSec protocol is the protocol in MIPv6 that protects the security of the mobility management signaling between the MN and the HA.
Step 5 specifically comprises the following steps:
Step 5.1: The MN sends a Care-ofIDPush push message to the foreign-domain PKG server;
The Care-ofIDPush push message is the identity push message generated by the MN and sent to the foreign-domain PKG server;
Step 5.2: The MN sends a HomeIDPush push message to the HA;
The HomeIDPush push message is the push message sent by the MN to ask its home agent HA to prove the MN's identity to the foreign-domain PKG server;
Step 5.3: The HA forwards the HomeIDPush push message to the home-domain PKG server;
Step 5.4: The home-domain PKG server sends the HomeIDPush push message to the foreign-domain PKG server, proving that the identity claimed by the MN is its actual identity;
Step 5.5: The foreign-domain PKG server sends a ParamsPush push message to the home-domain PKG server; its content is the system parameters of the foreign-domain PKG server and the private key of the MN;
Step 5.6: The home-domain PKG server sends the ParamsPush push message to the HA;
Step 5.7: The HA sends the ParamsPush push message to the MN, completing the MN's registration with the foreign-domain PKG server.
Step 6 specifically comprises the following steps:
Step 6.1: The MN sends a ParamsRequest request message to the foreign-domain PKG server; the request is for the system parameters of the PKG server of the CN's domain;
The ParamsRequest message is the message by which the MN requests the system parameters of the PKG server of the CN's domain; it is sent by the MN to the foreign-domain PKG server and forwarded by the foreign-domain PKG server to the MN's home-domain PKG server;
Step 6.2: The foreign-domain PKG server forwards the ParamsRequest request message to the PKG server of the CN's domain;
Step 6.3: The PKG server of the CN's domain sends a ParamsReply response message to the foreign-domain PKG server;
The ParamsReply response message is generated by the PKG server of the CN's domain, sent to the foreign-domain PKG server and finally delivered to the MN; its payload comprises the system parameters of the PKG server of the CN's domain and the private key of the MN;
Step 6.4: The foreign-domain PKG server forwards the ParamsReply response message to the MN;
Step 6.5: The MN sends the first message of the RR protocol, the CoTI message, to the CN; its payload is the MN's shared key negotiation request;
The RR protocol is the protocol in MIPv6 that protects the security of the mobility management signaling between the MN and the CN;
Step 6.6: The MN sends the second message of the RR protocol, the HoTI message, to the HA; its payload is the MN's home proof request;
Step 6.7: The HA sends the third message of the RR protocol, the CoT message, to the CN; its payload is the HA's home proof for the MN;
Step 6.8: The CN sends the fourth message of the RR protocol, the HoT message, to the MN; its payload is the CN's shared key negotiation message.
Beneficial effects:
The invention combines an identity-based encryption scheme and signature scheme with the RR protocol and the IPSec protocol and applies them to the mobility management process of the MIPv6 protocol. The identity of the MN is verified during key negotiation without using a mechanism based on shared keys or on certificates, so the security scheme can be applied more widely in mobile environments; the negotiated shared key is finally applied to the IPSec protocol to establish a trusted channel.
Brief description of the drawings
Fig. 1 is the architecture diagram of the MIPv6 secure mobility management system of the specific embodiment of the invention;
Fig. 2 is the sequence diagram of the intra-domain security management procedure of the specific embodiment of the invention;
Fig. 3 is the sequence diagram of the secure mobile registration procedure of the specific embodiment of the invention;
Fig. 4 is the sequence diagram of the secure return routability procedure of the specific embodiment of the invention;
Fig. 5 is the flow chart of the MIPv6 secure mobility authentication method of the specific embodiment of the invention.
Embodiment
The specific embodiment of the invention is described in detail below with reference to the drawings.
This embodiment uses an identity-based signature mechanism to authenticate both communicating parties and uses identity-based encryption and signature mechanisms to negotiate a shared key; in doing so it borrows the idea of the RR protocol and introduces the HA's proof of the MN's identity. The negotiated shared key is finally applied to the IPSec protocol to establish a trusted channel.
An MIPv6 secure mobility management system based on identity-based cryptography is shown in Fig. 1. The whole system is logically divided into several autonomous domains, and the entities in the system comprise:
CA: acts as the certification authority, issuing and managing certificates for the PKG servers and securing cross-domain communication between PKG servers;
PKG server: generates the system public parameters, issues private keys to the entities in its MIPv6 autonomous domain, detects in real time the state of the MN in the MIPv6 autonomous domain, negotiates a shared key for the MN and the HA within the MIPv6 autonomous domain using the identity-based cryptographic scheme, and, when the MN moves, proves to the foreign-domain PKG server that the identity claimed by the MN is its actual identity;
MN: the mobile node entity of the MIPv6 protocol; when the MN moves, it performs secure registration with the foreign-domain PKG server;
HA: the home agent entity of the MIPv6 protocol; when the MN moves and performs secure registration with the foreign-domain PKG server, the HA forwards to the home-domain PKG server the identity-proof push message sent by the MN, and forwards to the MN the system parameters and the MN's private key that the foreign-domain PKG server sent to the home-domain PKG server;
CN: the correspondent node entity of the MIPv6 protocol; it keeps communicating with the MN while the MN moves and, after the MN has moved, exchanges mobility messages with the MN.
The whole system is divided into four domains: one CA domain and three different MIPv6 autonomous domains. The CA acts as the certification authority that issues and manages certificates for the PKG servers; in the three MIPv6 autonomous domains (Autonomous System, AS) AS0, AS1 and AS2, the PKG servers PKG0, PKG1 and PKG2 are respectively responsible for security within their domains.
For convenience in the following description, the notation and explanations shown in Table 1 are used.
Table 1: Notation and explanation
The method of performing MIPv6 secure mobility authentication with the MIPv6 secure mobility management system based on identity-based cryptography, as shown in Fig. 5, comprises the following steps:
Step 1: The CA issues and manages certificates for the PKG server in each MIPv6 autonomous domain;
Step 2: The PKG server in each MIPv6 autonomous domain generates the system public parameters: cyclic group $G_1$ and cyclic group $G_2$, bilinear pairing $e$, base point $P$ on cyclic group $G_1$, the private key and public key of the PKG server, and one-way hash functions $H_1$, $H_2$ and $H_3$;
Generate a random prime $q$, and choose two groups $G_1$, $G_2$ of order $q$ and a bilinear map $e: G_1 \times G_1 \to G_2$. Select a random number $s$ and set $P_{pub} = sP$. Choose hash function
this hash function $H_1$ maps a bit string onto the group $G_1$; hash function $H_2: G_2 \to \{0,1\}^n$ maps an element of the group $G_2$ to a bit string of length $n$, where $n$ is the prescribed length of the plaintext/ciphertext space, plaintext space $M = \{0,1\}^n$, ciphertext space
With the above steps, the whole IBE (Identity Based Encryption) system has generated the system public parameters $Params = \{q, G_1, G_2, e, n, P, P_{pub}, H_1, H_2\}$; the master key of the PKG server is
Step 3: The PKG server in each MIPv6 autonomous domain detects the state of the MN in real time; if the MN is in the initial state, go to step 4; if the MN is in the mobile state, go to step 5;
The initial state is the state in which the MN accesses the PKG server of its home domain;
The mobile state is the state in which the MN has moved and accesses a foreign-domain PKG server;
Step 4: Security management within the MIPv6 autonomous domain: the identity-based cryptographic scheme negotiates a shared key for the MN and the HA; if the MN moves, go to step 5, otherwise go to step 7;
The detailed flow is shown in Fig. 2:
Step 4.1: The MN sends a key agreement request message to the HA;
MN->HA: KeyExchangeRequest
Message format: Code || MN || HA || $Enc(Sig(g^{mn})\,S_{mn-0})\,ID_{HA}$ || Time.
The KeyExchangeRequest message is generated by the MN and sent to the HA. Its payload is the Diffie-Hellman key exchange parameter $g^{mn}$, where $g$ is the system parameter $q$ of the domain and $mn$ is a secret value held by the mobile node MN.
Step 4.2: The HA sends a key agreement response message to the MN;
HA->MN: KeyExchangeReply
Message format: Code || MN || HA || $Enc(Sig(g^{ha})\,S_{ha-0})\,ID_{MN}$ || Time.
The KeyExchangeReply message is the HA's response to the Request from the MN. Its payload is the Diffie-Hellman key exchange parameter $g^{ha}$ held by the HA.
Step 5: Secure mobile registration: the MN performs secure registration with the foreign-domain PKG server PKG2;
The detailed flow is shown in Fig. 3:
Step 5.1: The MN sends a Care-ofIDPush push message to the foreign-domain PKG server PKG2;
The Care-ofIDPush push message is the identity push message generated by the MN and sent to the foreign-domain PKG server PKG2;
Message format: Code || MN || PKG2 || ($ID_{MN}$, CoA) || Time.
The Care-ofIDPush message is the identity push message generated by the MN and sent to PKG2. The message type indicated by the Code field shows that the pushed Payload is the node's public key and its care-of address, i.e. $ID_{MN}$ and CoA; through this message the mobile node MN requests the system parameters of PKG2 and the private key that PKG2 generates for the MN.
Step 5.2: The MN sends a HomeIDPush push message to the HA;
The HomeIDPush push message is the push message sent by the MN to ask its home agent HA to prove the MN's identity to the foreign-domain PKG server;
MN->HA: HomeIDPush
Message format: Code || MN || PKG2 || $Enc(ID_{MN}, CoA)\,SK_{mn-ha}$ || Time.
The HomeIDPush message borrows the idea of the HoTI message of the RR protocol. It is sent by the MN to its home agent HA and asks the HA to prove the MN's identity to PKG2; the actual payload content is the MN's identity public key $ID_{MN}$ and its current care-of address CoA.
Step 5.3: The HA forwards the HomeIDPush push message to the home-domain PKG server PKG0;
HA->PKG0: HomeIDPush
Message format: Code || MN || PKG2 || $Enc(ID_{MN}, CoA)\,ID_{HA}$ || Time.
This HomeIDPush message is sent by the HA to PKG0 in the home domain and asks PKG0 to forward the HA's proof of the MN's identity to PKG2; the actual payload data is the binding of the MN's identity public key $ID_{MN}$ and the MN's current care-of address CoA.
Step 5.4: The home-domain PKG server PKG0 sends the HomeIDPush push message to the foreign-domain PKG server PKG2, proving that the identity claimed by the MN is its actual identity;
PKG0->PKG2: HomeIDPush
Message format: Code || MN || PKG2 || {$ID_{MN}$, CoA} || Time.
This HomeIDPush message is sent by PKG0 to PKG2 and forwards the MN's identity request; its payload is the proof of the MN's identity. The CA server has issued certificates to the different PKG servers in advance, and security between PKG servers is guaranteed by the CA server.
Step 5.5: The foreign-domain PKG server PKG2 sends a ParamsPush push message to the home-domain PKG server PKG0; its content is the system parameters Params of the foreign-domain PKG server PKG2 and the private key of the MN;
PKG2->PKG0: ParamsPush
Message format: Code || PKG2 || MN || {Params-2, $S_{mn-2}$} || Time.
ParamsPush is the parameter push message that PKG2 sends after verifying the MN's identity. The Source of this message is PKG2 and the Destination is the MN; the Payload contains the system parameters Params-2 of PKG2 and the private key $S_{mn-2}$ that PKG2 generates for the MN. This payload must be signed and encrypted by the security system between the PKGs to guarantee its security.
Step 5.6: The home-domain PKG server PKG0 sends the ParamsPush push message to the HA;
PKG0->HA: ParamsPush
Message format: Code || PKG2 || MN || $Enc(\text{Params-2}, S_{mn-2})\,ID_{HA}$ || Time.
This ParamsPush message is a forwarding of the step 4.5 message; its payload is the system parameters Params-2 of PKG2 and the MN's private key $S_{mn-2}$.
Step 5.7: The HA sends the ParamsPush push message to the MN, completing the MN's registration with the foreign-domain PKG server PKG2.
HA->MN: ParamsPush
Message format: Code || PKG2 || MN || $Enc(\text{Params-2}, S_{mn-2})\,SK_{mn-ha}$ || Time
This ParamsPush message is sent by the HA to the MN and is in essence a forwarding of the step 5.5 message; the actual content of the Payload is the system parameters Params-2 of PKG2 and the private key $S_{mn-2}$ that PKG2 generated from the MN's identity public key $ID_{MN}$.
Step 6: Secure return routability: the identity-based cryptographic scheme performs shared key negotiation between the MN and the CN;
The detailed flow is shown in Fig. 4:
Step 6.1: The MN sends a ParamsRequest request message to the foreign-domain PKG server PKG2; the request is for the system parameters of PKG1, the PKG server of the CN's domain;
The ParamsRequest message is the message by which the MN requests the system parameters of PKG1, the PKG server of the CN's domain; it is sent by the MN to the foreign-domain PKG server PKG2 and forwarded by PKG2 to the MN's home-domain PKG server PKG0;
MN->PKG2: ParamsRequest
Message format: Code || MN || PKG1 || $Sig(ID_{MN})\,S_{mn-2}$ || Time.
The ParamsRequest message is generated by the MN and sent to PKG2. It requests the system parameters of PKG1 from PKG1, the manager of the domain AS1 in which the CN resides. The payload is the MN's identity public key $ID_{MN}$, indicating that the MN asks PKG2 to generate the private key corresponding to the MN's identity public key; the payload must be signed with $S_{mn-2}$, the private key that PKG2 generated for the MN, to prevent other nodes from impersonating the MN when making the request.
Step 6.2: The foreign-domain PKG server PKG2 forwards the ParamsRequest request message to PKG1, the PKG server of the CN's domain;
PKG2->PKG1: ParamsRequest
Message format: Code || MN || PKG1 || {$ID_{MN}$} || Time.
This ParamsRequest message is sent to PKG2 by PKG2 and is in essence a forwarding of the step 6.1 message; its payload is the MN's identity public key $ID_{MN}$.
Step 6.3: PKG1, the PKG server of the CN's domain, sends a ParamsReply response message to the foreign-domain PKG server PKG2;
The ParamsReply response message is generated by PKG1, the PKG server of the CN's domain, sent to the foreign-domain PKG server PKG2 and finally delivered to the MN; its payload comprises the system parameters of PKG1 and the private key of the MN;
PKG1->PKG2: ParamsReply
Message format: Code || PKG1 || MN || {Params-1, $S_{mn-1}$} || Time.
The ParamsReply message is generated by PKG1, sent to PKG2 and finally delivered to the MN; its payload is the system parameters Params-1 of PKG1 and the private key $S_{mn-1}$ that PKG1 generates for the MN.
Step 6.4: The foreign-domain PKG server PKG2 forwards the ParamsReply response message to the MN;
PKG2->MN: ParamsReply
Message format: Code || PKG1 || MN || $Enc(\text{Params-1}, S_{mn-1})\,ID_{MN}$ || Time.
This ParamsReply message is sent by PKG2 to the MN and is in essence a forwarding of the step 6.3 message; its payload is the system parameters Params-1 of PKG1 and the private key $S_{mn-1}$ that PKG1 generates for the MN.
Step 6.5: The MN sends the first message of the RR protocol, the CoTI message, to the CN; its payload is the MN's shared key negotiation request;
The RR protocol is the protocol in MIPv6 that protects the security of the mobility management signaling between the MN and the CN;
MN->CN: CoTI(KeyExchange)
Message format: Code || MN || CN || $Enc(Sig(g^{mn}, ID_{MN}, CoA)\,S_{mn-1})\,ID_{CN}$ || Time.
The CoTI (KeyExchange) message reflects this embodiment's integration with the RR protocol: the KeyExchange is carried in the CoTI message of the RR protocol. The payload consists of three parts: the Diffie-Hellman key agreement parameter $g^{mn}$, the MN's identity public key $ID_{MN}$ and the MN's current care-of address CoA, where $g$ is the prime $q$, one of the system parameters of PKG1, and $mn$ is a secret value held by the MN.
Step 6.6: The MN sends the second message of the RR protocol, the HoTI message, to the HA; its payload is the MN's home proof request;
MN->HA: HoTI(HomeVerifyRequest)
Message format: Code || MN || CN || $Enc(ID_{MN}, CoA)\,SK_{mn-ha}$ || Time.
The HoTI (HomeVerifyRequest) message is the second message, HoTI, of the RR protocol. Its payload is the binding of the MN's identity public key $ID_{MN}$ and the MN's care-of address CoA.
Step 6.7: The HA sends the third message of the RR protocol, the CoT message, to the CN; its payload is the HA's home proof for the MN;
HA->CN: CoT(HomeVerify)
Message format: Code || MN || CN || ($ID_{MN}$, CoA) || Time.
The CoT (HomeVerify) message is the third message, CoT, of the RR protocol; its purpose is to provide a home proof of the MN's identity. Its payload is the binding of the MN's identity public key $ID_{MN}$ and the MN's care-of address CoA.
Step 6.8: The CN sends the fourth message of the RR protocol, the HoT message, to the MN; its payload is the CN's shared key negotiation message.
CN->MN: HoT(KeyExchange)
Message format: Code || CN || MN || $Enc(Sig(g^{cn})\,S_{cn-1})\,ID_{MN}$ || Time.
The HoT (KeyExchange) message is the last message, HoT, of the RR protocol. Its payload is the CN's Diffie-Hellman key agreement parameter $g^{cn}$, where $g$ is the prime $q$, one of the system parameters of PKG1, and $cn$ is the Diffie-Hellman secret value held by the CN.
Step 7: The negotiated shared key is applied to the IPSec protocol, establishing a trusted channel between the two parties to protect data transmission;
The IPSec protocol is the protocol in MIPv6 that protects the security of the mobility management signaling between the MN and the HA.
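The KeyExchangeRequest/KeyExchangeReply exchange of steps 4.1 and 4.2 (the CoTI and HoT KeyExchange messages of steps 6.5 and 6.8 carry the same kind of signed Diffie-Hellman value), as an added example that is not part of the patent text. Assumptions: a Schnorr signature over a toy-sized group stands in for the identity-based signature, the identity-based encryption layer is omitted, and the `directory` lookup, the `MAX_SKEW` window and the replay cache are hypothetical; the signature here also covers Code, source, destination and Time, whereas the message format on the page shows Sig over the Diffie-Hellman value only.

```python
import hashlib
import secrets

def is_prime(n):
    """Deterministic Miller-Rabin; these bases are sufficient for n < 2**64."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2 or any(n % b == 0 for b in bases):
        return n in bases
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def toy_group(start=1 << 61):
    """First safe prime p = 2q + 1 with q >= start; g = 4 then has order q."""
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4

P, Q, G = toy_group()  # toy-sized group: shows the message logic, not a secure size
MAX_SKEW = 30          # assumed tolerance, in seconds, for the Time field

def digest_int(*fields):
    data = "|".join(str(f) for f in fields).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)  # (signing key, verification key)

def sign(x, fields):
    k = secrets.randbelow(Q - 1) + 1
    e = digest_int(pow(G, k, P), *fields) % Q
    return e, (k + e * x) % Q

def verify(y, sig, fields):
    e, s = sig
    r = pow(G, s, P) * pow(y, Q - e, P) % P  # g^s * y^(-e) recovers g^k
    return e == digest_int(r, *fields) % Q

def signed_fields(m):
    return (m["code"], m["src"], m["dst"], m["dh"], m["time"])

def key_exchange_msg(code, src, dst, sign_key, now):
    """Return (DH secret, message Code||Src||Dst||Sig(g^secret)||Time)."""
    secret = secrets.randbelow(Q - 1) + 1
    msg = {"code": code, "src": src, "dst": dst, "dh": pow(G, secret, P), "time": now}
    msg["sig"] = sign(sign_key, signed_fields(msg))
    return secret, msg

def accept(msg, me, directory, my_secret, now, seen):
    """Validate a KeyExchange message; return the 32-byte key for IPsec use."""
    if msg["dst"] != me:
        raise ValueError("wrong destination")
    if abs(now - msg["time"]) > MAX_SKEW:
        raise ValueError("stale Time field")
    if not verify(directory[msg["src"]], msg["sig"], signed_fields(msg)):
        raise ValueError("signature check failed")
    if msg["sig"] in seen:
        raise ValueError("replayed message")
    if not 1 < msg["dh"] < P or pow(msg["dh"], Q, P) != 1:
        raise ValueError("DH value outside the group")
    seen.add(msg["sig"])
    shared = pow(msg["dh"], my_secret, P)
    return hashlib.sha256(str(shared).encode()).digest()

def demo():
    (mn_sk, mn_vk), (ha_sk, ha_vk) = keygen(), keygen()
    directory = {"MN": mn_vk, "HA": ha_vk}  # stand-in for identity-derived keys
    t0 = 1_700_000_000                      # constructed timestamp
    mn_secret, req = key_exchange_msg("KeyExchangeRequest", "MN", "HA", mn_sk, t0)
    ha_secret, rep = key_exchange_msg("KeyExchangeReply", "HA", "MN", ha_sk, t0 + 1)
    ha_seen = set()
    key_ha = accept(req, "HA", directory, ha_secret, t0 + 1, ha_seen)
    key_mn = accept(rep, "MN", directory, mn_secret, t0 + 2, set())
    def outcome(m, now, seen):
        try:
            accept(m, "HA", directory, ha_secret, now, seen)
            return "accepted"
        except ValueError as exc:
            return str(exc)
    return {
        "keys_match": key_ha == key_mn,
        "swapped_dh": outcome(dict(req, dh=pow(G, 12345, P)), t0 + 1, set()),
        "replay_in_window": outcome(req, t0 + 2, ha_seen),
        "replay_later": outcome(req, t0 + 3600, set()),
        "rewritten_time": outcome(dict(req, time=t0 + 3600), t0 + 3600, set()),
    }
```

Calling `demo()` returns the outcome of the honest exchange and of four tampered or replayed deliveries of the request.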
Claims (4)
1. a MIPv6 safety moving management system for ID-based cryptosystem, is characterized in that, comprising:
CA: be that PKG server is issued and manages certificate as authentication center, for the cross-domain communication between PKG server provides safety assurance;
PKG server: generation system common parameter, to issue private key for the entity in MIPv6 Autonomous Domain, detect state in MIPv6 Autonomous Domain residing for MN in real time, outside region PKG server proves that MN institute alleged identity is its actual identity when ID-based cryptosystem scheme is MN and HA negotiating about cipher key shared, MN is moved in MIPv6 Autonomous Domain;
Entity mobile node in MN:MIPv6 agreement; When MN is moved, outside region PKG server carries out secure registration;
Entity home agent in HA:MIPv6 agreement; When MN is moved, outside region PKG server carries out secure registration, the PUSH message doing proof of identification that HA sends to territory, local PKG server forwarding MN, and send to the system parameters of territory, local PKG server and the private key of MN to be transmitted to MN outer region PKG server;
Entity communication node in CN:MIPv6 agreement; In the process that MN is moved with keep between MN communicating, after MN is moved, carry out mobile messaging with MN mutual.
2. A method for MIPv6 secure mobility authentication using the MIPv6 secure mobility management system according to claim 1, characterized in that it comprises the following steps:
Step 1: the CA issues and manages certificates for the PKG server in each MIPv6 autonomous domain;
Step 2: the PKG server in each MIPv6 autonomous domain generates the public system parameters: cyclic group $G_1$ and cyclic group $G_2$, a bilinear map $e$, a base point $P$ on the cyclic group $G_1$, the private key and public key of the PKG server, and one-way hash functions $H_1$, $H_2$ and $H_3$;
Step 3: the PKG server in each MIPv6 autonomous domain monitors the state of the MN in real time; if the MN is in the initial state, step 4 is performed; if the MN is in the mobile state, step 5 is performed;
The initial state is the state in which the MN accesses the home-domain PKG server;
The mobile state is the state in which the MN has moved and accesses the foreign-domain PKG server;
Step 4: security management within the MIPv6 autonomous domain: a shared key is negotiated between the MN and the HA using the identity-based cryptography scheme; if the MN moves, step 5 is performed; otherwise, step 7 is performed;
Step 5: secure mobile registration: the MN performs secure registration with the foreign-domain PKG server;
Step 6: secure return routability: a shared key is negotiated between the MN and the CN using the identity-based cryptography scheme;
Step 7: the negotiated shared key is applied in the IPsec protocol to establish a trusted channel between the two parties that protects data transmission;
The IPsec protocol is the protocol in MIPv6 that protects the security of mobility management signaling between the MN and the HA.
3. The MIPv6 secure mobility authentication method according to claim 2, characterized in that step 5 specifically comprises the following steps:
Step 5.1: the MN sends a Care-ofIDPush push message to the foreign-domain PKG server;
The Care-ofIDPush push message is an identity push message generated by the MN and sent to the foreign-domain PKG server;
Step 5.2: the MN sends a HomeIDPush push message to the HA;
The HomeIDPush push message is sent by the MN to ask its home agent entity HA to prove the MN's identity to the foreign-domain PKG server;
Step 5.3: the HA forwards the HomeIDPush push message to the home-domain PKG server;
Step 5.4: the home-domain PKG server sends the HomeIDPush push message to the foreign-domain PKG server, proving that the identity claimed by the MN is its actual identity;
Step 5.5: the foreign-domain PKG server sends a ParamsPush push message to the home-domain PKG server; the message content is the system parameters of the foreign-domain PKG server and the private key of the MN;
Step 5.6: the home-domain PKG server sends the ParamsPush push message to the HA;
Step 5.7: the HA sends the ParamsPush push message to the MN, completing the MN's registration with the foreign-domain PKG server.
4. The MIPv6 secure mobility authentication method according to claim 2, characterized in that step 6 specifically comprises the following steps:
Step 6.1: the MN sends a ParamsRequest request message to the foreign-domain PKG server; the content requested is the system parameters of the PKG server of the CN's domain;
The ParamsRequest message is the request message by which the MN requests the system parameters of the PKG server of the CN's domain; it is sent by the MN to the foreign-domain PKG server and forwarded by the foreign-domain PKG server to the PKG server of the MN's home domain;
Step 6.2: the foreign-domain PKG server forwards the ParamsRequest request message to the PKG server of the CN's domain;
Step 6.3: the PKG server of the CN's domain sends a ParamsReply response message to the foreign-domain PKG server;
The ParamsReply response message is generated by the PKG server of the CN's domain, sent to the foreign-domain PKG server, and finally delivered to the MN; its payload comprises the system parameters of the PKG server of the CN's domain and the private key of the MN;
Step 6.4: the foreign-domain PKG server forwards the ParamsReply response message to the MN;
Step 6.5: the MN sends the first message of the RR protocol, the CoTI message, to the CN; the message payload is the MN's shared-key negotiation request;
The RR protocol is the protocol in MIPv6 that protects the security of mobility management signaling between the MN and the CN;
Step 6.6: the MN sends the second message of the RR protocol, the HoTI message, to the HA; the message payload is the MN's home proof request message;
Step 6.7: the HA sends the third message of the RR protocol, the CoT message, to the CN; the message payload is the HA's home proof for the MN;
Step 6.8: the CN sends the fourth message of the RR protocol, the HoT message, to the MN; the message payload is the CN's shared-key negotiation message.
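The hop order fixed by steps 5.1 to 5.7 and 6.1 to 6.8 can be checked mechanically against a signaling trace, for example to catch a ParamsPush (which carries the MN's private key) released before the home-domain PKG has vouched for the MN. The following Python sketch is an added example, not code from the patent; the labels PKG_F (foreign/outer-region PKG), PKG_H (home-domain PKG) and PKG_C (PKG of the CN's domain), the session ids and the sample trace are assumptions made for illustration.

```python
from collections import defaultdict

# (sender, receiver, message) per step, transcribed from claims 3 and 4.
# PKG_F / PKG_H / PKG_C are shorthand labels assumed for this example.
REGISTRATION = [
    ("MN", "PKG_F", "Care-ofIDPush"),     # 5.1
    ("MN", "HA", "HomeIDPush"),           # 5.2
    ("HA", "PKG_H", "HomeIDPush"),        # 5.3
    ("PKG_H", "PKG_F", "HomeIDPush"),     # 5.4 home PKG vouches for MN
    ("PKG_F", "PKG_H", "ParamsPush"),     # 5.5 carries MN private key
    ("PKG_H", "HA", "ParamsPush"),        # 5.6
    ("HA", "MN", "ParamsPush"),           # 5.7
]
RETURN_ROUTABILITY = [
    ("MN", "PKG_F", "ParamsRequest"),     # 6.1
    ("PKG_F", "PKG_C", "ParamsRequest"),  # 6.2
    ("PKG_C", "PKG_F", "ParamsReply"),    # 6.3
    ("PKG_F", "MN", "ParamsReply"),       # 6.4
    ("MN", "CN", "CoTI"),                 # 6.5
    ("MN", "HA", "HoTI"),                 # 6.6
    ("HA", "CN", "CoT"),                  # 6.7 (direction as the claims assign it)
    ("CN", "MN", "HoT"),                  # 6.8
]

def check_trace(trace, expected):
    """Check (session, src, dst, msg) events against `expected`, per session.

    Returns (violations, incomplete): each violation is
    (event number, session, observed hop, hop that was expected or None),
    and `incomplete` lists sessions that never reached the last step.
    """
    progress = defaultdict(int)           # session -> index of next expected hop
    violations = []
    for number, (session, src, dst, msg) in enumerate(trace, 1):
        step = progress[session]
        if step < len(expected) and (src, dst, msg) == expected[step]:
            progress[session] += 1
        else:
            want = expected[step] if step < len(expected) else None
            violations.append((number, session, (src, dst, msg), want))
    incomplete = sorted(s for s, n in progress.items() if n < len(expected))
    return violations, incomplete

# Constructed sample trace: session mn-a registers correctly; in session mn-b
# the foreign PKG pushes parameters although step 5.4 never happened.
SAMPLE = ([("mn-a",) + hop for hop in REGISTRATION]
          + [("mn-b",) + hop for hop in REGISTRATION[:3]]
          + [("mn-b", "PKG_F", "PKG_H", "ParamsPush")])

if __name__ == "__main__":
    print(check_trace(SAMPLE, REGISTRATION))
```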
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510633364.8A CN105119832B (en) | 2015-09-29 | 2015-09-29 | The MIPv6 safety movings management system and mobile authentication method of ID-based cryptosystem |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105119832A true CN105119832A (en) | 2015-12-02 |
CN105119832B CN105119832B (en) | 2018-01-02 |
Family
ID=54667727
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510633364.8A Expired - Fee Related CN105119832B (en) | 2015-09-29 | 2015-09-29 | The MIPv6 safety movings management system and mobile authentication method of ID-based cryptosystem |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105119832B (en) |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1863375A (en) * | 2005-05-11 | 2006-11-15 | 中兴通讯股份有限公司 | Registering method of mobile node to communication node in mobile IPv6 standard |
US20070211723A1 (en) * | 2006-03-10 | 2007-09-13 | Cisco Technology, Inc. | Mobile network device multi-link optimizations |
CN101056307A (en) * | 2006-04-11 | 2007-10-17 | 中兴通讯股份有限公司 | A method for secure registration with the agent mobile IP |
CN101478388A (en) * | 2009-01-16 | 2009-07-08 | 西安电子科技大学 | Multi-stage security supporting mobile IPSec access authentication method |
US20120110334A1 (en) * | 2010-10-29 | 2012-05-03 | Telefonaktiebolaget L M Ericsson (Publ) | Secure route optimization in mobile internet protocol using trusted domain name servers |
CN103813324A (en) * | 2012-11-07 | 2014-05-21 | 中国移动通信集团公司 | Node signature method and mobile node access method of hierarchical MIPv6 |
Non-Patent Citations (4)
Title |
---|
EHMKE M ETAL: "Securing Control Signaling in Mobile IPv6 with Identity-Based Encryption", 《ISSUES IN INFORMING SCIENCE & INFORMATION TECHNOLOGY》 * |
GAO TIANHAN ETAL: "A hybrid approach to secure hierarchical mobile IPv6 networks", 《COMPUTER SCIENCE AND INFORMATION SYSTEMS》 * |
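TIAN YE: "Research on MIPv6 Secure Handover Based on Identity-Based Cryptography", 《China Doctoral and Master's Dissertations Full-text Database (Doctoral), Information Science and Technology》 * |
GAO TIANHAN ET AL.: "Access Authentication Mechanism for HMIPv6 Networks Combining Node Certificates and Identity", 《Journal of Software》 * |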
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107124282A (en) * | 2017-05-18 | 2017-09-01 | 西安电子科技大学 | RFID Verification Systems and method under cloud environment based on MIPv6 |
CN107124282B (en) * | 2017-05-18 | 2019-10-25 | 西安电子科技大学 | RFID Verification System and method under cloud environment based on MIPv6 |
CN108322464A (en) * | 2018-01-31 | 2018-07-24 | 中国联合网络通信集团有限公司 | A kind of secret key verification method and equipment |
CN109688116A (en) * | 2018-12-11 | 2019-04-26 | 北京数盾信息科技有限公司 | A kind of dense tubular system (DTS) for supporting dynamic expansion algorithm and operational capability |
CN109688116B (en) * | 2018-12-11 | 2022-09-02 | 北京数盾信息科技有限公司 | Close management system supporting dynamic expansion algorithm and operational capability |
Also Published As
Publication number | Publication date |
---|---|
CN105119832B (en) | 2018-01-02 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10601594B2 (en) | End-to-end service layer authentication | |
US9705856B2 (en) | Secure session for a group of network nodes | |
CN107181597B (en) | PMIPv6 authentication system and method based on identity agent group signature | |
Lavanya et al. | Lightweight key agreement protocol for IoT based on IKEv2 | |
CN102111273B (en) | Pre-sharing-based secure data transmission method for electric load management system | |
WO2019015387A1 (en) | Group identity signature based pmipv6 anonymous access authentication system and method | |
CN108353279A (en) | A kind of authentication method and Verification System | |
Modares et al. | A survey of secure protocols in mobile IPv6 | |
Lai et al. | A secure blockchain-based group mobility management scheme in VANETs | |
CN103188080A (en) | Method and system for secret key certification consultation of terminal to terminal based on identify label | |
Amadeo et al. | Securing the mobile edge through named data networking | |
Chen et al. | A security scheme of 5G ultradense network based on the implicit certificate | |
Abd-Elrahman et al. | Fast group discovery and non-repudiation in D2D communications using IBE | |
CN108833113A (en) | A kind of authentication method and system of the enhancing communication security calculated based on mist | |
Shah et al. | A TOTP‐Based Enhanced Route Optimization Procedure for Mobile IPv6 to Reduce Handover Delay and Signalling Overhead | |
CN105119832A (en) | MIPv6 security mobility management system based on identification cryptology and mobility authentication method | |
GB2543359A (en) | Methods and apparatus for secure communication | |
US11838428B2 (en) | Certificate-based local UE authentication | |
CN101547091A (en) | Method and device for transmitting information | |
Nyangaresi et al. | Secure algorithm for IoT devices authentication | |
Wang et al. | A secure solution of V2G communication based on trusted computing | |
Mahajan et al. | Security and privacy in VANET to reduce authentication overhead for rapid roaming networks | |
Elmubark et al. | Fast and secure generating and exchanging a symmetric keys with different key size in TVWS | |
Song et al. | A secure and lightweight approach for routing optimization in mobile IPv6 | |
Mathi et al. | A secure and decentralized registration scheme for IPv6 network-based mobility |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20180102 |