Lightweight Secure Identity Authentication Encryption Mechanism Based on OpenFlow Optical Access Network
  • Original title (Chinese): 一种基于OpenFlow光接入网的轻量级安全身份认证加密机制
  • Authors: Tang Yongli (汤永利); Liu Tao (刘涛); Li Yiming (李一鸣); Ye Qing (叶青); Qin Panke (秦攀科)
  • Affiliations: College of Computer Science and Technology, Henan Polytechnic University; School of Communication and Information Engineering, Shanghai University
  • Keywords: optical communication; protocol; software-defined network; authentication; cryptographically generated address (CGA) algorithm; hash generated address (HGA) algorithm
  • Journal: Acta Optica Sinica (光学学报)
  • Published online: 2019-05-08
  • Publisher: Acta Optica Sinica
  • Year: 2019
  • Issue: 09
  • Funding: National Natural Science Foundation of China (61802117); National Cryptography Development Fund of the 13th Five-Year Plan (MMJJ20170122); Henan Provincial Department of Science and Technology (142300410147, 182102310923); Henan Provincial Department of Education (18A413001, 16A520013); Innovative Research Team of Henan Polytechnic University (T2018-1)
  • Language: Chinese
  • Pages: 56-65
  • Page count: 10
  • CN: 31-1252/O4
  • ISSN: 0253-2239
  • CLC number: TN929.1
Abstract
To meet the higher security requirements that all parties place on the multi-service Internet while limiting the cost that introducing security mechanisms usually brings, this paper analyzes the communication security challenges faced by software-defined optical access networks (SDOAN) and proposes a lightweight secure identity authentication encryption mechanism, CH-CNA, that combines the cryptographically generated address (CGA) algorithm with the hash generated address (HGA) algorithm. The mechanism follows the message exchange pattern of the OpenFlow protocol. CGA and HGA, neither of which needs a trusted third party, are used respectively for the first authentication binding and for subsequent (non-first) authentication bindings between communicating nodes. During the binding process an attacker is prevented from forging or tampering with the authentication messages, so an end-to-end trusted connection is established across the access network. CH-CNA was tested in the OMNeT++ network simulator; the results show that, while ensuring secure interaction between communicating nodes, the mechanism lowers both the average computational overhead and the blocking rate caused by malicious attacks, which meets the definition of lightweight.
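The first binding in CH-CNA relies on CGA, whose security property is that the IPv6 interface identifier is itself a hash of the node's public key, so a peer can check that a claimed address belongs to a key without any third party vouching for it. The paper's own message formats are not given on this page, so the following is an added example, not the paper's code: it implements standard RFC 3972 CGA generation (the Hash2 search for a modifier, then Hash1 for the interface identifier with the sec value and the u/g bits set) and verification, and shows that a binding which keeps a node's address but substitutes another public key is rejected. The /64 prefix and the two public-key byte strings are constructed placeholders (RFC 3972 uses the DER-encoded SubjectPublicKeyInfo; the message signature that SEND adds on top of CGA is not shown).

```python
"""
RFC 3972 cryptographically generated addresses (CGA): generation and verification.

Added example; not the paper's code. CH-CNA uses CGA for its first authentication
binding, but the paper's message formats are not reproduced here.
"""
import hashlib
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class CGAParams:
    """CGA Parameters data structure (RFC 3972 section 3), without extension fields."""
    modifier: bytes          # 16 octets, found by the Hash2 search in generate_cga
    subnet_prefix: bytes     # 8 octets, the /64 the address lives in
    collision_count: int     # 0, 1 or 2 (incremented on duplicate-address collisions)
    public_key: bytes        # DER SubjectPublicKeyInfo in real use; opaque bytes here


def _hash2(modifier: bytes, public_key: bytes) -> bytes:
    """Hash2 = leftmost 112 bits of SHA-1(modifier | 9 zero octets | public key)."""
    return hashlib.sha1(modifier + bytes(9) + public_key).digest()[:14]


def _hash1(p: CGAParams) -> bytes:
    """Hash1 = leftmost 64 bits of SHA-1(modifier | prefix | collision count | public key)."""
    data = p.modifier + p.subnet_prefix + bytes([p.collision_count]) + p.public_key
    return hashlib.sha1(data).digest()[:8]


def _has_leading_zero_bits(data: bytes, n: int) -> bool:
    """True if the first n bits of data are all zero (n == 0 is trivially true)."""
    if n == 0:
        return True
    nbytes = (n + 7) // 8
    value = int.from_bytes(data[:nbytes], "big")
    return (value >> (8 * nbytes - n)) == 0


def generate_cga(subnet_prefix: bytes, public_key: bytes, sec: int,
                 modifier: bytes = bytes(16), collision_count: int = 0):
    """Return (address, params). The Hash2 search costs about 2**(16*sec) SHA-1 calls."""
    if not 0 <= sec <= 7 or len(subnet_prefix) != 8 or len(modifier) != 16:
        raise ValueError("bad CGA inputs")
    mod = int.from_bytes(modifier, "big")
    while True:  # find a modifier whose Hash2 has 16*sec leading zero bits
        candidate = mod.to_bytes(16, "big")
        if _has_leading_zero_bits(_hash2(candidate, public_key), 16 * sec):
            break
        mod = (mod + 1) % (1 << 128)
    params = CGAParams(candidate, subnet_prefix, collision_count, public_key)
    iid = bytearray(_hash1(params))            # interface identifier from Hash1
    iid[0] = (iid[0] & 0x1F) | (sec << 5)      # leftmost 3 bits carry sec
    iid[0] &= 0xFC                             # clear the u and g bits
    return ipaddress.IPv6Address(subnet_prefix + bytes(iid)), params


def verify_cga(address, params: CGAParams) -> bool:
    """RFC 3972 section 5: the address must be derived from params, hence from the key."""
    packed = ipaddress.IPv6Address(address).packed
    if not 0 <= params.collision_count <= 2:
        return False
    if packed[:8] != params.subnet_prefix:
        return False
    iid = packed[8:]
    h1 = _hash1(params)
    keep = 0x1C  # compare bits 3-5 of the first octet; sec bits and u/g bits are ignored
    if (iid[0] & keep) != (h1[0] & keep) or iid[1:] != h1[1:]:
        return False
    sec = iid[0] >> 5
    return _has_leading_zero_bits(_hash2(params.modifier, params.public_key), 16 * sec)


# Constructed sample inputs (not from the paper): a /64 prefix and two placeholder keys.
PREFIX = ipaddress.IPv6Network("2001:db8:1:2::/64").network_address.packed[:8]
NODE_KEY = b"constructed-public-key-of-legitimate-node"
ATTACKER_KEY = b"constructed-public-key-of-attacker"


def demo(sec: int = 1):
    """Generate a node's CGA, then check a genuine and a forged binding for it."""
    addr, params = generate_cga(PREFIX, NODE_KEY, sec)
    # A forged binding keeps the victim's address but substitutes the attacker's key.
    forged = CGAParams(params.modifier, params.subnet_prefix,
                       params.collision_count, ATTACKER_KEY)
    return addr, params, verify_cga(addr, params), verify_cga(addr, forged)


if __name__ == "__main__":
    addr, params, genuine_ok, forged_ok = demo()
    print(addr, "sec =", addr.packed[8] >> 5, "genuine:", genuine_ok, "forged:", forged_ok)
```

With sec = 1 the modifier search takes on the order of 65,536 SHA-1 calls, which is the point of the sec parameter: an attacker who wants a second key hashing to the same address must pay 2^(59 + 16·sec) work, while the verifier only computes two hashes. That asymmetry is what lets a scheme like this stay lightweight on the verifying side.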