融合双层卫星网络的星地和星间AKA协议

doi:10.11959/j.issn.2096-109x.2023004

摘要/Abstract

摘要：

天地一体化网络以其大时空、天网地网和星地融合的特性备受关注，卫星不仅可以作为应急通信补充，还可以充当空中中继站，扩大地面网络覆盖范围，在军用和民用场景都占据着重要地位。实体身份认证和密钥协商机制可以防止假冒实体加入天地一体化网络，窃取用户隐私行为的发生，保障网络信息安全。针对天地一体化网络星地传输时延较大、链路高度暴露、星上处理能力有限以及星间拓扑结构动态时变等特点，提出一种轻量级的双层卫星网络的星间和星地组网实体身份认证（AKA，authenticated key agreement）协议，以实现安全的卫星组网架构，后续基于协商的会话密钥保护数据传输。所提协议基于对称密码体制，采用轻量级密码算法，引入群密钥和分层管理机制，针对双层卫星网络的不同场景特点，将认证协议分为高轨卫星星地和星间认证、层间和同轨道低轨卫星间认证以及相邻轨道低轨卫星间认证3部分。群密钥和分层管理机制提高了群组间信息的传递效率，减轻了地面控制中心的认证压力，且在三方认证协议中实现了双重验证，提高了认证安全强度。不同于以往的单场景认证，部分认证协议采取复用认证参数的形式，在一次认证转发过程中可实现双场景的认证需求。通过协议形式化安全仿真工具 Scyther 分析结果表明，所提协议均实现了安全接入认证。与现有协议相比，所提协议提高了认证安全性，降低了通信和计算开销。

关键词: 卫星通信, 双层卫星网络, 认证, 对称加密

Abstract:

With the characteristics of large space-time and satellite-ground network integration, the space integrated ground network has attracted much attention.Satellites can not only be used as emergency communication supplements, but also serve as air stations to expand the coverage of terrestrial networks, occupying an important position in both military and civilian scenarios.The entity authentication and key negotiation mechanism can prevent the malicious entities from joining the integrated network to steal users’ privacy, and guarantee network information security.In view of the characteristics of the high satellite-ground transmission delays, exposed links, limited processing capability and dynamic topology of the integrated network, a lightweight authentication scheme between satellites and ground suitable for double-layer satellite network was proposed to achieve a secure satellite networking architecture with session keys to protect data transmission.The scheme was based on symmetric cryptographic system, using lightweight cryptographic algorithms and introducing group key and hierarchical management mechanisms.The proposed scheme included three parts: inter-satellite authentication for geostationary earth orbit satellites, layer and inter-satellite authentication for same low earth orbit, and inter-satellite authentication for adjacent low earth orbit satellites.The group key and hierarchical management mechanism improved the efficiency of inter-group information transfer, reduced the authentication pressure on the ground control center, and enhanced the authentication security strength by realizing double verification in the three-entities authentication protocol.Different from the previous single scene authentication, the proposed authentication protocol took the form of multiplexing authentication parameters, which can realize the authentication requirements of dual scenes in one process.The results of Scyther, a protocol formal security simulation tool, show that the proposed scheme achieves secure access authentication.Compared with existing protocols, the proposed scheme improves authentication security and reduces communication and computational overhead.

Key words: satellite communications, double-layer satellite network, authentication, symmetric encryption

中图分类号:

TP302

曹进, 石小平, 马如慧, 李晖. 融合双层卫星网络的星地和星间AKA协议[J]. 网络与信息安全学报, 2023, 9(1): 18-31.

Jin CAO, Xiaoping SHI, Ruhui MA, Hui LI. Fusion of satellite-ground and inter-satellite AKA protocols for double-layer satellite networks[J]. Chinese Journal of Network and Information Security, 2023, 9(1): 18-31.

图/表 14

图1

图2

表1

参数定义Table 1 Parameter definition"

参数名称	定义
MsgKey _gi	群密钥
${MainKey}_{\sec A} / {MainKey}_{A i}$	预共享密钥
$K_{\sec A} / K_{A B} / K_{A i} / K_{i j}$	会话密钥
SSID	卫星的广播身份标识
T_msg	时间戳
AK	时间戳的保护序列
MAC	消息验证码
RES	认证响应值
$A V$	认证向量
Token	认证凭证
${Enc}_{K} (\cdot)$	基于密钥K 的分组加密运算
$KDF (\cdot)$	基于密钥K 的密钥生成函数
${Dec}_{K} (\cdot)$	使用密钥K 的解密运算
f₁	消息验证码生成函数
f₂	认证响应值生成函数
$l_{1} \oplus l_{2}$	表示l₁异或l₂运算
$l_{1} ∥ l_{2}$	表示l₁、l₂字符串连接运算

表1

图3

图4

图5

图6

图7

图8

表2

各协议开销Table 2 Overhead of each protocol"

