5G移动边缘计算场景下的快速切换认证方案

doi:10.11959/j.issn.2096-109x.2022034

摘要/Abstract

摘要：

5G 万物互联为用户带来极致网络体验的同时也提出了新的挑战，用户的超低时延体验、移动状态下无顿感的获取业务以及安全防护问题备受关注。移动边缘计算能够满足 5G 低时延、大连接、高带宽的严苛要求，作为一种多信任域共存的计算范式，多实体之间、跨信任域之间互联互通频繁，身份认证作为安全防护的第一道关口尤为重要。通过对现有边缘计算范式下的身份认证机制研究，提出了一种通过构建信任域的基于预认证的轻量级快速切换认证方案，不同区域间移动的用户能实现快速安全的切换认证。所提方案将服务和计算由云端下沉到边缘侧，生物指纹技术被用于用户端以抵御终端被盗攻击，不同区域的边缘服务器采用预认证的方式来满足快速切换需求，用户与边缘服务器采用实时协商共享会话密钥的方式建立安全通道，认证方案以异或和哈希运算来保证轻量级。对所提方案从安全性与性能两方面进行评估，其中，安全性从理论设计分析和形式化工具验证两方面进行。采用形式化分析工具AVISPA验证了在存在入侵者的情况下所提方案的安全性，与其他方案相比所提方案更安全。性能主要从认证方案的计算成本和通信成本进行评估，仿真表明，所提方案在通信成本上有较好的优势，计算开销能够满足资源受限的移动终端用户需求。后续需要从两方面对方案进行改进，一是要加强方案可扩展性的改进以确保用户及边缘服务器能随时加入退出。二是要加强方案普适性的改进以满足第三方服务商的接入部署。

关键词: 移动边缘计算, 切换认证, 服务下沉, 隐私保护, AVISPA

Abstract:

The 5G internet of things brings the ultimate experience to users, but it also puts forward new challenges.Users’ requirements of ultra-low latency experience, access to business without sense during movement and security guarantee have attracted much attention.Mobile edge computing can meet the strict requirements of 5G with low latency, large connection and high bandwidth.As a computing paradigm with the coexistence of multi-trust domains, multi-entities and cross-trust domains are interconnected frequently.Identity authentication is particularly important for security protection.Through the research on the identity authentication mechanism under the existing edge computing paradigm, a lightweight fast handover authentication scheme based on pre-authentication was proposed.The proposed solution moved services and calculations from the cloud to the edge.Biometric fingerprint technology was used on the client side to defend against terminal theft attacks.Edge servers in different regions used pre-authentication scheme to meet fast switching requirements.The user and the edge server established a secure channel by negotiating a shared session key in real time, and the authentication scheme ensured lightweight operation with XOR and hash operation.The proposed scheme was evaluated from two aspects of security and performance.Theoretical design analysis and formal tool verification were carried out for security evaluation.The formal analysis tool, AVISPA, was used to verify the improved security of the proposed scheme in the presence of intruders.The performance was mainly evaluated from the computing cost and communication cost of the authentication scheme.The simulation results showed that the proposed scheme reduces communication cost, and the computational overhead can meet the needs of mobile terminals with limited resources.As the future work, the scheme will be improved from two aspects: one is to strengthen the scalability to ensure that users and edge servers can join and exit at any time, and the other one is to strengthen the universality of the scheme to meet the access deployment of third-party service providers.

Key words: mobile edge computing, handover authentication, service sinking, privacy protection, AVISPA

中图分类号:

TP309

张伟成, 卫红权, 刘树新, 普黎明. 5G移动边缘计算场景下的快速切换认证方案[J]. 网络与信息安全学报, 2022, 8(3): 154-168.

Weicheng ZHANG, Hongquan WEI, Shuxin LIU, Liming PU. Fast handover authentication scheme in 5G mobile edge computing scenarios[J]. Chinese Journal of Network and Information Security, 2022, 8(3): 154-168.

