1. Introduction
The fifth generation (5G) of wireless communication technology has promoted the development of the Internet of Things, automatic driving, virtual reality [
1], etc. However, challenges still exist [
2,
3]. Although the terrestrial network has developed unprecedentedly, the seamless coverage of global heterogeneous networks has not been achieved. It is difficult for users to enjoy high-quality network services in many underserved areas (such as mountains, oceans, etc.) and in more than 50% of countries [
4]. Oriented toward the 6G network, satellite–ground integrated networks (SGIN), which could provide global coverage and integrated management of satellite and terrestrial networks, have become a hot topic of current research [
5,
6,
7]. In recent years, Amazon, SpaceX, and other major manufacturers are making great efforts to build satellite networks, which are expected to form a satellite communication system with a network capacity of 10 Tbps [
8], providing reliable communication services for SGIN. With 6G, satellites will obtain more computing power through mobile edge computing (MEC) [
9] and they will therefore be able to undertake heavier computing tasks.
Nevertheless, due to the high cost of satellite launches and maintenance, it is difficult for large satellite operators to hold all the satellites. There will still be many satellite operators maintaining a small number of satellites and providing personalized services. Owing to the short coverage time per satellite, users may need to switch operators or switch to a faster terrestrial network. In order to support global coverage, it is important to encourage operators of SGINs to collaborate with each other and provide cross-domain services. In a word, a SGIN is a complex heterogeneous network that combines multiple operators with global coverage.
As shown in
Figure 1, the SGIN architecture consists of three segments, i.e., a Satellite Node Segment, Ground Network Segment, and Access User Segment. The Satellite Node Segment consists of geosynchronous earth orbit (GEO) satellites, medium earth orbit (MEO) satellites, and low earth orbit (LEO) satellites. Compared to MEOs and GEOs, LEOs are closer to the ground and therefore have less communication overheads. Thus, only LEO authentication is considered in our architecture. These satellites can be transparent satellites or regenerative satellites. Transparent satellites are only responsible for transmitting messages. While regenerative satellites, which are equipped with gNB-DU, can be applied as a part of a 6G base station to process messages. The Ground Network Segment includes heterogeneous networks, such as large-scale servers, base stations, and satellite ground stations (GSs). Among them, the satellite network operators maintain the satellite ground network, including GSs and network control centers (NCCs). The terrestrial mobile operators maintain terrestrial networks, including the next-generation NodeBs (gNBs) and 6G core networks (6GCs). The Access User Segment consists of the user equipment (UE) in heterogeneous networks, such as mobile UE, IoT UE, and marine UE, which can be located on the ground, in suburban areas (areas with poor signal), at sea, in mountains, and so on. Obviously, these devices have different computing capabilities and diverse security requirements. They should choose suitable network domains and operators according to their own needs.
Since the information in a SGIN is transmitted through a public wireless channel, the user’s information is vulnerable to malicious attacks. Access authentication is the first step for UE to connect to the core network, so as to guarantee mutual authentication, forward and backward security, and be resistant to typical attacks. Unlike existing terrestrial networks, there is a large propagation delay (more than 10 ms) between satellite and terrestrial networks. In the traditional satellite network authentication scheme, the satellite generally transmits the forwarding messages [
10], which causes a transmission delay in communication at least four times that of satellite and terrestrial networks [
11]. Therefore, addressing efficient and secure authentication in SGINs is the first issue.
To make things even more challenging, heterogeneous devices need to be authenticated in this network. Based on our above architecture, the different types of user equipment and their diverse security requirements pose great challenges to the research of SGIN access authentication. At present, terrestrial networks usually use the authentication and key agreement (AKA) protocol to implement UE access authentication. The 5G AKA proposes to protect the privacy of users by encrypting their permanent identity and transmitting encrypted SUCI. However, there is no privacy authentication for heterogeneous terminals that access via satellite networks. For diverse users in SGIN, a targeted authentication model is required. For example, for IoT nodes with a large scale and relatively weak computing power, anonymous batch authentication with lower complexity is needed to achieve a faster speed. However, the existing batch authentication schemes do not effectively protect user privacy [
11] or incur excessive costs [
12]. While individual end-users are more computationally capable and care a lot about their privacy and security, they can choose protocols with higher security and better protect their privacy. That is to say, it is difficult to unify these users with different needs.