协议	信令开销/次	带宽开销/byte	计算开销/μs
文献[12]	2N	144N	$(4 T_{H} + 3 T_{ME}) \cdot N = 4.1552 \times 10^{3} \cdot N$
文献[24]-1	2N	88N	$(4 T_{H} + 8 T_{KDF}) \cdot N = 0.0157932 \times 10^{3} \cdot N$
文献[24]-2	2N	128N	$(4 T_{H} + 1 T_{KDF} + 2 T_{E / D}) \cdot N = 8.4735 \cdot N$
文献[25]	3N	72N	$(4 T_{H} + 6 T_{KDF} + 1 T_{E / D}) \cdot N = 0.0143832 \times 10^{3} \cdot N$
文献[26]	5N	164N	$(4 T_{H} + 6 T_{KDF} + 3 T_{E / D}) \cdot N = 0.01714986 \times 10^{3} \cdot N$
文献[27]	N	120N	$(1 T_{sign} + 1 T_{ver} + 1 T_{ME}) \cdot N = 1.7 \times 10^{3} \cdot N$
协议1	2N	64N	$(4 T_{H} + 2 T_{KDF} + 1 T_{E / D}) \cdot N = 9.4632 \cdot N$
协议2	4N/2	144N/2	$(6 T_{H} + 4 T_{KDF} + 3 T_{E / D}) \cdot N / 2 =8 .846145 \cdot N$
协议3	6N/2	164N/2	$(4 T_{H} + 7 T_{KDF} + 3 T_{E / D}) \cdot N / 2 = 9.22068 \cdot N$
协议4	5N	112N	$(4 T_{H} + 2 T_{KDF} + 2 T_{E / D}) \cdot N = 0.01093386 \times 10^{3} \cdot N$
注：文献[24]-1：文献[24]中认证双方基于预共享密钥的认证过程；文献[24]-2：文献[24]中认证双方在可信第三方协助下的认证过程；
协议1：星地认证；协议2：高轨卫星星地和星间认证；协议3：层间和同轨道低轨卫星间认证；协议4：相邻轨道低轨卫星间认证。

