基于证书的有线局域网安全关联方案改进与分析

Improvement and analysis of certificate-based wired local area network security association scheme

在基于三元对等鉴别(TePA)的有线局域网(LAN)媒体访问控制安全(TLSec)中,基于证书的LAN安全关联方案在交换密钥建立过程中存在通信浪费和不适用于可信计算环境的问题。为了解决这两个问题,首先提出了一种改进的基于证书的LAN安全关联方案。该方案简化了新加入交换机与各个不相邻交换机之间的交换密钥建立过程,从而提高了交换密钥建立过程的通信性能。然后,在该方案基础上提出了一种可信计算环境下的基于证书的LAN安全关联方案。该方案在基于证书的鉴别过程中增加了对新加入终端设备的平台认证,从而实现了新加入终端设备的可信网络接入,能有效防止新加入终端设备将蠕虫、病毒和恶意软件带入LAN。最后,利用串空间模型(SSM)证明了这两个方案是安全的。此外,通过定性和定量的对比分析可知,这两个方案要优于相关文献所提出的方案。

In the Tri-element Peer Authentication(TePA)-based wired Local Area Network(LAN)media access control Security(TLSec),the certificate-based wired LAN security association scheme has communication waste in the exchange key establishment processes and is not suitable for trusted computing environment.To solve these two problems,firstly,an improved certificate-based wired LAN security association scheme was proposed.In this scheme,the exchange key establishment process between the newly added switch and each nonadjacent switch was simplified,thus improving the communication performance of the exchange key establishment processes.Then,a certificate-based wired LAN security association scheme for trusted computing environment was proposed based on the above scheme.In this scheme,the platform authentication of the newly added terminal devices was added in the process of certificate-based authentication,so as to realize the trusted network access of the newly added terminal devices,and effectively prevent the newly added terminal devices from bringing worms,viruses and malicious softwares into the wired LAN.Finally,the two schemes were proved secure by using the Strand Space Model(SSM).In addition,through qualitative and quantitative comparative analysis,the two schemes are better than those proposed in related literatures.