无线网络认证协议抗拒绝服务攻击技术

发布时间：2019-05-18 06:54

【摘要】：随着无线网络的广泛应用,其安全性成为人们关注的焦点问题之一。由于无线网络链路的开放性,计算资源的有限性等原因,它相比于固定网络更容易遭受到各种攻击的威胁。尤其是无线网络中现有的一些安全认证机制,由于其设计机制的缺陷,非常容易遭受拒绝服务(DoS)攻击的威胁,而这种威胁对网络的威胁最大,防御困难。本文针对两种典型无线局域网中认证机制的抗DoS攻击技术进行了研究。一种是广泛部署的有中心的基础结构无线网,该类网络中普遍使用的IEEE802.11i安全标准在接入认证环节存在缺陷,使得无线接入点AP很容易遭受拒绝服务攻击。另一种是无中心的车载Ad Hoc网络,该类网络中基于数字签名对广播消息进行安全认证过程存在缺陷,也会导致严重的拒绝服务攻击问题。针对以上两种问题,分别提出了可行的解决方案。首先,针对IEEE802.11i接入认证机制的缺陷,提出了一种基于低成本RFID标签的无线局域网接入认证抗DoS攻击方案,极大地减少了DoS攻击对接入点的影响。在该方案中设计了一种基于低成本RFID标签的新型Client puzzle构造方法,在部署上该标签被贴在具有读写器功能的移动终端设备(STA)上,STA在该标签秘密计算的协助下完成认证请求的提交。与传统抗DoS攻击方案相比,该方案不仅避免了接入设备计算能力差异对抗DoS攻击效果的影响,而且可以解决传统抗DoS方案会引入新的DoS攻击的问题,同时,该方案最大限度地平衡了STA和AP之间的资源,对无线网络接入的影响更小。其次,针对无线车载网络广播消息中存在的DoS攻击问题,提出了一种基于Client puzzle的广播认证机制,采用强认证与弱认证相结合的方式抵御针对广播认证消息的DoS攻击。方案中,Client puzzle机制的构造是基于二次剩余的困难性,由RSU在信标帧中广播用于构造puzzle的参数,从而不额外增加协议的步骤。另外为了提高整个认证协议的抗DoS攻击能力,使用了自认证公钥密码体制来实现公钥的管理,能够减少基于证书公钥密码体制所带来的信令和计算开销。
[Abstract]:With the wide application of wireless network, its security has become one of the focus issues. Because of the openness of wireless network links and the limitation of computing resources, it is more vulnerable to various attacks than fixed networks. In particular, some existing security authentication mechanisms in wireless networks, because of the defects of their design mechanisms, are very vulnerable to the threat of denial of service (DoS) attacks, and this threat is the greatest threat to the network and difficult to defend. In this paper, the anti-DoS attack technology of two typical authentication mechanisms in wireless local area network (WLAN) is studied. One is a widely deployed wireless network with a central infrastructure. The IEEE802.11i security standard commonly used in this kind of network has defects in the access authentication link, which makes the wireless access point AP vulnerable to denial of service attacks. The other is the non-central vehicle Ad Hoc network, which has defects in the process of security authentication of broadcast messages based on digital signature, which will also lead to serious denial of service attacks. In view of the above two problems, the feasible solutions are put forward respectively. Firstly, aiming at the defects of IEEE802.11i access authentication mechanism, a wireless local area network access authentication anti-DoS attack scheme based on low cost RFID tag is proposed, which greatly reduces the influence of DoS attack on access point. In this scheme, a new Client puzzle construction method based on low cost RFID tag is designed, which is affixed to the mobile terminal device (STA) with reader function in deployment. STA completes the submission of the authentication request with the assistance of the secret calculation of the label. Compared with the traditional anti-DoS attack scheme, this scheme not only avoids the influence of different computing power of access devices against DoS attack, but also solves the problem that the traditional anti-DoS scheme will introduce new DoS attacks. At the same time, This scheme maximizes the balance of resources between STA and AP, and has less impact on wireless network access. Secondly, aiming at the problem of DoS attack in wireless vehicle network broadcast message, a broadcast authentication mechanism based on Client puzzle is proposed, which combines strong authentication with weak authentication to resist DoS attack against broadcast authentication message. The construction of, Client puzzle mechanism in the scheme is based on the difficulty of quadratic residue. RSU broadcast the parameters used to construct puzzle in beacon frame, so that the protocol can not be added. In addition, in order to improve the anti-DoS attack ability of the whole authentication protocol, the self-authenticated public key cryptosystem is used to realize the public key management, which can reduce the signaling and computing overhead caused by the certificate-based public key cryptosystem.
【学位授予单位】：西安电子科技大学
【学位级别】：硕士
【学位授予年份】：2014
【分类号】：TN915.08

【相似文献】