Meanwhile, due to the existence of multiple operators, SGIN secure roaming authentication also deserves attention. The current situation of many large satellite service providers (such as SpaceX and OneWeb) [
13,
14] as well as small providers cannot achieve continuous global coverage of signals, which causes many inconveniences for UE to enjoy diverse and stable services. As mentioned above, different network services in 6G may be provided by various operators, and the core network (CN) of satellite and terrestrial networks may be disparate. If a new satellite or terrestrial base station providing service to a subscriber originates from a different operator, the new operator needs to perform roaming authentication with the subscriber. However, the existing 3GPP roaming authentication approach [
15] is not applicable for SGINs, because satellite transmission will bring significant time delays. How to provide fast multi-operator cross-network roaming authentication for subscribers is also a key challenge.
Motivated by these challenges, we present an on-demand authentication protocol model for SGINs. In the model, we propose protocols for mutual authentication of UE and satellites, to reduce transmission overheads. Our protocols propose different access authentication scenarios for different users’ performance and security requirements, so that UE can have on-demand access. Among these, UE privacy is protected to different degrees. In addition, a roaming authentication protocol is proposed for cross-domain roaming by different operators, in line with the mutual authentication between the UE and satellite. Compared with other related works, we give consideration to authentication and roaming, and provide on-demand access authentication for terminals with different abilities and needs. The contributions of this paper are as follows:
On-demand privacy-preserving authentication protocols for SGIN: We propose an on-demand access authentication protocol for satellite networks in SGINs based on the protocol architecture. For UE with high security and privacy requirements, an anonymous unlinkable authentication protocol is proposed which ensures UE’s unlinkability. For large numbers of UE with demand for short delay times, a batch authentication protocol is proposed. The protocol supports rebatch authentication after authentication failure and can effectively alleviate DoS attacks.
A lightweight roaming authentication protocol for SGIN: The roaming authentication protocol provides a strategy for roaming between different operator networks for satellite-connected UE in SGINs, which needs to pre-negotiate with the corresponding core network after the last authentication is completed. The UE only needs to complete mutual authentication with the satellite when roaming, thus reducing the propagation delay.
The remainder of this article is organized as follows: We review the related work in
Section 2. Then, we introduce the prior knowledge involved in the protocol and SGIN system model in
Section 3. The details of our scheme are presented in
Section 4. The security of the proposed scheme is proven in
Section 5. We compare the performance of related schemes in
Section 6. Finally, we summarize the article in
Section 7.
2. Related Work
In recent years, researchers have made many contributions to the access authentication of SGINs. Nguyen et al. [
2] provided a systematic overview of 6G security and privacy issues. They analyzed the security architecture of 6G and considered the new open authentication protocols (e.g., satellite, sea area) for non-3GPP networks, as one of the priorities for 6G network access security. Zhao et al. [
16] made use of the broadcasting function of satellites to propose an efficient and lightweight access authentication scheme, to prevent the burden of “message storms” on satellite authentication. Cui et al. [
17] proposed an authentication scheme for heterogeneous B5G networks (including satellite networks) and proposed a user detection scheme based on trust evaluation. Guo et al. [
18] proposed an anonymous mutual authentication scheme based on RLWE, which can resist attacks based on quantum computing and guarantee efficiency and security in the post-quantum era. Yao et al. [
19] proposed a mutual authentication protocol named IMAS, which introduced group management forms to the satellite, to accomplish the multicast authentication between UE and satellites. Guo et al. [
20] proposed an access authentication protocol based on elliptic curve cryptography (ECC), which included three entities: the UE, satellite, and ground station. In addition, the scheme designed a batch handover scheme to reduce overheads.
