基于身份认证的BACnet/IP分析与改进  

作　　者：谢鹏寿[1] 朱家锋 康永平[2] 冯涛[1] 李威[1] 冉玉翔 XIE Pengshou;ZHU Jiafeng;KANG Yongping;FENG Tao;LI Wei;RAN Yuxiang(School of Computer and Communications,Lanzhou University of Technology,Lanzhou 730050,China;School of Mechanical and Electrical Engineering,Lanzhou University of Technology,Lanzhou 730050,China)

机构地区：[1]兰州理工大学计算机与通信学院,甘肃兰州730050 [2]兰州理工大学机电工程学院,甘肃兰州730050

出　　处：《通信学报》2024年第3期227-243,共17页Journal on Communications

基　　金：国家自然科学基金资助项目(No.61862040,No.62162039)。

摘　　要：为了解决BACnet/IP身份认证存在多种可攻击漏洞和密钥泄露带来的安全问题,提出了一种安全增强的BACnet/IP-SA协议认证方案。研究协议身份认证消息流模型,基于着色Petri网理论和CPNTools对身份认证消息流建模,采用Dolev-Yao攻击者模型和形式化分析方法对BACnet/IP进行安全性分析,发现协议漏洞并提出改进方案。BACnet/IP-SA协议使用设备的伪身份来保护真实身份信息,使用PUF响应进行认证,通过多信息集合的验证值来验证端身份的真实性并生成会话密钥。结合BAN逻辑和非形式化方法,对协议的安全性进行了证明。实验结果表明,所提方案能有效抵抗多类攻击和密钥泄露带来的安全威胁,在减少计算开销的同时增强了协议身份认证的安全性。To solve security issues arising from multiple attackable vulnerabilities and key leakage in BACnet/IP authentication,a security-enhanced BACnet/IP-SA protocol authentication scheme was proposed.By analyzing the authentication message flow model of the protocol and modeling it using colored Petri net theory and CPN Tools,vulnerabilities in the security of BACnet/IP were identified.An improvement scheme was proposed based on the Dolev-Yao attacker model and formal analysis method.The BACnet/IP-SA protocol utilized the device’s pseudo-identity to safeguard the actual identity information.It emploied the PUF response for authentication and verified the authenticity of the counterparty’s identity.The session key was generated through the authentication value of the multi-information set.The protocol’s security was demonstrated by combining BAN logic and non-formal methods.The experimental results indicate that the proposed scheme can effectively resist security threats from multi-class attacks and key leakage,enhancing the security of the protocol authentication while reducing computational overhead.

关 键 词：BACNET/IP 形式化分析 着色PETRI网 BAN逻辑 协议改进 

分 类 号：TP309[自动化与计算机技术—计算机系统结构]