适用于铁路时间同步协议的双向身份认证方案

信息安全研究 ›› 2024, Vol. 10 ›› Issue (12): 1165-.

适用于铁路时间同步协议的双向身份认证方案

兰丽李佳康白跳红

(兰州交通大学电子与信息工程学院兰州730070)

出版日期:2024-12-25 发布日期:2024-12-30
通讯作者: 兰丽博士，副教授.主要研究方向为铁路信息安全、交通信息工程及控制. lanli_laoshi@mail.lzjtu.cn
作者简介:兰丽博士，副教授.主要研究方向为铁路信息安全、交通信息工程及控制. lanli_laoshi@mail.lzjtu.cn 李佳康硕士研究生.主要研究方向为铁路信息安全. ljk123450228@163.com 白跳红硕士.主要研究方向为铁路信息安全. 1766955129@qq.com

Twoway Authentication Scheme for Railway Time Synchronization Protocol

Lan Li, Li Jiakang, and Bai Tiaohong

(School of Electronic and Information Engineering, Lanzhou Jiaotong University, Lanzhou 730070)

Online:2024-12-25 Published:2024-12-30

摘要/Abstract

摘要： 针对铁路时间同步协议客户端认证缺失、关键消息明文传输等问题，提出一种更安全的双向身份认证方案，用于时间节点之间的认证和密钥建立.方案采用非对称加密机制和ECDH(elliptic curve DiffieHellman)算法安全协商共享密钥，运用主机当前时间作为序列号抵抗重放攻击，由共享密钥和序列号产生的身份校验码完成双向身份认证.随后用共享密钥加密保护之后的关键消息，解决了关键消息明文传输的问题.该方案不仅解决了客户端认证缺失的问题，而且还具有前后向安全性.最后，采用BAN逻辑进行形式化验证，结果表明：该方法在安全性、认证开销方面较其他方法更优，能够满足铁路时间同步协议双向身份认证安全性和实时性的要求.

关键词: 铁路时间同步协议, ECDH密钥协商算法, 身份校验码, 双向身份认证, BAN逻辑

Abstract: Aiming at the problems of missing authentication of the client of railroad time synchronization protocol and plaintext transmission of key messages, a more secure bidirectional authentication scheme is proposed for authentication and key establishment between time nodes. The scheme adopts asymmetric encryption mechanism and ECDH (elliptic curve DiffieHellman) algorithm to securely negotiate the shared key, applying the host’s current time as the sequence number to resist replay attacks, and completing the bidirectional authentication by the identity checking code generated from the shared key and the sequence number. The shared key and the identity check code generated from the sequence number complete the bidirectional authentication. Subsequently, the shared key is used to encrypt and protect the key messages, which solves the problem of plaintext transmission of key messages. This scheme not only solves the problem of missing client authentication, but also provides forward and backward security. Finally, BAN logic is used for formal verification, and the results show that the method in this paper is better than other methods in terms of security and authentication overhead, and can meet the requirements of security and realtime of twoway authentication of railroad time synchronization protocol.

Key words: railroad time synchronization protocol, ECDH key negotiation algorithm, identity check digit, twoway authentication, BAN logic

中图分类号:

TP309.7

兰丽, 李佳康, 白跳红, . 适用于铁路时间同步协议的双向身份认证方案[J]. 信息安全研究, 2024, 10(12): 1165-.

参考文献

［1］谢衡元. 解读铁道行业标准《铁路时间同步网技术条件》［J］. 铁道技术与监督, 2016, 44(7): 69［2］兰丽, 王潇霖. 铁路时间同步网挑战应答身份认证安全性分析［J］. 中国安全科学学报, 2022, 32(11): 18［3］卢俊凯. 可信互联网时间服务系统研究与开发［D］. 西安: 西安电子科技大学, 2020: 2736［4］Mkacher F, Bestel X, Duda A. Secure time synchronization protocol［C］ Proc of Int Symp on Precision Clock Synchronization for Measurement, Control, and Communication. Piscataway, NJ: IEEE, 2018: 16［5］Dowling B, Stebila D, Zaverucha G. Authenticated network time synchronization［C］ Proc of the 25th USENIX Security Symposium. Berkeley, CA: USENIX Association, 2016: 823840［6］Cheng Zijing, He Lei, Zhao Jingling, et al. A security enhanced IEEE1588 protocol for deepspace environment［C］ Proc of the 9th Int Conf on P2P, Parallel, Grid, Cloud and Internet Computing. Piscataway, NJ: IEEE, 2014: 913［7］Yang Jun, Guo Yong, Cheng Zijing, et al. Space time protocol based on IEEE1588［C］ Proc of the 10th Int Conf on Broadband and Wireless Computing, Communication and Applications. Piscataway, NJ: IEEE, 2015: 359363［8］魏松杰, 李莎莎, 王佳贺. 基于身份密码系统和区块链的跨域认证协议［J］. 计算机学报, 2021, 44(5): 908920［9］陈永, 詹芝贤, 刘雯. 下一代高速铁路LTER时间同步网协议脆弱性分析［J］. 铁道学报, 2023, 45(1): 6374［10］王志强, 黄玉洁, 庞舒方, 等. 面向远程医疗信息系统的认证密钥交换协议［J］. 信息安全研究, 2023, 9(11): 11021110［11］马俊明. 一种防止重放攻击的设计方案［J］. 网络安全技术与应用, 2022 (2): 1517［12］赵波, 向程, 张焕国. 一种抵御中间人攻击的可信网络连接协议［J］. 计算机学报, 2019, 42(5): 11371148［13］Franke D, Sibold D, Teichel K, et al. Network time security for the network time protocol［EBOL］. RFC 8915, 2020 ［20240723］. https:www.hjp.atdocrfcrfc8915.html