In the face of the high privacy requirements of users of 6G, anonymous authentication based on aliases or group signature authentication can be used. Although the alias mechanism [
21] has good performance in information transmission and privacy protection, users need to store a large number of certificates, which leads to a large amount of overheads [
22]. The traditional group signature message will bring some transmission overheads. Boneh et al. [
23] proposed a short group signature (SGS) scheme, which allows bilinear pairing to be widely used in modern cryptography. Wasef and Shen [
12] proposed a batch authentication scheme based on SGS, so that SGS can be applied to a large number of user authentication scenarios. Alamer [
24] proposed a scheme to transform the SGS signature algorithm into a signcryption algorithm, which ensures message integrity and confidentiality.
Owing to the large number of user nodes, researchers have proposed batch authentication. Huang et al. [
25] proposed a fast anonymous batch authentication scheme for vehicle networking, which can verify multiple requests at a time and negotiate a session key with the vehicle through broadcast messages. Considering that a failure of batch authentication will lead to the failure of all authentication of a batch of nodes, the author also proposed to rebatch authentication to prevent possible DoS attacks. Lai et al. [
26] proposed a lightweight group authentication scheme for M2M networks, and the UE in their scheme can also accomplish rebatch authentication by dichotomizing. Mahmood et al. [
27] proposed ECC-based lightweight security without using a batch verification method (LSWBVM). Their method can authenticate a large number of request messages and verify messages one by one.
Due to the presence of multiple SGIN operators, cross-domain roaming authentication has become a research direction. Xue et al. [
28] proposed a lightweight group key negotiation protocol based on
secret sharing and proposed a cross-domain handover authentication scheme. Considering the problems of different operators in the converged network, Liu et al. [
29] proposed a decentralized anonymous authentication scheme applied to the cross-operator satellite service scenario, which can carry out cross-domain fast handover authentication and ensure the fairness of billing. Yang et al. [
30] proposed an authentication scheme based on group signatures and completed cross-domain roaming of users through advanced negotiation between ground stations and satellites. Guo et al. [
31] proposed a new secure roaming authentication and key negotiation protocol called SRAKN, which enables efficient and fast roaming between users, satellites, and foreign terrestrial control stations (FTCS), and finally negotiates secure session keys. Yang et al. [
32] proposed a fast handover authentication protocol for high-speed mobile terminals for railways in SGINs. Their method forms a temporary group of terminals in the same compartment and completes the handover based on preset information.
Table 1 shows a summary of the related works described in this paper. We study their schemes according to four aspects of these related works: performance objective, algorithm/scheme, scenario, and motivation.
4. The Proposed Scheme
In this section, we give a detailed description of the scheme, which consists of four phases: an initialization phase, anonymous authentication phase, roaming authentication phase, and user revocation phase. Without losing generality, and in order to be more intuitive, we will only focus on a certain set of UE and the corresponding LEOs.
4.1. Initialization Phase
In the initialization phase, the satellite core network servers (i.e., NCCs) first input the security parameter and generate the system master key . Then, the NCC generates for LEOs based on ECC. Moreover, the NCC outputs the public parameter , where is the addictive cyclic group with the generator element and the order , is the multiplicative cycle group with the same order , is the bilinear pairing , and and are hash functions. At the same time, the 6GC completes the initial key configuration with the UE. The detailed access authentication protocols for terrestrial networks are beyond the scope of this paper.
After generating the public parameter, the NCC implements Algorithm 1 to generate the group public key
and group master secret key
, in which
needs to be published in an open channel and
needs to be kept secret by the NCC. For each
in the group, the NCC generates
and sends
to the corresponding UE. The UE needs to use
as its private key and not disclose it to anyone.
Algorithm 1: Initialization |
Input: a group of user identity, a number of users |
Output: , |
1: | Select random numbers |
2: | Select random numbers such that |
3: | Sets |
4: | for all with identity do |
5: | Select a random number |
6: | Set |
7: | Store the tuple |
8: | end for |
9: | return |
Additionally, the NCC generates the necessary parameters for batch authentication. The steps for batch authentication initialization are shown below:
NCC selects a random number for each LEO, and generates a batch master key and batch public key for LEOs. The LEOs should keep and secret.
