Smart Card Based Protocol for Secure and Controlled Access

Of Mobile Host in IPv6 Compatible

Foreign Network

954203020 郭啟揚954203039 鄭志瑋954203057 蔡繼正

Outline(1/1) Introduction Smart Card Java Card AAA architecture

RADIUS Diameter

Network layer security using IPv6 IP Source Address Filtering IPsec

User registration protocol Comment

Introduction IPsec +PKI

耗損運算能力、頻寬 難實作

Smart card+IPv6+ IPsec AAA(Authentication , Authorization , Accounting) MAP(Mobile Authentication Protocol)

AAA 、 Java Applet 、加密 function 、 AR 的實作、 ipv6 、LSA 、 URP 、 IPsec

Smart Card(1/4)

Magnetic Stripe cards Smart card (IC 卡，晶片卡、智慧卡 )

Memory card Microprocessor card Java Card

Smart Card(2/4)

Memory Cards Memory Cards

Capacity ： 64KB to 1MB Ex ： pre-paid telephone card

Optical memory card Capacity ： 4MB Ex ： personal identification card

Smart Card(3/4)

Microprocessor Cards Contact Cards

IC 電話卡、 IC金融卡 Contactless Cards

捷運悠遊卡 Combi Cards

第二代信用卡

Smart Card(4/4)

Java Card(1/2)

JAVA 卡之前的智慧卡 需求上升，新應用誕生 APIs 非常複雜 沒有一個通用的開發環境 不同廠商相同應用的卡不相容

Java Card(2/2)

Java Card 支援一卡多用途 可重用性 Jave Applets 易實作 Applets 可於任何 java-based 環境執行 使用 Java API 撰寫的卡片彼此相容

AAA architecture AAA

Authentication Authorization Accounting

Protocol RADIUS

Remote Authentication Dial In User Service Diameter

RADIUS(1/2)

RADIUS(2/2)

缺點 Low security guarantee Low scalability Low Transmission reliability Low AVP (Attribute Value Pair) space 256 Heavy processing requirement

Diameter(1/4)

Diameter(2/4) TCP or SCTP

(Stream Control Transmission protocol) 支援 retransmission 和 windowing flow Proxy 必需 ack 每一個 packet 它解決了 Radius 相關問題

Connection disruption Silent discard congestion

Diameter(3/4)

CMS (Cryptographic Message Syntax) 安全性高 End to end Digital signature and encryption

Diameter(4/4) 優點

較大的 AVP space 2^32 用 time stamp 解決 Replay attack 擴充性高 Payload 調整為 32bit

Network layer security using IPv6

IP Source Address Filtering IPsec

IP Source Address Filtering

ServerNetwor ResourcePC

MH

MH

AR

Drop

Pass

Not granted

DHCP

User identity

IP

Share key Share key

IPsec(2/5)

IPsec 協定 AH (Authentication Header) ESP (Encapsulating Security Payload)

IPsec 通道 Transport mode Tunnel mode

IPsec(3/5)

IPsec(4/5)

IPsec(5/5) SA(Security Association)

Unidirectional SAin SBout ： SBin SAout 相同的 key 、加密參數

SA bundle A triple

Destination IP address Protocol identifier (ESP 、 AH) SPI (Security parameter index)

Store in SADB(Security Association Database)

實作： FreeS/WAN

User registration protocol(1/4)

AAA server AAAh (AAA server in the home network of

the MH) AAAv (AAA server in the visited network)

SA (Security Association) Inter-domain SA Local SA

Temporary Shared key (TSK)

User Registration Protocol(2/4) URP (User Registration Protocol) MAP (Mobile Authentication Protocol )

Implementation of URP Use EAPoUDP (EAP format) Communicate with clients TSK

Diameter (AAA) Communicate with AAA server

MH AR AAAh

User registration protocol(3/4)

LSA

IPsec

TSK

TSK

TSK

Local challengeVN_ID

Care of address

AUTH=HMAC-MD5(LC,user_id,VN_ID,SAmh)

User Name AVP:user_id

Extract LC , user_id , AUTH,VN_ID, MH_Ipaddr

EAP AVP:AUTH

Care of IP:MH_Ipaddr

AAA Registration Request

Challenge AVP:LC

AUTH==HMAC-MD5(LC,user_id,VN_ID,SAmh)HC,AUTHNET,Randtsk

AUTHNET=HMAC-MD5(HC,user_id,VN_ID,SAmh)TSK=3DES(Randtsk,SAmh)

ARA (Randtsk,HC,TSK,VN_ID,user_id,Authnet)

EAP format

AUTH=HMAC-MD5(HC,user_id,VN_ID,SAmh)AUTH==AUTHNET

EAP format

Implementation detail

Extensible Authentication Protocol AAA Registration Request

Comment(1/2)

縮寫 IKE MAP

本名 Internet key

Exchange

Mobile Authentication

Protocol

技術 Two phase Temporary share key

訊息數 6+3=9 3

其他 PKI+IKE IPsec +IPv6+ Smart card

Comment(2/2)縮寫 PKI MAP

本名 Public key infrastructu

re

Mobile Authentication

Protocol

安全性 低 高Key Key 不能失去 key 定時更新建置 難 易成本 高 低key 竊取

容易 不易

所以 MAP 將會是未來的趨勢你認為呢？

Thank you for attentionQ&A