图/表 21

图1

图2

表1

图3

图4

图5

图6

图7

图8

图9

图10

图11

图12

图13

图14

图15

表2

表3

表4

表5

表6

参考文献 26

[1]	5G Infrastructure PPP Association. 5G Vision-The 5G Infrastructure Public Private Partnership:the next generation of communication networks and services[J]. White Paper,February, 2015.
[2]	HU Y C , PATEL M , SABELLA D ,et al. Mobile edge computing—A key technology towards 5G[J]. ETSI White Paper, 2015,11(11): 1-16.
[3]	PATEL M , NAUGHTON B , CHAN C ,et al. Mobile-edge computing introductory technical white paper[J]. Mobile-edge Computing (MEC) Industry Initiative, 2014,29: 854-864.
[4]	QI Y , TIAN L , ZHOU Y ,et al. Mobile edge computing-assisted admission control in vehicular networks:the convergence of communication and computation[J]. IEEE Vehicular Technology Magazine, 2019,14(1): 37-44.
[5]	ZHOU Y , TIAN L , LIU L ,et al. Fog computing enabled future mobile communication networks:a convergence of communication and computing[J]. IEEE Communications Magazine, 2019,57(5): 20-7.
[6]	ZHOU Y , LING L , WANG L ,et al. Service aware 6G:An intelligent and open network based on convergence of communication,computing and caching[J]. Digital Communications and Networks, 2020,6(3): 253-260.
[7]	胡鑫鑫, 刘彩霞, 刘树新 ,等. 移动通信网鉴权认证综述[J]. 网络与信息安全学报, 2018,4(12): 1-15.
	HU X X , LIU C X , LIU S X ,et al. Overview of mobile communication network authentication[J]. Chinese Journal of Network and Information Security, 2018,4(12): 1-15.
[8]	翟靖轩 . 移动云计算中的认证协议研究[D]. 徐州:中国矿业大学, 2019.
	ZHAI J X . Research on authentication protocol in mobile cloud computing[D]. Xuzhou:China University of Mining and Technology, 2019.
[9]	陈春雨, 尚文利, 赵剑明 ,等. 边缘计算身份认证和隐私保护技术[J]. 自动化博览, 2018,v.35;No.300(S2): 96-99.
	CHEN C Y , SHANG W L , ZHAO J M ,et al. Edge computing identity authentication and privacy protection technology[J]. Automation Panorama, 2018,v.35;No.300(S2): 96-99.
[10]	胡荣磊, 陈雷, 段晓毅, 于秉琪 . 一种适用于雾计算的终端节点切换认证协议[J]. 电子与信息学报, 2020,42(10): 2350-2356.
	HU R L , CHEN L , DUAN X Y ,et al. A switching authentication protocol of terminal node for fog computing[J]. Journal of Electronics ＆ Information Technology, 2020,42(10): 2350-2356.
[11]	张佳乐, 赵彦超, 陈兵 ,等. 边缘计算数据安全与隐私保护研究综述[J]. 通信学报, 2018,39(3): 1-21.
	ZHANG J L , ZHAO Y C , CHEN B ,et al. Survey on data security and privacy-preserving for the research of edge computing[J]. Journal on Communications, 2018,39(3): 1-21.
[12]	CHEN C L , CHIANG M L , HSIEH H C ,et al. A lightweight mutual authentication with wearable device in location-based mobile edge computing[J]. Wireless Personal Communications, 2020,113(1): 575-598.
[13]	DHILLON P K , KALRA S . A lightweight biometrics based remote user authentication scheme for IoT services[J]. Journal of Information Security and Applications, 2017:S2214212616301442.
[14]	HU Y C , PATEL M , SABELLA D ,et al. Mobile edge computing—A key technology towards 5G[J]. ETSI White Paper, 2015,11(11): 1-16.
[15]	胡鑫鑫 . 5G 网络认证协议和非接入层协议安全性研究[D]. 战略支援部队信息工程大学.
	HU X X . Research on security of 5G network authentication protocol and non-access stratum protocol[D]. PLA Strategic Support Force Information Engineering University.
[16]	JIA X , HE D , KUMAR N ,et al. A provably secure and efficient identity-based anonymous authentication scheme for mobile edge computing[J]. IEEE Systems Journal, 2019: 1-12.
[17]	LIU H , ZHANG P , PU G ,et al. Blockchain empowered cooperative authentication with data traceability in vehicular edge computing[J]. IEEE Transactions on Vehicular Technology, 2020,PP(99): 1-1.
[18]	XIAO Y , JIA Y , LIU C ,et al. Edge computing security:state of the art and challenges[J]. Proceedings of the IEEE, 2019,PP(99): 1-24.
[19]	ZHANG J , CHEN B , ZHAO Y ,et al. Data security and privacy-preserving in edge computing paradigm:survey and open issues[J]. IEEE Access, 2018,6(18) 209-37.
[20]	LI X , CHEN T , CHENG Q ,et al. Smart applications in edge computing:overview on authentication and data security[J]. IEEE Internet of Things Journal, 2020,PP(99): 1-1.
[21]	TEAM T A . AVISPA v1.1 User manual[EB]. Information society technologies programme (June 2006)[EB]. 2006.
[22]	CHEVALIER Y , COMPAGNA L , CUELLAR J ,et al. A high level protocol specification language for industrial security-sensitive protocols[C]// Workshop on Specification and Automated Processing of Security Requirements-SAPS'2004. Austrian Computer Society, 2004.
[23]	GLOUCHE Y , GENET T , HOUSSAY E . SPAN:a security protocol animator for AVISPA[C]// IRISA, 2008.
[24]	SAILLARD R , GENET T . CAS+[EB].
[25]	SHARMA V , YOU I , PALMIERI F ,et al. Secure and energy-efficient handover in fog networks using blockchain-based DMM[J]. IEEE Communications Magazine, 2018,56(5): 22-31.
[26]	RIFA-POUS H , HERRERA-JOANCOMARTí J , . Computational and energy costs of cryptographic algorithms on handheld devices[J]. Future Internet, 2011,3(1): 31-48.

