铁路时间同步网挑战应答身份认证安全性分析

doi:10.16265/j.cnki.issn1003-3033.2022.11.2317

摘要/Abstract

摘要：

为保障铁路系统可靠稳定运行,提高铁路时间同步网安全防护能力,利用着色Petri网(CPN)分析铁路时间同步网身份认证的安全性。首先,基于Autokey模型的时间同步协议认证过程,建立基于公共参数的挑战应答身份认证过程的CPN模型,同时,利用该模型分析基于公共参数的挑战应答运行机制可能存在的漏洞。然后,建立中间人攻击下的挑战应答过程的CPN模型,并利用逆向状态分析法建立模型的状态方程,分析身份认证协议不安全状态的可达性。最后,利用CPN Tools软件仿真验证安全性分析结果。结果表明:CPN模型分析出铁路时间同步网挑战应答身份认证的过程存在安全漏洞,客户端对挑战应答报文源信息验证的缺乏,会导致中间人伪造的挑战应答报文可以通过客户端身份认证,实现操纵时间节点的目的。通过该模型演绎中间人的攻击序列,可为铁路时间同步网在制定安全防护策略时提供重要参考。

关键词: 铁路时间同步网, 挑战应答, 身份认证, 安全性分析, 着色Petri网(CPN), 中间人攻击

Abstract:

In order to ensure the reliable and stable operation of the railway system and improve the safety protection capability of the railway time synchronization network, CPN was used to analyze the safety of the identity authentication of the railway time synchronization network. Firstly, based on the Autokey model of the time synchronization protocol authentication process, the CPN model of the challenge-response identity authentication process based on public parameters was established. At the same time, this model was used to analyze the possible vulnerabilities of the challenge-response mechanism based on common parameters. Secondly, a CPN model of the challenge-response process under the man-in-middle attack was established. The state equation of the model was established by using the reverse state analysis method to analyze the reachability of the insecure state of the identity authentication protocol. Finally, the safety analysis results were simulated and verified by CPN Tools. The results show that the CPN model analyzes that there are safety vulnerabilities in the process of challenge-response authentication in the railway time synchronization network, and the client lacks the verification of the source information of the challenge-response packet. As a result, the forged challenge-response packet can be authenticated by the client to achieve the purpose of manipulating the time node. The model deduces the man-in-middle attack sequence, which provides an important reference for the safety protection strategy of the railway time synchronization network.

Key words: railway time synchronization network, challenge-response, identity authentication, safety analysis, colored Petri nets(CPN), man-in-middle attack

兰丽, 王潇霖. 铁路时间同步网挑战应答身份认证安全性分析[J]. 中国安全科学学报, 2022, 32(11): 1-8.

LAN Li, WANG Xiaolin. Safety analysis of challenge response authentication in railway time synchronization network[J]. China Safety Science Journal, 2022, 32(11): 1-8.

图/表 11

图1

图2

表1

表2

图3

表3

表4

表5

表6

ch1—ch4库所关联矩阵

库所	变迁
库所	T₂	T₃	T₄	T₅	T₉	$T 1 0$	T₁₆	T₁₇
ch₁	x₁	-x₁	—	—	—	—	—	—
ch₂	—	—	x₁	-x₁	—	—	—	—
ch₃	—	—	—	—	x₅	-x₅	—	—
ch₄	—	—	—	—	—	—	x₁₂	-x₁₂