The NCC selects a random number for each . Then, the NCC calculates the batch authentication key , for the UE. Therefore, the batch authentication key of is , and the UE should keep secret.
Finally, the NCC sends ( to the LEOs over a secure channel (e.g., offline channel). Additionally, the NCC sends to the corresponding UE securely, and saves and in a local user key list (UKL).
4.2. Anonymous Authentication Phase
In this section, we show two scenarios according to the different needs of the UE: an unlinkable authentication scenario and batch authentication scenario. Each UE gives all the key information required for the two scenarios during the initialization phase, so it can switch scenarios when needed, without reregistering.
4.2.1. Unlinkable Authentication Scenario
In this scenario, we refer to Boneh’s [
23] short group signature (SGS) algorithm, which is one of the most famous group signatures. The UE in SGS can randomly generate a temporary identity (TID) that is irrelevant to the real
. Owing to the unlinkable anonymity of SGS, the UE can use different TIDs in different sessions, and no other entity knows that these TIDs belong to the same UE. The specific protocol process is shown in
Figure 3, and its steps are as follows:
When the UE wants to access the NCC, the message needs to be constructed, where is a random number, is part of the session key, and is a timestamp that can resist reply attacks. Taking , , and as input, the UE implements Algorithm 2 and obtains the signature , where , and can be calculated and stored in advance. When the UE needs to revote its secret keys, it needs to recalculate and . After completing the construction of plaintext and signature, the UE sends to an appropriate LEO.
When receiving s request from the UE, the LEO first authenticates the timestamp in the message. The LEO generates the current timestamp and verifies , where is adjusted according to different network conditions. If it does not meet the conditions, the LEO returns an error message. Otherwise, the LEO validates the accuracy of the signature using Algorithm 3. If the verification passes, the LEO selects the random number and calculates the session key . If the verification fails, an error message is returned. The LEO signs the message using to obtain the signature . Then, the LEO sends the message to the UE.
After receiving the message, the UE first verifies the validity of the timestamp; that is, whether the timestamp satisfies . If it is valid, the message will be verified by the ECDSA. If verified, the UE calculates the session key . The key negotiation between the two sides is complete.
Algorithm 2: Generating Signature |
Input: |
Output: |
1: | Select random numbers |
2: | Set , , |
3: | Set and |
4: | Select random numbers |
5: | Set
|
6: | Set |
7: | Set , , , , |
8: | return |
Algorithm 3: Verifying Message |
Input: |
Output: |
1: | Set
|
2: | If then |
3: | The signature is valid |
4: | else |
5: | Reject the signature |
6: | end if |
4.2.2. Batch Authentication Scenario
The traditional short group signature scheme uses a batch group signature (BGS) to complete batch authentication. However, due to the insufficient computing power of some devices in 6G heterogeneous networks and the massive terminals, we designed a novel batch authentication protocol to meet the needs of these terminals. In this scenario, users can generate a TID, but it is traceable. A set of UE send their batch authentication message to the LEO, which authenticates all parameters uniformly. If the first batch authentication is successful, the LEO authenticates them and continues the authentication process. If the first authentication fails, a rebatch is required. The specific protocol process is shown in
Figure 4, and the detailed steps are as follows:
The UE selects random numbers , then calculates , . The UE sets the access message as , where is a timestamp. Then, UE calculates the hash value of , and sets the batch authentication key and . Then, the UE receives the signature of batch authentication . After signing the message, the UE sends to the target LEO;
When the LEO receives
from the UE, it first checks the validity of the timestamp
. If
is legal, the LEO sets
,
and
, then calculates the following equation:
If Equation (1) is true,
UE in the batch authentication group is valid. Otherwise, it means that there are invalid messages in this group. Batch authentication has the advantage of reducing the computational overheads, but once an invalid request occurs in a batch, the authentication will fail. When a malicious attacker continuously sends invalid information to implement DoS attacks, users may be unable to complete authentication for a long time. Therefore, a rebatch is required to protect the UE’s QoS. The algorithm of “divide-and-conquer” (BVDC) [
25] can be used. The LEO can use dichotomous validation for a batch authenticated UE, to find the UE that failed validation and return error messages. Although the rebatch may bring computation overheads, it is helpful for improving the overall system efficiency and increasing the verification success rate.