参数	描述	参数	描述
UID	用户设备信息	F1、F2、F3、F4	哈希函数用于生成匿名密钥、签名信息、身份令牌、会话密钥
MID	加密的用户设备信息	RAND	注册阶段产生的随机数
UB	用户生物特征信息	Nu、Nmi、Nc	认证阶段用户产生的随机数、区域 i 的 MEC 服务器产生的随机数、云服务器产生的随机数
MU	由用户加密的用户身份信息	Mreg、Mreq、Sreq	注册请求、迁移请求、服务请求
XMU	由云服务器加密的用户身份信息	Sig	用户的签名信息
Cmac	云服务器地址	UAUTN、CAUTN	用户身份令牌、云服务器身份令牌
MC	加密的云服务器身份信息	MAUTNi	部署在区域i的MEC服务器身份令牌
MACi	部署在区域i的MEC服务器的mac地址	AUTNi、AUTNij	区域i认证令牌、区域i与区域j之间的认证令牌
Mimac	加密区域i的MEC服务器的mac地址	SKcmi	云服务器与区域i的MEC服务器之间的会话密钥
MMi	加密区域i的MEC服务器身份信息	SKumi	用户与区域i的MEC服务器之间的会话密钥
MAKi	部署在区域i的MEC服务器的匿名参数	SKmij	区域i与区域j的MEC服务器之间的会话密钥
UAK	注册阶段用户匿名参数	N0	用于生成共享密钥的用户密钥随机数
UAKc	认证阶段云服务器产生的匿名参数	Ni	用于生成共享密钥的区域i的MEC服务器的密钥随机数
UAKu	认证阶段用户产生的匿名参数	MSKumi	用户与区域i的MEC服务器之间的共享密钥
K	服务根密钥，定期随着服务升级更新	RESi	保存在区域i中的MEC服务器响应消息
Kmi	区域i的MEC服务器的服务标识密钥，定期随着服务升级更新	⊕	异域运算
Kc	云服务器私有参数	\|\|	联接符号
Mi	MEC服务器私有参数	{A}_SK	使用会话密钥SK加密A

仿真平台	Th	Txor	Tsyen	Tsyde	Tasen	Tasde
服务器	0.001 4	0.001 3	0.011 6	0.014 4	0.021 4	0.734 6
用户终端	0.002 2	0.001 9	0.093 4	2.812 7	0.103 9	3.693 7

阶段	终端用户	MEC1	MEC2	云服务器
用户注册阶段	4Th+3Txor	N/A	N/A	4Th+4Txor
服务器注册阶段	N/A	2Th+Txor	2Th+Txor	3Th+2Txor
首次认证阶段	3Th+6Txor	2Th+5Txor	N/A	3Th+5Txor
服务迁移阶段	Th+Txor	Th+3Txor	2Th+2Txor	2Th+8Txor
切换认证阶段	4Th+4Txor	N/A	Th+4Txor	N/A
注：N/A表示空值。

认证方案	用户	边缘节点	远程服务器
本文方案	4Th+4Txor=0.016 4	Th+4Txor=0.006 6	N/A
方案[12]	2Txor=0.0038	2Txor=0.0026	4Txor=0.005 2
方案[13]	8Th=0.0176	6Th=0.0084	8Th=0.0112
注：N/A表示空值。

方案	通信成本	数据长度/bit
本文方案	2\|ID\|+4\|XOR\|	1 536
方案[12]	6\|XOR\|	1 536
方案[13]	3\|ID\|+5\|H\|+2\|XOR\|+4\|T\|	2 688