表2

图9

表3

图10

表4

参考文献 28

[1]	CHEN S Z , SUN S H , KANG S L . System integration of terrestrial mobile communication and satellite communication—the trends,challenges and key technologies in B5G and 6G[J]. China Communications, 2020,17(12): 156-171.
[2]	LIN M , HUANG Q Q , COLA T D ,et al. Integrated 5G-satellite networks:A perspective on physical layer reliability and security[J]. IEEE Wireless Communications, 2020,27(6): 52-159.
[3]	CHIHA A , WEE M V , GORATTI L ,et al. Techno-economic analysis of inflight connectivity using an integrated satellite-5G network[J]. International Journal of Satellite Communications and Networking, 2020,39(4): 322-338.
[4]	VLK F , SCHWARZ R T , LORENZ M ,et al. Emergency 5G communication on‐the‐move:Concept and field trial of a mobile satellite backhaul for public protection and disaster relief[J]. International Journal of Satellite Communications and Networking, 2020,39(4): 417-430.
[5]	HE D J , LI X R , CHAN S ,et al. Security analysis of a space-based wireless network[J]. IEEE Network, 2019,33(1): 36-43.
[6]	张桐 . 天地一体化网络中攻击检测的研究与实现[D]. 北京:北京邮电大学, 2020.
	ZHANG T . The research and realization of attack detection in the space ground integrated network[D]. Beijing:Beijing University of Posts and Telecommunications, 2020.
[7]	SAEED N , ALMORAD H , DAHROUJ H ,et al. Point-to-point communication in integrated satellite-aerial 6G networks:State-of-the-art and future challenges[J]. IEEE Open Journal of the Communications Society, 2021,2: 1505-1525.
[8]	易克初, 李怡, 孙晨华 ,等. 卫星通信的近期发展与前景展望[J]. 通信学报, 2015,36(6): 157-172.
	YI K C , LI Y , SUN C H ,et al. Recent development and its prospect of satellite communications[J]. Journal on Communications, 2015,36(6): 157-172.
[9]	王璇 . 低轨卫星网络高效安全组网研究[D]. 西安:西安电子科技大学, 2019.
	WANG X . Research on efficient and secure networking in LEO satellite networks[D]. Xi’an:Xidian University, 2019.
[10]	朱晓攀 . 大规模低轨宽带卫星网络路由关键技术研究[D]. 北京:中国科学院大学, 2020.
	ZHU X P . Research on key routing technologies of large-scale low earth orbit broadband satellite network[D]. Beijing:University of Chinese Academy of Sciences, 2020.
[11]	徐志博, 马恒太 . 一种用于卫星网络安全认证的协议设计与仿真[J]. 计算机工程与应用, 2007,43(17): 130-132.
	XU Z B , MA H T . Design and simulation of security authentication protocol for satellite network[J]. Computer Engineering and Applications, 2007,43(17): 130-132.
[12]	ZHONG Y T , MA J F . A highly secure identity-based authenticated key-exchange protocol for satellite communication[J]. Journal of Communications and Networks, 2012,12(6): 592-599.
[13]	高婧, 黄望宗 . 基于ELGama1数字签名的卫星网络认证方案[J]. 计算机工程与设计, 2011,32(12): 3980-3982.
	GAO J , HUANG W Z . Satellite network authentication scheme based on ELGamal digital signature[J]. Computer Engineering and Design. 2011,32(12): 3980-3982.
[14]	任方, 马建峰, 郝选文 . 空间信息网基于证书的混合式公钥基础设施[J]. 吉林大学学报:工学版, 2012,42(2): 440-445.
	REN F , MA J F , HAO X W . Certificate-based hybrid public key infrastructure for space information networks[J]. Journal of Jilin University (Engineering Edition), 2012,42(2): 440-445.
[15]	LIU Y , NI L Q , PENG M G . A secure and efficient authentication protocol for satellite-terrestrial networks[J]. IEEE Internet of Things Journal, 2022.
[16]	ROY C A , BARAS J S . A lightweight certificate-based source authentication protocol for group communications in hybrid wireless/satellite networks[C]// IEEE Global Telecommunications Conference, 2009.
[17]	张子剑, 周琪, 张川 ,等. 新的低轨星座组网认证与群组密钥协商协议[J]. 通信学报, 2018,39(6): 150-158.
	ZHANG Z J , ZHOU Q , ZHANG C ,et al. New low-earth orbit satellites authentication and group key agreement protocol[J]. Journal on Communications, 2018,39(6): 146-158.
[18]	徐畅, 陈雨馨, 黄聪裕 ,等. 一种高轨卫星组网认证及可信保持协议[J]. CN107979408A, 2018.
	XU C , CHEN Y X , HUANG C Y ,et al. A high-orbit satellite network authentication and credibility retention protocol[J]. CN107979408A, 2018.
[19]	徐畅, 童逍瑶, 周琪 ,等. 一种轻量级低轨星座组网认证与群组密钥协商协议[J]. CN108055663A, 2018.
	XU C , TONG X Y , ZHOU Q ,et al. A lightweight low-orbit constellation network authentication and group key agreement protocol[J]. CN108055663A, 2018.
[20]	武衡 . 卫星安全组网认证关键技术研究[D]. 西安:西安电子科技大学, 2019.
	WU H . Research on key technology of satellite network security authentication[D]. Xi’an:Xidian University, 2019.
[21]	XUE K P , MENG W , ZHOU H C ,et al. A lightweight and secure group key based handover authentication protocol for the software-defined space information network[J]. IEEE Transactions on Wireless Communications, 2020,19(6): 3673-3684.
[22]	刘渊, 张浩, 叶海洋 ,等. 面向天地一体化信息网络的卫星链路仿真研究[J]. 通信学报, 2018,39(4): 56-67.
	LIU Y , ZHANG H , YE H Y ,et al. Research on satellite link emulation for space-ground integration information network[J]. Journal on Communications, 2018,39(4): 56-67.
[23]	韩旭, 陆思奇, 程庆丰 . 形式化工具 Scyther 优化与实例分析[J]. 信息安全研究, 2016,2(3): 272-279.
	HAN X , LU S Q , CHEN Q F . The improvement and instance analysis of the formal verification tool Scyther[J]. Journal of Information Security Research, 2016,2(3): 272-279.
[24]	HUANG C Y , ZHU L H , LI C L ,et al. A new satellite constellation networking certification and reliable maintenance protocol(DISA)[C]// Proceedings of 30th International Conference on Software Engineering and Knowledge Engineering, 2018.
[25]	朱辉, 武衡, 赵海强 ,等. 适用于双层卫星网络的星间组网认证方案[J]. 通信学报, 2019,40(3): 1-9.
	ZHU H , WU H , ZHAO H Q ,et al. Efficient authentication scheme for double-layer satellite network[J]. Journal on Communications, 2019,40(3): 1-9.
[26]	朱辉, 武衡, 张林杰 ,等. 适用于低轨卫星网络的星间组网认证系统及方法[J]. CN109547213A, 2019.
	ZHU H , WU H , ZHANG L J ,et al. Inter-satellite networking authentication system and method suitable for low-orbit satellite network[J]. CN109547213A, 2019.
[27]	YANG Q Y , XUE K P , XU J ,et al. AnFRA:anonymous and fast roaming authentication for space information network[J]. IEEE Transactions on Information Forensics and Security, 2019,14(2): 486-497.
[28]	MA R H , CAO J , FENG D G ,et al. LAA:lattice-based access authentication scheme for IoT in space information networks[J]. IEEE Internet of Things Journal, 2020,7(4): 2791-2805.

密码运算	计算时间/μs
T_ME	0.53 × 10³
T_sign	0.73 × 10³
T_ver	0.44 × 10³
T_H	1.21
T_{E /D}	1.05
T_KDF	1.23