For UE that passes the authentication, the LEO constructs , where is a timestamp, is a session key parameter generated by LEO, and is a number randomly generated. The LEO uses to generate the signature and send to the UE.
After receiving the message, the UE first verifies the validity of the timestamp. The message is then verified by . If the verification is successful, the UE calculates the session key , and the LEO calculates the session key . The key negotiation between the two sides is complete.
4.3. Roaming Authentication Phase
When the UE needs to roam across the network, due to changes in geographical location or network conditions, the roaming authentication phase can be completed. The proposed scheme designs a lightweight roaming authentication protocol to meet the needs of UE. For UE that need to change core network, they must be re-authenticated and negotiate a new session key. To reduce the overheads of roaming authentication, the UE should perform pre-negotiation after the initial authentication or the last roaming.
Pre-negotiation Phase: The UE first collects optional satellite information, and then sends its
and
to the source core network, namely sCN (i.e., NCCs or 6GCs) through the sLEO, to request roaming authentication tokens. After receiving the UE’s request information, the sCN selects the generation key
. Then, sCN calculates
, where
is a symmetric encryption function,
is a key derivation function,
is a pre-shared key maintained between the CNs and LEOs, and
is the expiration time of the token. A secure channel is established between the UE and sLEO during the authentication phase, and secure channels exist between core networks. The sCN encrypts
using the key
stored between sCN and UE, then returns the message to the UE. When
expires or the UE discovers new suitable LEOs, the UE needs to apply to the sLEO for new tokens. The LEO updates the token issued to the UE when the LEO or CN evaluates that it is necessary to change the
. At the same time, if the tLEO does not belong to the sCN as
Case ii, the sCN sends the
list to the tCN through the channel, then tCN sends
to tLEO. Otherwise, sCN sends the
list directly to tLEO as
Case i. The specific negotiation process is shown in the upper part of
Figure 5.
Roaming Authentication Phase: When the UE needs to roam, the process is as shown in the lower part of
Figure 5. The following steps need to be completed:
The UE first generates a random number , then uses the public key of the tLEO to encrypt , where is an asymmetric encryption algorithm based on ECC. Then, the UE selects a random number and obtains a timestamp , sets , and generates . Finally, the UE sends message to the tLEO;
Upon receiving the message, the tLEO first checks the timestamp then decrypts using its private key in order to obtain and . The tLEO decrypts using and checks the ID and ET in the token. If it does meet the conditions, the tLEO generates to verify whether it is equal to . If verified, tLEO generates a random number and generates . Then, the tLEO calculates , where is a symmetric encryption algorithm. The tLEO selects a random number and sets . Finally, the tLEO calculates and sends the message to the UE, where is a timestamp;
While receiving the message, UE first checks the timestamp. If checks, UE calculates . Then UE decrypts and gets . UE calculates and checks whether . If it does meet, the new conversation between UE and the tLEO is established. UE and the tLEO get their new session keys and .
4.4. User Revocation Phase
In the case that the UE needs to quit the group or the system needs to revoke the illegal UE authentication in the unlinkable authentication, the algorithm in the user revocation phase is needed. For an illegal UE, the NCC has the right to disclose their real ID and other information through signatures they send out. The private key of the illegal UE can be calculated through the group master key and in the signature. The NCC can find the real of the UE by comparing with the user information in UKL. For an illegal UE that requests to quit the group, the NCC performs the operations described above. After that, the NCC creates a revocation list (RL) that contains the key of the to be revoked. The NCC sends the RL to each LEO. The LEOs save the RL and periodically broadcast the latest RL’, which includes .