表6

图4

图5

参考文献 12

[1]	谢衡元. 解读铁道行业标准《铁路时间同步网技术条件》[J]. 铁道技术监督, 2016, 44(7):6-9,14.
	XIE Hengyuan. Interpretation of the railway industry standard technical conditions for railway time synchronization network[J]. Railway Quality Control, 2016, 44(7):6-9,14.
[2]	兰丽, 张友鹏. 基于随机Petri网的铁路时间同步网协议脆弱性分析[J]. 铁道学报, 2017, 39(8):85-92.
	LAN Li, ZHANG Youpeng. Vulnerability analysis of railway time synchronization network protocol based on stochastic Petri net[J]. Journal of the China Railway Society, 2017, 39(8):85-92.
[3]	JONKER M, KING A, KRUPP J, et al. Millions of targets under attack:a macroscopic characterization of the DoS ecosystem[C]. Proceedings of the 2017 Internet Measurement Conference, 2017:100-113.
[4]	CZYZ J, KALLITSIS M, GHARAIBEH M, et al. Taming the 800 pound gorilla:the rise and decline of NTP DDoS attacks[C]. Proceedings of the 2014 Conference on Internet Measurement Conference, 2014:435-448.
[5]	MALHOTRA A, GOLDBERG S. Attacking NTP's authenticated broadcast mode[J]. Computer Communication Review, 2016, 46(2):12-17.
[6]	SCHIFF N R, SCHAPIRA M, DOLEV D, et al. Preventing (network) time travel with chronos[C]. Proceedings of the Applied Networking Research Workshop, 2018:1-15.
[7]	陈曦, 臧文驰, 马明, 等. 基于消息摘要加密的网络时间协议安全时间同步方法研究[J]. 全球定位系统, 2021, 46(5):84-91.
	CHEN Xi, ZANG Wenchi, MA Ming, et al. Research on secure NTP method based on message digest encryption[J]. GNSS World of China, 2021, 46(5):84-91.
[8]	赵庭达, 武晓春. 基于TCPN的铁路时间同步网延迟攻击应对策略研究[J]. 铁道标准设计, 2021, 66(8):1-8.
	ZHAO Tingda, WU Xiaochun. Research on countermeasures against delay attack of railway time synchronization network based on TCPN[J]. Railway Standard Design, 2021, 66(8):1-8.
[9]	MILLS D, MARTIN J, BURBANK J, et al. Network time protocol version 4:protocol and algorithms specification[R], 2010.
[10]	余敬芝, 燕飞, 牛儒. 基于Petri网的形式化安全分析方法[J]. 中国安全科学学报, 2019, 29(增2):138-143.
	YU Jingzhi, YAN Fei, NIU Ru. Formal safety analysis method based on Petri net[J]. China Safety Science Journal, 2019, 29(S2):138-143. doi: 10.16265/j.cnki.issn1003-3033.2019.S2.023
[11]	冯丽萍, 文超, 彭其渊. Petri网节点重要性评价[J]. 中国安全科学学报, 2015, 25(4):116-122.
	FENG Liping, WEN Chao, PENG Qiyuan. Cascading failures analysis based on importance evaluation of nodes in Petri nets[J]. China Safety Science Journal, 2015, 25(4):116-122.
[12]	张友鹏, 李天娇, 王锋, 等. 基于SPN的铁路时间同步网建模与性能分析[J]. 铁道学报, 2016, 38(10):55-61.
	ZHANG Youpeng, LI Tianjiao, WANG Feng, et al. Modeling and performance analysis of railway time synchronization network based on SPN[J]. Journal of the China Railway Society, 2016, 38(10):55-61.

库所	库所含义
a₁	客户端选择挑战数生成挑战请求报文
a₂	客户端解析挑战应答报文获得挑战数i
a₃	利用挑战数i计算参数z
a₄	客户端解析挑战应答报文获得H(z)
a₅	验证挑战应答报文通过
a₆	验证挑战应答报文失败
b₁	服务器收到挑战请求报文
b₂	服务器计算生成挑战数y
b₃	服务器计算生成参数x
b₄	对参数x进行哈希加密得到H(x)
b₅	服务器生成挑战应答报文
m₁	中间人截获客户端挑战请求报文
m₂	中间人接收服务器挑战应答报文
m₃	选择随机数i作为挑战数
m₄	中间人利用公共参数和挑战数计算参数z
m₅	对参数z进行哈希加密得到H(z)
m₆	中间人生成部分挑战应答报文
m₇	篡改后的挑战应答报文
ch₁	挑战请求报文
ch₂	中间人转发的挑战请求报文
ch₃	服务器的挑战应答报文
ch₄	中间人发送的挑战应答报文

变迁	变迁含义
T₁	选择随机数r作为挑战数
T₂	客户端发送挑战请求报文
T₃	中间人截获客户端挑战请求报文
T₄	中间人转发客户端挑战请求报文至服务器
T₅	服务器接收挑战请求报文
T₆	利用随机数k和公共参数计算参数x和挑战数y
T₇	对参数x进行哈希加密得到H(x)
T₈	挑战数y和H(x)组包生成挑战应答报文
T₉	服务器发送挑战应答报文
T₁₀	中间人接收服务器挑战应答报文
T₁₁	选择随机数i作为挑战数
T₁₂	中间人利用公共参数和挑战数计算参数z
T₁₃	对参数z进行哈希加密得到H(z)
T₁₄	挑战数i和H(z)组包生成中间人的部分挑战应答报文
T₁₅	中间人对服务器的挑战应答报文进行篡改
T₁₆	中间人发送篡改的挑战应答报文
T₁₇	客户端接收挑战应答报文并解析
T₁₈	利用挑战数i和公共参数计算参数z
T₁₉	验证挑战应答报文真实性