Authors: Lan Li [1], Li Jiakang, Bai Tiaohong (School of Electronic and Information Engineering, Lanzhou Jiaotong University, Lanzhou 730070)
Affiliation: [1] School of Electronic and Information Engineering, Lanzhou Jiaotong University, Lanzhou 730070
Source: Journal of Information Security Research (信息安全研究), 2024, No. 12, pp. 1165-1171 (7 pages)
Funding: Natural Science Foundation of Gansu Province (20JR10RA218); National Natural Science Foundation of China (61762057).
Abstract: The railway time synchronization protocol lacks client authentication and transmits its key messages in plaintext. To address both problems, this paper proposes a more secure mutual authentication scheme for authentication and key establishment between time nodes. The scheme combines an asymmetric cryptographic mechanism with ECDH (elliptic curve Diffie-Hellman) to negotiate a shared key securely, uses the host's current time as a sequence number to resist replay attacks, and completes mutual authentication with an identity check code derived from the shared key and the sequence number. The shared key is then used to encrypt the subsequent key messages, which removes their plaintext transmission. The scheme thus closes the client-authentication gap and also provides forward and backward secrecy. Finally, the scheme is formally verified with BAN logic; the results show that it outperforms comparable methods in security and authentication overhead and meets the security and real-time requirements of mutual authentication in the railway time synchronization protocol.
Keywords: railway time synchronization protocol; ECDH key agreement; identity check code; mutual authentication; BAN logic
Classification: TP309.7 [Automation and Computer Technology: Computer System Architecture]
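The abstract gives the handshake only in outline. The block below is an added illustration written for this page; it is not the paper's code and not an implementation of any railway protocol. It models the exchange with X25519 as the ECDH primitive (a pure-Python RFC 7748 ladder, so it runs offline), the host's current time in milliseconds as the sequence number, and an HMAC-SHA256 identity check code keyed by the shared key. The three-message layout, the inputs to the check code, the 500 ms skew window, the per-peer replay state and the SHA-256 key derivation are all assumptions. The paper's asymmetric mechanism for binding the exchanged public keys to long-term node identities is not described on the page and is not modelled here, so the check codes in this example prove only that both sides derived the same key from the exchanged public keys.

```python
import hashlib
import hmac
import secrets
import struct

P = 2**255 - 19                      # X25519 field prime (RFC 7748)
A24 = 121665
BASE_U = (9).to_bytes(32, "little")
WINDOW_MS = 500                      # assumed tolerated clock skew between time nodes


def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 Montgomery ladder: scalar k times u-coordinate u."""
    kb = bytearray(k)
    kb[0] &= 248; kb[31] &= 127; kb[31] |= 64       # clamp the scalar
    k_int = int.from_bytes(kb, "little")
    ub = bytearray(u); ub[31] &= 127
    x1 = int.from_bytes(ub, "little") % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        bit = (k_int >> t) & 1
        swap ^= bit
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def derive_key(sk, peer_pub):
    # Shared key = SHA-256 of the raw ECDH output (the KDF is an assumption)
    return hashlib.sha256(x25519(sk, peer_pub)).digest()


def check_code(key, role, id_a, id_b, seq_a, seq_b):
    # Identity check code: HMAC under the shared key over the role, both node
    # identities and both timestamp sequence numbers (input layout is assumed)
    msg = role + id_a + id_b + struct.pack(">QQ", seq_a, seq_b)
    return hmac.new(key, msg, hashlib.sha256).digest()


class TimeNode:
    """A time node: ephemeral X25519 key pair plus per-peer replay state."""

    def __init__(self, node_id):
        self.id, self.key = node_id, None
        self.sk = secrets.token_bytes(32)
        self.pub = x25519(self.sk, BASE_U)
        self.last_seq = {}           # peer id -> newest accepted timestamp (ms)

    def fresh(self, peer_id, seq, now_ms):
        # Host-time sequence number: inside the skew window and strictly newer
        # than the last value accepted from this peer, so a replay is rejected
        if abs(now_ms - seq) > WINDOW_MS or seq <= self.last_seq.get(peer_id, -1):
            return False
        self.last_seq[peer_id] = seq
        return True


def handshake(client, server, now_c, now_s):
    """Three-message mutual authentication; True when both codes verify."""
    # M1 client -> server: id, ephemeral public key, client timestamp
    id_c, pub_c, seq_c = client.id, client.pub, now_c
    if not server.fresh(id_c, seq_c, now_s):
        return False
    server.key = derive_key(server.sk, pub_c)
    seq_s = now_s
    # M2 server -> client: id, ephemeral public key, server timestamp, code
    code_s = check_code(server.key, b"S", server.id, id_c, seq_c, seq_s)
    if not client.fresh(server.id, seq_s, now_c):
        return False
    client.key = derive_key(client.sk, server.pub)
    expect_s = check_code(client.key, b"S", server.id, client.id, seq_c, seq_s)
    if not hmac.compare_digest(code_s, expect_s):
        return False
    # M3 client -> server: code over the server's timestamp under the same key
    code_c = check_code(client.key, b"C", client.id, server.id, seq_s, seq_c)
    expect_c = check_code(server.key, b"C", id_c, server.id, seq_s, seq_c)
    return hmac.compare_digest(code_c, expect_c)


if __name__ == "__main__":
    c, s = TimeNode(b"client-01"), TimeNode(b"server-01")
    print("first run:", handshake(c, s, 1_700_000_000_000, 1_700_000_000_120))
    print("replayed M1:", handshake(c, s, 1_700_000_000_000, 1_700_000_000_400))
```

After a successful run both nodes hold the same `key`, which is what the paper then uses to encrypt the subsequent key messages (the cipher is not specified on the page, so none is shown). Replaying the client's first message is rejected by the server's per-peer sequence state even though the replay still falls inside the skew window; a replay against a freshly started server with no state would only be caught by the window, which is why the window must be small relative to the time it takes an attacker to capture and resend a message.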