A UE that receives the RL’ updates its private key according to Algorithm 4, where
is the total number of tuples in RL’. Unrevoked UE must run this algorithm until all UEs in RL’ are revoked. After completing the above steps, the unrevoked UE needs to update the pre-stored parameters
and
. In addition, for offline UE, they need to request the latest RL’ when they are online. Therefore, the revoked
cannot obtain a new
. The authentication will fail when the
participates in group signature authentication again. When participating in batch authentication,
will also be detected by the LEO, thus prohibiting its access to the network.
Algorithm 4: Unrevoked User Update Parameters |
Input: |
Output: |
1: | Update as |
2: | Update |
3: | Update the secret key as |
4: | return |
The user revocation process can be carried out offline, which reduces the burden on the UE and prevents delays caused by the LEO checking the RL operation during authentication. The performance analysis of Yang et al. [
30] showed that the revocation mechanism of SGS is effective. For the protocol that is unlinkable, this phase allows the UE to exit the group, better managing the network. Although user revocation brings additional computational overheads, it is acceptable and necessary.
5. Security Verification
In this section, we use the ProVerif tool to conduct formal verification of the protocol. Then, we complete an informal security analysis.
5.1. Formal Analysis Using ProVerif
We used the ProVerif tool to formalize the proposed protocol in two parts. ProVerif is an automated protocol verification tool that emulates protocols and validates secure protocols against known active and passive attacks. It can handle various encryption primitives, such as key exchange schemes, hash functions, asymmetric encryption, and symmetric encryption. Since the proposed scheme is based on bilinear mapping, we used equations in ProVerif to add specific rules to analyze the protocol more accurately.
The ProVerif code of the proposed scheme consists of two parts: unlinkable authentication verification and batch authentication verification. The roaming authentication phase is included in each part. All verification results are shown in
Figure 6 and
Figure 7. Specially,
sk_LEO and
sk_LEO2 indicate secret keys for different LEOs; and
psk,
K0, and
k1 indicate the keys used in the roaming authentication phase described in
Section 4.3. For unlinkable authentication verification, (
phi,
A) and (
epsilon1,
epsilon2) indicate the UE’s group secret keys and NCC’s group master secret keys in
Section 4.1. For batch authentication verification,
s and
sk_NCC indicate the secret keys of the NCC, and (
BMK,
BK,
RK) indicate the keys used in batch authentication in
Section 4.1. There are injective correspondences between the participants in each step of authentication, pre-negotiation, and roaming authentication. The figures show that the two parts of the proposed scheme are reliable, and the individual keys and the negotiated session keys are secure.
5.2. Informal Security Analysis
In this section, we analyze important security characteristics of the proposed scheme. In the first four sections, we analyze the security characteristics of the proposed scheme. In the subsequent four sections, we analyze attacks that the proposed scheme can defend against.
In a SGIN, authentication passes through at least two interactions. In the first step, the UE sends a message to the LEO, and the UE is authenticated by the LEO. In the second step, the LEO returns the signature of the ECSDA to the UE, and the identity of the LEO is proven by the UE. This completes the process of mutual authentication between the UE and LEO. The keys of both the UE and LEO are issued by the trusted NCC during the initialization phase, and the authenticator holds the public keys of the target nodes, such as and . Therefore, the fake group members or LEOs cannot be authenticated by the legitimate node.
In each phase of the proposed scheme, no matter in which scenario, the session key is calculated according to the Diffie–Hellman problem through two random numbers generated by the two entities (i.e., UE and LEO). Calculating the session key without knowing the two generators involves solving the discrete logarithm problem on an elliptic curve. At present, it is computationally infeasible to solve the discrete logarithm problem in polynomial time [
36].
- 3.
Forward/Backward Security
New session keys and are negotiated in both authentication and roaming authentication phases of the proposed protocol. There is no computable correlation between the new session key and the session key of other sessions. No entity other than the UE and LEO can calculate the new session key.
- 4.
