为满足互联网多业务背景下各方对于安全性的更高要求,平衡因引入安全机制造成的高代价问题,通过分析软件定义光接入网(SDOAN)所面临的通信安全挑战,提出了一种基于加密生成地址(CGA)算法与哈希生成地址(HGA)算法相结合的轻量级安全身份认证加密机制(CH-CNA)。该机制遵循OpenFlow协议的信息交互方式,通过引入无第三方参与的CGA算法和HGA算法,以此分别完成通信节点之间的首次认证绑定和非首次认证绑定。在认证绑定过程中可有效防止攻击者伪造、篡改认证交互消息,从而建立起面向接入网的端到端可信连接。采用OMNeT++网络仿真软件对提出的CH-CNA机制进行了测试,实验结果表明,该机制在保证通信节点之间安全性交互的同时,降低了平均计算开销和因恶意攻击引起的阻塞率,符合轻量级的定义要求。

We propose a lightweight secure identity authentication encryption (CH-CNA) mechanism based on the cryptographically generated address (CGA) algorithm and the hash generated address (HGA) algorithm to satisfy the strict security requirements of all the parties in the internet multi-servicing context while reducing the cost that is typically associated with the introduction of security mechanisms. In particular, the proposed mechanism analyzes the communication security challenges faced by the software-defined optical access networks (SDOAN). The CH-CNA mechanism follows the information interaction method of the OpenFlow protocol, and the first and non-first authentication bindings are achieved among the communication nodes using the CGA and HGA algorithms without any third-party participation. During the authentication binding process, the attacker is prevented from forging or tampering with the authentication interaction messages, establishing an end-to-end trusted connection in the access network. The proposed CH-CNA mechanism is tested using the OMNeT++ network simulation software. The experimental results demonstrate that the proposed mechanism can reduce the average computational overhead and blocking rate because of malicious attacks and ensure secure interaction among the communication nodes, which conforms to the definition of lightweight.