Chinese Journal of Network and Information Security (网络与信息安全学报) ›› 2022, Vol. 8 ›› Issue (3): 154-168. doi: 10.11959/j.issn.2096-109x.2022034

• Academic Papers •

Fast handover authentication scheme in 5G mobile edge computing scenarios

Weicheng ZHANG, Hongquan WEI, Shuxin LIU, Liming PU

  1. Information Engineering University, Zhengzhou 450001, Henan, China
  • Revised: 2021-02-12  Online: 2022-06-15  Published: 2022-06-01
  • About the authors:
    Weicheng ZHANG (born 1990), male, from Yingxian, Shanxi; master's student at Information Engineering University; main research interest: 5G mobile edge computing security.
    Hongquan WEI (born 1971), male, from Tanghe, Henan; research fellow at Information Engineering University; main research interests: converged network security, reconfigurable network theory and technology.
    Shuxin LIU (born 1987), male, from Weifang, Shandong; Ph.D., associate research fellow at Information Engineering University; main research interests: link prediction and communication network security.
    Liming PU (born 1976), male, from Songming, Yunnan; associate research fellow at Information Engineering University; main research interests: network architecture and communication network security.
  • Supported by:
    The National Natural Science Foundation of China (61803384)

Abstract:

The 5G Internet of Everything brings users an ultimate network experience, but it also raises new challenges: users' expectations of ultra-low latency, seamless access to services while moving, and security protection all attract much attention. Mobile edge computing can meet the strict 5G requirements of low latency, massive connectivity and high bandwidth. As a computing paradigm in which multiple trust domains coexist, it involves frequent interconnection between many entities and across trust domains, so identity authentication, the first line of security protection, is particularly important. Based on a study of the identity authentication mechanisms of existing edge computing paradigms, a lightweight fast handover authentication scheme based on pre-authentication and the construction of trust domains was proposed, which lets users moving between regions complete handover authentication quickly and securely. The proposed scheme moves services and computation from the cloud down to the edge. Biometric fingerprint technology is used on the user side to resist terminal theft attacks. Edge servers in different regions use pre-authentication to meet the fast handover requirement. The user and the edge server establish a secure channel by negotiating a shared session key in real time, and the scheme stays lightweight by relying only on XOR and hash operations. The scheme was evaluated in terms of security and performance. Security was assessed through theoretical design analysis and formal tool verification: the formal analysis tool AVISPA was used to verify the security of the scheme in the presence of an intruder, and the scheme is more secure than the schemes it was compared with. Performance was evaluated mainly in terms of the computation and communication costs of the authentication scheme; simulation shows that the proposed scheme has an advantage in communication cost, and its computational overhead meets the needs of resource-constrained mobile terminals. Future work will improve the scheme in two respects: strengthening its scalability so that users and edge servers can join and leave at any time, and strengthening its generality so that third-party service providers can access and deploy it.

Key words: mobile edge computing, handover authentication, service sinking, privacy protection, AVISPA
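The abstract only sketches the mechanism: the serving edge server pre-authenticates the user to the target edge server before the move, the user and the target server then negotiate a fresh session key in real time, and every step is built from hash and XOR operations. The following is an added illustration of that class of scheme, written for this page; it is not the authors' protocol, and its message layout, the inter-server key K_AB, the existing user-server session key SK_A, the pseudonym, the expiry field and all function names are assumptions of the example (the fingerprint step on the user side is left out). It runs the pre-authentication, a successful handover, an expired ticket, a replayed request and a stolen-ticket attempt, using only SHA-256 and XOR.

```python
"""Hash-and-XOR pre-authenticated handover (illustrative, not the paper's scheme).

Assumed setup (not from the page): the serving server ES_A and the target
server ES_B share a long-term key K_AB inside one trust domain, and the user
equipment (UE) already holds a session key SK_A with ES_A from its current
attachment.  All helper and message names are this example's own.
"""
import hashlib
import os


def H(*parts: bytes) -> bytes:
    """SHA-256 over the concatenation of the parts (32-byte digest)."""
    return hashlib.sha256(b"".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class EdgeServer:
    def __init__(self, sid: bytes, k_ab: bytes):
        self.sid, self.k_ab = sid, k_ab
        self.preauth = {}        # pid -> (n_a, expiry), installed by the serving server
        self.seen_nonces = set()  # user nonces already accepted (replay check)
        self.sessions = {}       # pid -> negotiated session key

    # ES_A side: runs before the UE leaves this server's region.
    def pre_authenticate(self, pid, sk_a, target_id, expiry):
        n_a = os.urandom(16)
        ticket = H(self.k_ab, pid, target_id, n_a)
        # ES_B can recompute the ticket from K_AB, so the record carries only
        # the inputs plus a keyed hash that binds them.
        record = (pid, n_a, expiry, H(self.k_ab, pid, n_a, expiry.to_bytes(8, "big")))
        # The UE gets the ticket masked with a hash of its current session key.
        masked = xor(ticket, H(sk_a, n_a))
        return record, (n_a, masked)

    # ES_B side: accept the pre-authentication record from ES_A.
    def install_record(self, record):
        pid, n_a, expiry, tag = record
        if tag != H(self.k_ab, pid, n_a, expiry.to_bytes(8, "big")):
            return False
        self.preauth[pid] = (n_a, expiry)
        return True

    # ES_B side: real-time handover request from the UE.  Returns None on any failure.
    def handle_handover(self, pid, n_u, auth_u, now):
        if pid not in self.preauth:
            return None
        n_a, expiry = self.preauth[pid]
        if now > expiry or n_u in self.seen_nonces:
            return None
        ticket = H(self.k_ab, pid, self.sid, n_a)
        if auth_u != H(ticket, n_u, pid, self.sid):
            return None
        self.seen_nonces.add(n_u)
        n_b = os.urandom(16)
        sk_b = H(ticket, n_u, n_b)          # fresh session key for this attachment
        self.sessions[pid] = sk_b
        return n_b, H(sk_b, n_b, self.sid)   # proves ES_B derived the same key


class UserEquipment:
    def __init__(self, pid, sk_a):
        self.pid, self.sk_a, self.ticket, self.sk_b = pid, sk_a, None, None

    def receive_ticket(self, n_a, masked):
        self.ticket = xor(masked, H(self.sk_a, n_a))

    def handover_request(self, target_id):
        n_u = os.urandom(16)
        return n_u, H(self.ticket, n_u, self.pid, target_id)

    def finish(self, n_u, reply, target_id):
        if reply is None:
            return False
        n_b, auth_b = reply
        sk_b = H(self.ticket, n_u, n_b)
        if auth_b != H(sk_b, n_b, target_id):
            return False
        self.sk_b = sk_b
        return True


def run_handover(now=1000, expiry=2000, replay=False, wrong_key=False):
    """Full exchange with constructed keys; returns True iff the outcome is the secure one."""
    k_ab, sk_a, pid = os.urandom(32), os.urandom(32), b"PID-UE-0001"   # constructed
    es_a, es_b = EdgeServer(b"ES-A", k_ab), EdgeServer(b"ES-B", k_ab)
    # wrong_key models a thief who captured the masked ticket but not SK_A.
    ue = UserEquipment(pid, os.urandom(32) if wrong_key else sk_a)

    record, (n_a, masked) = es_a.pre_authenticate(pid, sk_a, es_b.sid, expiry)
    assert es_b.install_record(record)
    ue.receive_ticket(n_a, masked)

    n_u, auth_u = ue.handover_request(es_b.sid)
    ok = ue.finish(n_u, es_b.handle_handover(pid, n_u, auth_u, now), es_b.sid)
    if replay:   # an eavesdropper resending the same request must be refused
        return es_b.handle_handover(pid, n_u, auth_u, now) is None
    return ok and ue.sk_b == es_b.sessions.get(pid)


if __name__ == "__main__":
    print("handover:", run_handover(), "expired:", run_handover(now=3000),
          "replay refused:", run_handover(replay=True), "stolen ticket:", run_handover(wrong_key=True))
```

Two design points worth noting. The ticket is never sent in the clear to the target server: ES_B recomputes it from K_AB and the pseudonym, so an attacker on the inter-server link learns only the nonce and expiry. The session key mixes both parties' fresh nonces with the ticket, so replaying a captured request yields a different key on the server side and is refused outright by the nonce cache; the expiry bounds how long a pre-authentication record stays usable if the user never arrives.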
