Authors: Chen Yikai (陈逸恺), Cai Quanwei (蔡权伟) [1,2,3,4], Wang Qiongxiao (王琼霄) [1,2,3,4]
Affiliations: [1] School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049; [2] Data Assurance and Communication Security Research Center, Chinese Academy of Sciences, Beijing 100093; [3] Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093; [4] State Key Laboratory of Information Security (Institute of Information Engineering, Chinese Academy of Sciences), Beijing 100093
Source: Journal of Information Security Research (《信息安全研究》), 2017, No. 6, pp. 501-508 (8 pages)
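Abstract (translated from the Chinese): Eduroam, i.e. education roaming, provides a global wireless roaming service for many research institutes and schools; staff within the Eduroam federation can use their home institution's account to access the wireless networks of other institutions in the federation. The Eduroam authentication process comprises the establishment of communication connections between directly communicating entities, the support of authentication protocols by the communication protocols, the construction of the server trust structure and the establishment of trust relationships, and mutual authentication between the mobile terminal and the identity server. Cryptographic algorithms are applied at several points in the Eduroam authentication process, for example to protect authentication information such as user names and passwords from disclosure and to help proxy servers establish trust relationships with each other. However, the Eduroam authentication process uses international cryptographic algorithms throughout. Considering that international cryptographic algorithms may contain vulnerabilities and backdoors in their principles and implementations, Eduroam may leak users' authentication information. Replacing the international cryptographic algorithms with domestic cryptographic algorithms can enhance the security of users' identity information to a certain extent, and this replacement will not have any effect on Eduroam's overall authentication system.

Abstract (English, as published): Eduroam, i.e. the education roaming, provides secure global wireless access roaming service for research institutions and schools. Members in the Eduroam alliance can access the WLAN in other organizations within the alliance using their account in their own institution, as users are authenticated by authentication servers of the users' own institutions. The authentication process in Eduroam contains the following contents: the establishment of communication connections between two direct communication entities, how communication protocols support the authentication protocol, the trust fabric Eduroam chooses to transmit packets between mobile devices and authentication servers, and the mutual authentication through which authentication servers and mobile devices authenticate each other. Cryptographic algorithms are used for various purposes, such as protecting authentication credentials from disclosure and helping proxy servers establish trust relationships. However, all of these cryptographic algorithms are international standards, which may bring potential security compromise that we don't know. Replacing international cryptographic algorithms with national cryptographic algorithms can strengthen the security of the authentication progress to a certain degree. And such replacement will not influence the authentication system at all. Although we can't change cryptographic algorithms supported by servers and access points outside our state, we can require domestic mobile devices and servers to support national cryptographic algorithms. That still makes sense, especially in protecting authentication credentials.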
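Keywords: wireless access; cross-domain identity authentication; domestic cryptographic algorithms; education roaming (Eduroam); Extensible Authentication Protocol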
Classification number: TP309.2 [Automation and Computer Technology - Computer System Architecture]