Smart Card Based Protocol For Secure And Controlled Access Of Mobile Host In Foreign Network

Smart Card Based Protocol for Secure and Controlled Access Of Mobile Host in IPv6 Compatible Foreign Network 954203020 郭啟揚 954203039 鄭志瑋 954203057 蔡繼正

Outline(1/1)

Introduction

Smart Card

Java Card

AAA architecture

RADIUS

Diameter

Network layer security using IPv6

IP Source Address Filtering

IPsec

User registration protocol

Comment

Introduction

IPsec +PKI

耗損運算能力、頻寬

難實作

Smart card+IPv6+ IPsec

AAA

(Authentication , Authorization , Accounting)

MAP

(Mobile Authentication Protocol)

AAA 、 Java Applet 、加密 function 、 AR 的實作、 ipv6 、

LSA 、 URP 、 IPsec

Smart Card(1/4)

Magnetic Stripe cards

Smart card (IC 卡，晶片卡、智慧卡 )

Memory card

Microprocessor card

Java Card

Smart Card(2/4)

Memory Cards

Memory Cards

Capacity ： 64KB to 1MB

Ex ： pre-paid telephone card

Optical memory card

Capacity ： 4MB

Ex ： personal identification card

Smart Card(3/4)

Microprocessor Cards

Contact Cards

IC 電話卡、 IC 金融卡

Contactless Cards

捷運悠遊卡

Combi Cards

第二代信用卡

Smart Card(4/4)

Java Card(1/2)

JAVA 卡之前的智慧卡

需求上升，新應用誕生

APIs 非常複雜

沒有一個通用的開發環境

不同廠商相同應用的卡不相容

Java Card(2/2)

Java Card

支援一卡多用途

可重用性

Jave Applets 易實作

Applets 可於任何 java-based 環境執行

使用 Java API 撰寫的卡片彼此相容

AAA architecture

AAA

Authentication

Authorization

Accounting

Protocol

RADIUS

Remote Authentication Dial In User Service

Diameter

RADIUS(1/2)

RADIUS(2/2)

缺點

Low security guarantee

Low scalability

Low Transmission reliability

Low AVP (Attribute Value Pair) space 256

Heavy processing requirement

Diameter(1/4)

Diameter(2/4)

TCP or SCTP

(Stream Control Transmission protocol)

支援 retransmission 和 windowing flow

Proxy 必需 ack 每一個 packet

它解決了 Radius 相關問題

Connection disruption

Silent discard

congestion

Diameter(3/4)

CMS (Cryptographic Message Syntax)

安全性高

End to end

Digital signature and encryption

Diameter(4/4)

優點

較大的 AVP space 2^32

用 time stamp 解決 Replay attack

擴充性高

Payload 調整為 32bit

Network layer security using IPv6

IP Source Address Filtering

IPsec

IP Source Address Filtering User identity IP Share key Share key

IPsec(2/5)

IPsec 協定

AH (Authentication Header)

ESP (Encapsulating Security Payload)

IPsec 通道

Transport mode

Tunnel mode

IPsec(3/5)

IPsec(4/5)

IPsec(5/5)

SA(Security Association)

Unidirectional

SAin SBout ： SBin SAout

相同的 key 、加密參數

SA bundle

A triple

Destination IP address

Protocol identifier (ESP 、 AH)

SPI (Security parameter index)

Store in SADB

(Security Association Database)

實作： FreeS/WAN

User registration protocol(1/4)

AAA server

AAAh (AAA server in the home network of the MH)

AAAv (AAA server in the visited network)

SA (Security Association)

Inter-domain SA

Local SA

Temporary Shared key (TSK)

User Registration Protocol(2/4)

URP (User Registration Protocol)

MAP (Mobile Authentication Protocol )

Implementation of URP

Use EAPoUDP (EAP format)

Communicate with clients

TSK

Diameter (AAA)

Communicate with AAA server

MH AR AAAh

User registration protocol(3/4) LSA IPsec TSK TSK TSK

Local challenge VN_ID Care of address AUTH=HMAC-MD5(LC,user_id,VN_ID,SAmh) User Name AVP:user_id Extract LC , user_id , AUTH,VN_ID, MH_Ipaddr EAP AVP:AUTH Care of IP:MH_Ipaddr AAA Registration Request Challenge AVP:LC AUTH==HMAC-MD5(LC,user_id,VN_ID,SAmh ) HC,AUTHNET,Randtsk AUTHNET=HMAC-MD5(HC,user_id,VN_ID,SAmh) TSK=3DES(Randtsk,SAmh) ARA (Randtsk,HC,TSK,VN_ID,user_id,Authnet) EAP format AUTH=HMAC-MD5(HC,user_id,VN_ID,SAmh) AUTH==AUTHNET EAP format

Implementation detail Extensible Authentication Protocol AAA Registration Request

Comment(1/2) 3 6+3=9 訊息數其他技術本名縮寫 Mobile Authentication Protocol Internet key Exchange IPsec +IPv6+ Smart card PKI+IKE Temporary share key Two phase MAP IKE

Comment(2/2) 低高成本不易容易 key 竊取易難建置 key 定時更新 Key 不能失去 Key 安全性本名縮寫 Mobile Authentication Protocol Public key infrastructure 高低 MAP PKI

所以 MAP 將會是未來的趨勢你認為呢？ Thank you for attention Q&A