Privacy and Untraceability
In SGIN unlinkable authentication scenario, it is difficult for an attacker to know the real identity of a UE through the signature. Unless the attacker can obtain the UE’s private key and the UKL stored in the NCC, it cannot reveal the UE’s identity. Or in another case, the attacker obtains . But these are extremely difficult to do for the attacker. From another perspective, anonymity in the unlinkable authentication scenario is conditional. NCC has the right to recover the UE’s private key of the signature through , so as to obtain the real identity of the UE. In addition, the anonymity is untraceable, and the UE can use different in different sessions, and the attacker cannot associate two different sessions of the same UE through signatures.
In the batch authentication scenario, the UE is traceable due to the existence of . However, it is difficult for the attacker to crack the real ID of the UE using the batch authentication key . In addition, the UE in the unlinkable authentication scenario does not send information correlating to batch authentication. Even if the UE is changed, the attacker cannot associate the UE in batch authentication scenario with the UE in the unlinkable authentication scenario.
- 5.
Resistance to Replay Attacks
In each scenario, the entity sends a message that contains a timestamp . The integrity of the timestamp is protected by a signature, so it is difficult for an attacker to tamper with the timestamp. The other entity verifies the timestamp , where is the interval that matches the current network condition. Therefore, the authentication party can confirm the freshness of the message and distinguish whether it is under replay attack.
- 6.
Resistance of Impersonation Attacks
Suppose an attacker tries to imitate a legitimate UE, it must have the UE’s group private key , batch private key , or roaming parameters in order to generate a valid signature. However, these private keys are only held by the UE and NCC. It is difficult for the attacker to obtain both private keys. The LEO’s private key is only held by the LEO and NCC. If the attacker uses the wrong private key signature, the UE will verify the signature and the validation will fail. In the roaming authentication phase, the attacker needs to obtain the , modify the information in the token, and send the token to the UE through the established secure channel to complete the attack. This is also difficult for the attacker.
- 7.
Resistance to Man-in-the-Middle Attacks
An attacker attempting a man-in-the-middle attack attempts to intercept the communication between the UE and LEO and imitate the other party in the conversation. However, due to the resistance of the protocol to impersonation attacks, it is difficult for the attacker to successfully achieve this goal, and they therefore cannot complete man-in-the-middle attacks.
- 8.
Resistance to Dos Attacks
The traditional batch authentication protocol does not support a reauthentication algorithm. Therefore, when an attacker launches a DoS attack, the UE of the whole group cannot perform batch authentication. Thus, the LEO cannot know the specific UE who implemented the DoS attack. The batch authentication scenario of the proposed scheme supports the rebatch process. A legitimate UE can pass the authentication without re-authentication, and the LEO can also find the illegal UE that launched attacks. When the number of illegal operations performed by a UE reaches the threshold, the NCC can revoke them.
7. Conclusions
In this paper, we investigated on-demand access and roaming authentication protocols in a multi-operator heterogeneous scenario in a satellite–ground integrated network. We have proposed a scheme that includes anonymous unlinkable and batch authentication protocols, as well as fast roaming authentication. Specifically, users with higher privacy requirements are suitable for the unlinkable authentication scenario, where the scheme can provide anonymity and unlinkability; a large number of users with higher efficiency requirements are suitable for the batch authentication scenario, where the scheme provides traceable anonymity. In addition, for users who need to switch between multi-operator networks, this scheme provides a cross-domain fast roaming authentication solution. The proposed protocol delegates the authentication task to the satellite, which significantly reduces the transmission delay in the SGIN. We performed a formal analysis using ProVerif and an informal analysis to prove the security of the scheme. In addition, we evaluated the performance of the scheme and the results showed that our scheme is effective.
To enhance our research, we intend to study short group signature algorithms in more depth in our future work and propose more secure and more efficient protocols for unlinkability authentication scenarios based on zero-knowledge proofs. In addition, the application scenario of 6G will be more complex than 5G, and it is a challenge to cope with the fair billing of multiple operators and balance their interests. Especially, the introduction of eSIMs brings novel security risks and conflicts of interest. Thus, in the future, we will further consider the interests of multi-operator scenarios and try to find a suitable solution to authentication.