Security Analysis and Improvement of the EAP-AKA Protocol
(Chinese title: 基于 EAP-AKA 协议的安全性分析和改进)

MIAO Jun-feng, MA Chun-guang, MENG Yan, ZHOU Yong-jin (苗俊峰, 马春光, 孟彦, 周永进)

  • Funding: Natural Science Foundation of Heilongjiang Province [F201229]; Harbin Special Research Fund for Science and Technology Innovation Talents (2012RFXXG086)

  • About the authors: College of Computer Science and Technology, Harbin Engineering University, Harbin, Heilongjiang 150001; College of Computer Science and Technology, Harbin Engineering University, Harbin, Heilongjiang 150001; College of Computer Science and Technology, Harbin Engineering University, Harbin, Heilongjiang 150001 and National Secrecy College, Harbin Engineering University, Harbin, Heilongjiang 150001

Abstract: In recent years wireless network technologies, represented chiefly by 3G networks and WLAN, have made major advances. A 3G network offers good roaming service over a wide area but comparatively low data rates and network bandwidth, whereas WLAN offers high data rates at low cost but only limited coverage. The two are therefore highly complementary, and their integration is an efficient way to provide high-speed access. For this reason 3GPP put forward an interworking scheme for 3G networks and WLAN and designed the Extensible Authentication Protocol for Authentication and Key Agreement (EAP-AKA) for it. Extensive practice and research have shown, however, that EAP-AKA has a number of security flaws. This paper analyses the EAP-AKA protocol flow and its security and addresses these flaws, in particular: the user identity is exposed, which enables tracking attacks based on the leaked identity; the wireless local area network (WLAN) access network is not authenticated; and the session key is transmitted in plaintext, so that the WLAN loses confidentiality and integrity for the communication. It proposes an improved scheme that adds a public key to the WLAN access network and applies an anonymity technique. The scheme authenticates the WLAN access network, avoids exposing the user's identity information and encrypts the session key in transit, thereby providing users with a secure network service.
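The two transmission flaws the abstract names (permanent identity in the clear, which makes runs linkable to one subscriber, and the session key delivered in plaintext) and the kind of public-key fix it proposes can be shown with a small message-flow model. The following is an added illustration, not the paper's scheme or code; it assumes, for the demo, that the WLAN access network (AN) holds an RSA key pair whose public key the peer and the AAA server know, and it uses textbook RSA with fixed Mersenne primes plus a random prefix in place of a real padded public-key encryption scheme. The missing authentication of the access network is not modelled here.

```python
"""Toy model of two EAP-AKA weaknesses named in the abstract (identity and
session key sent in the clear) and of a public-key wrap on the WLAN access
network. Added illustration only; not the paper's scheme.
Assumptions (constructed for this demo): the WLAN access network (AN) holds an
RSA key pair, the peer and the AAA server know the public key, and textbook RSA
with fixed Mersenne primes plus a random prefix stands in for a real padded
public-key encryption scheme."""
import secrets

# Constructed demo key pair: two Mersenne primes, illustration only, not secure.
P = (1 << 89) - 1
Q = (1 << 127) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
NONCE_LEN = 8  # random prefix: equal plaintexts must not give equal ciphertexts


def pk_encrypt(data: bytes) -> int:
    """Encrypt under the (hypothetical) AN public key, nonce-prefixed."""
    blob = secrets.token_bytes(NONCE_LEN) + data
    m = int.from_bytes(blob, "big")
    if m >= N:
        raise ValueError("plaintext too long for the demo modulus")
    return pow(m, E, N)


def pk_decrypt(c: int, data_len: int) -> bytes:
    """AN-side decryption with the private exponent; strips the nonce."""
    blob = pow(c, D, N).to_bytes(NONCE_LEN + data_len, "big")
    return blob[NONCE_LEN:]


def baseline_exchange(imsi: bytes, session_key: bytes) -> list:
    """What a passive observer on the link records in plain EAP-AKA:
    the permanent identity and the AAA-to-AN key delivery, both in clear."""
    return [
        ("EAP-Response/Identity", imsi),
        ("AAA->AN key delivery", session_key),
    ]


def improved_exchange(imsi: bytes, session_key: bytes) -> list:
    """The same two messages with both fields wrapped under the AN public key."""
    return [
        ("EAP-Response/Identity", pk_encrypt(imsi)),
        ("AAA->AN key delivery", pk_encrypt(session_key)),
    ]


def exposes(capture: list, secret: bytes) -> bool:
    """True if the secret appears verbatim in the captured messages."""
    return any(payload == secret for _, payload in capture)


def linkable(run_a: list, run_b: list) -> bool:
    """True if two captured runs can be tied to one subscriber through the
    identity field (the tracking problem the abstract describes)."""
    return run_a[0][1] == run_b[0][1]


def an_recovers(capture: list, imsi_len: int, key_len: int) -> tuple:
    """What the AN, holding the private key, reads from an improved run."""
    return (pk_decrypt(capture[0][1], imsi_len),
            pk_decrypt(capture[1][1], key_len))


if __name__ == "__main__":
    imsi = b"IMSI-460001234567"      # constructed sample identity
    key = secrets.token_bytes(16)    # constructed sample session key
    base = baseline_exchange(imsi, key)
    print("baseline exposes identity:", exposes(base, imsi))
    print("baseline runs linkable:   ", linkable(base, baseline_exchange(imsi, key)))
    imp = improved_exchange(imsi, key)
    print("improved exposes identity:", exposes(imp, imsi))
    print("improved runs linkable:   ", linkable(imp, improved_exchange(imsi, key)))
    print("AN recovers both fields:  ", an_recovers(imp, len(imsi), len(key)) == (imsi, key))
```

The random prefix is the part worth noticing: without it a deterministic public-key wrap would hide the identity's value but still produce the same ciphertext in every run, so an observer could link sessions to one subscriber exactly as with the plaintext identity. A deployable version would use a standard padded scheme rather than the toy RSA above.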