無線網際網路之快速換手的安全與頻寬保留機制

Abstract

在本論文中，我們提出兩套群體認證與金鑰分配機制（group-based authentication and key agreement scheme）、一種快速安全認證機制（fast authentication scheme）和兩種行動頻寬保留機制（mobile resource reservation scheme）。使用者在漫遊網路中針對不間斷的即時服務（real-time services）可以利用這些機制快速執行互相認證、建立安全連線與完成頻寬保留進而完成使用者的服務品質保證（Quality of Services）。

群體認證與金鑰分配機制是基於群體概念所設計出來的，使用群體概念可以減少認證訊息的傳送，也可以降低服務網路儲存空間的浪費。所以群體認證與金鑰分配機制可以加快每一個使用者認證時間，同時也避免因為認證時間過長，而造成使用者即時服務中斷。我們分別考量使用者群組與同時考量使用者群組及服務網路群組提出了兩種群體認證分配機制—以群體金鑰為基底的群體認證與金鑰分配機制與以群體簽章為基底的群體認證與金鑰分配機制。在以群體金鑰為基底的群體認證與金鑰分配機制中，一旦使用者群組裡面其中一個使用者完成認證與金鑰分配之後，相對應的服務網路會取得所謂的群體認證資料。服務網路得到群體認證資料意味著得到使用者群組的家網路的充分授權，此時，服務網路與使用者群組裡面的每一位使用者完成互相認證與金鑰分配流程而不再需要使用者家網路的加入。與以群體金鑰為基底的群體認證與金鑰分配機制最大的不同是，以群體簽章為基底的群體認證與金鑰分配機制的群體概念不僅採用使用者群組，也同時採用服務網路群組。也就是說，一旦使用者群組裡面其中一個使用者與服務網路群組中其中一個服務網路完成互相認證與金鑰分配流程，使用者群組裡面的每一個使用者可以與服務網路群組裡面的每一個服務網路快速完成彼此互相認證與金鑰分配，而不再需要使用者家網路的參與。

針對即時服務的頻寬保證，在無線區域網路與無線網狀網路下，我們進一步提出快速認證機制，進而縮短使用者在漫遊時認證所需要的時間。在不失去安全性的情況下，使用者利用快速認證機制可以在漫遊時快速與網路端互相認證，並且同時建立安全連線，而不需要再一次執行認證與金鑰分配流程。在多躍步網路中，我們提出整合安全領域機制。整合安全領域機制以不影響IEEE 802.11i RSN之安全性為前提，消除安全機制於multi-hop網路拓樸所產生之繞送效能耗損，並以無線網狀網路(WLAN Mesh Networks)為例，降低inter-MAP換手延遲，使無線網狀網路可提供即時性服務更良好的QoS支援。

為了支援使用者漫遊，提供不間斷且保有連線品質的即時服務，我們利用行動智慧代理人（Mobile Intelligent Agent）提出了行動使用者頻寬保留機制。使用此機制可以很快的在使用者的相鄰網路建立具有品質保證的備份連線，一旦使用者漫遊到相鄰網路，可以立即使用具有品質保證的備份連線，減少換手的等待時間。這個機制不僅降低使用者連線的斷線率，同時也增加了頻寬的利用率。針對整網行動(network mobility)方面，我們也提出訊息整合機制。此機制不但自動幫助使用者維護連線品質，同時也整合在整網行動之網路的控制訊息，進而提高整網行動網路的頻寬利用率。

透過使用G-AKA, ISD, IARSVP或MBA四個機制，無線網路可提供即時性服務更良好的服務品質支援。當使用者在網路中漫遊時，透過G-AKA和ISD，使用者可以與網路快速認證，建立安全連線。透過IARSVP和MBA，使用者可以獲得即時服務所需要的頻寬，進而降低即時服務中斷率。我們可以在適當的時候採用G-AKA, ISD, IARSVP或MBA的機制，提供更好品質的即時性服務。

In this thesis, we propose several security and bandwidth mechanisms to support fast handover in wireless networks. In wireless network, a mobile node (MN) or a network moves as a whole, henceforth referred to as network mobility or NEMO for short, may move from one location to another. When an MN or a NEMO enter a new location, it may need to perform authentication and key agreement (AKA), re-authentication, and resource reservations. These three processes are normally time consuming and may affect the Quality of Service (QoS) of real–time applications, such as Voice over IP (VoIP). This thesis aims to propose new mechanisms to reduce or eliminate the latency caused by the above three processes.

In order to resolve the time-consuming AKA process, we propose two Group-based AKA (G-AKA) schemes, that is, Group Key-based AKA (GK-AKA) scheme and Group Signature-based AKA (GS-AKA) scheme, to shorten authentication process. Experimental results show that G-AKA schemes not only can reduce authentication latency but also the number of signal messages between a network visited by an MN and the MN's home network. In addition, G-AKA schemes can retain the same security level as the other AKA protocols do.

For the re-authentication process, we present an integrated security domain (ISD) mechanism for multi-hop network, such as wireless LAN Mesh Networks, to reduce the re-authentication delays. The ISD mechanism integrates the security domains of an IEEE 802.11i WLAN and an IEEE 802.11s Mesh Network so that it not only can reduce the number of authentications but also eliminate the overhead caused by the link layer security protocols.

As for the resource reservations process, we propose a mobile Intelligent Agent-based Resource reSerVation apProach (IARSVP) that can support QoS aware packet transmissions for mobile IP (MIP) networks. Mobile Intelligent Agents (MIAs) are characterized by their ability to move across wide-area networks, operate autonomously on foreign hosts, and perform tasks on behalf of the originating hosts. With MIAs, IARSVP can allocate resources in advance for neighbor locations an MN may visit next. MIAs carries the mobility security association, QoS requirement and administration specification, and associated executable codes of an MN. Therefore, they can perform location updates on behalf of the MN, and adjust autonomously in accordance with the network topology and resource usage when locating the forwarding points (FP) for the MN. As a consequence, IARSVP can avoid redundant resource reservations made in common routes, support route optimization and regional registration naturally, and discover alternative routes dynamically.

Furthermore, in order to resolve the mobility unawareness and excessive signals problems for all nodes inside a NEMO, we present a Mobile Bandwidth-Aggregation (MBA) reservation scheme to support QoS guaranteed services for NEMOs. In MBA, the mobile router (MR) of a NEMO is the proxy that aggregates and reserves the bandwidth required for all nodes inside the NEMO. Mathematical analysis and simulation results show that the proposed MBA scheme can significantly reduce the signal overhead for bandwidth reservations and maintenance. Furthermore we also conduct simulation to evaluate the performance of MBA in terms of blocking probabilities and bandwidth utilizations under three different reservation policies.

With the aforementioned G-AKA and ISD schemes, an MN not only can speedup AKA and re-authentication procedures but also reduce the number of signal messages exchanged between a visiting network and the home network. Furthermore, with IARSVP and MB, an MN or a NEMO can make resource reservations more effectively. Hopefully, these schemes can help to provide better QoS for real-time services when applicable.