Journal of Information Security Research (信息安全研究) ›› 2017, Vol. 3 ›› Issue (6): 501-509.

• Special Issue on Electronic Authentication •

Analysis of the Application of Cryptographic Algorithms in Eduroam

Chen Yikai (陈逸恺)

  1. School of Cyber Security, University of Chinese Academy of Sciences
  • Received: 2017-06-19  Online: 2017-06-15  Published: 2017-06-19
  • Corresponding author: Chen Yikai (陈逸恺)
  • About the author: Master's student; main research interests are identity authentication and authorization management.


Abstract (translated from the Chinese): Eduroam (education roaming) provides a global wireless roaming service to many research institutes and universities; staff of institutions in the Eduroam federation can use the accounts of their home institution to access the wireless networks of other member institutions. The Eduroam authentication process comprises the establishment of the communication connection between directly communicating entities, the support that the communication protocols provide for the authentication protocol, the construction of the server trust structure and the establishment of trust relationships, and the mutual authentication between the mobile terminal and the identity server. Cryptographic algorithms are applied at several points in this process, for example to protect authentication information such as user names and passwords from disclosure, and to help proxy servers establish trust relationships with one another. However, the Eduroam authentication process uses international cryptographic algorithms throughout. Given that international cryptographic algorithms may contain vulnerabilities or backdoors in their design or implementation, Eduroam carries the possibility of leaking user authentication information. Replacing the international cryptographic algorithms with Chinese national (domestic) cryptographic algorithms can strengthen the security of user identity information to a certain degree, and such a replacement has no effect on the Eduroam authentication system as a whole.

Keywords (translated from the Chinese): wireless access, cross-domain identity authentication, domestic cryptographic algorithms, education roaming, Extensible Authentication Protocol

Abstract: Eduroam, i.e. education roaming, provides a secure global wireless roaming service for research institutions and schools. Members of the Eduroam alliance can access the WLAN of other organizations within the alliance using the account of their own institution, because users are authenticated by the authentication servers of their home institutions. The authentication process in Eduroam comprises the following: the establishment of communication connections between two directly communicating entities, how the communication protocols support the authentication protocol, the trust fabric that Eduroam uses to forward packets between mobile devices and authentication servers, and the mutual authentication through which authentication servers and mobile devices verify each other. Cryptographic algorithms are used for various purposes, such as protecting authentication credentials from disclosure and helping proxy servers establish trust relationships. However, all of these cryptographic algorithms are international standards, which may bring potential security compromises that we do not know of. Replacing international cryptographic algorithms with national cryptographic algorithms can strengthen the security of the authentication process to a certain degree, and such a replacement does not affect the authentication system at all. Although we cannot change the cryptographic algorithms supported by servers and access points outside our country, we can require domestic mobile devices and servers to support national cryptographic algorithms. That still makes sense, especially for protecting authentication credentials.

Key words: wireless access, cross-domain authentication, domestic cryptographic algorithm, education roaming, extensible authentication protocol