• <tr id="yyy80"></tr>
  • <sup id="yyy80"></sup>
  • <tfoot id="yyy80"><noscript id="yyy80"></noscript></tfoot>
  • 99热精品在线国产_美女午夜性视频免费_国产精品国产高清国产av_av欧美777_自拍偷自拍亚洲精品老妇_亚洲熟女精品中文字幕_www日本黄色视频网_国产精品野战在线观看 ?

    Robust Authentication and Session Key Agreement Protocol for Satellite Communications

    2022-08-23 02:21:38SomayehSoltaniSeyedAminHosseiniSenoJuliRejitoandRahmatBudiarto
    Computers Materials&Continua 2022年6期

    Somayeh Soltani,Seyed Amin Hosseini Seno,Juli Rejito and Rahmat Budiarto

    1Department of Computer Engineering,Ferdowsi University of Mashhad,Mashhad,9177948974,Iran

    2Faculty of Mathematics and Science,Universitas Padjadjaran,Jatinangor,45363,Indonesia

    3Faculty of Computer Science,Universitas Mercu Buana,Jakarta,11650,Indonesia

    Abstract: Satellite networks are recognized as the most essential communication infrastructures in the world today, which complement land networks and provide valuable services for their users.Extensive coverage and service stability of these networks have increased their popularity.Since eavesdropping and active intrusion in satellite communications are much easier than in terrestrial networks,securing satellite communications is vital.So far,several protocols have been proposed for authentication and key exchange of satellite communications,but none of them fully meet the security requirements.In this paper,we examine one of these protocols and identify its security vulnerabilities.Moreover,we propose a robust and secure authentication and session key agreement protocol using the elliptic curve cryptography(ECC).We show that the proposed protocol meets common security requirements and is resistant to known security attacks.Moreover,we prove that the proposed scheme satisfies the security features using the Automated Validation of Internet Security Protocols and Applications(AVISPA)formal verification tool and On-the fly Model-Checker(OFMC)and ATtack SEarcher(ATSE)model checkers.We have also proved the security of the session key exchange of our protocol using the Real or Random(RoR)model.Finally,the comparison of our scheme with similar methods shows its superiority.

    Keywords: Satellite communications; authentication; session key agreement;secure communication;security protocols;formal verification

    1 Introduction

    Nowadays, mobile satellite networks are used to provide advanced personal communication services.These services complement terrestrial networks, providing benefits such as global coverage and increasing mobility and reliability for users.Satellite communications are valuable in an emergency and when other networks are unable to operate.Users can use satellite phones anytime and anywhere,including seas, islands, and high mountains, where land-based networks cannot provide services [1–3].Furthermore,multicast applications delivery such as multimedia content distribution is perfectly performed by satellite systems[4,5].

    While there are many different types of satellites,Low-Earth-Orbit(LEO)satellites are used more in mobile communications.These satellites are at shorter distances from Earth, so they have higher signal strength and lower latency[6,7].However,unlike the Geosynchronous-Equatorial-Orbit(GEO)satellite,which alone covers the entire surface of the earth,several LEO satellites are required for this purpose[8].

    The LEO satellite is a land-based satellite located less than 2000 km above the earth, which enables communication between mobile devices and the network control center through gateways[8,9].Fig.1 illustrates a general overview of satellite communications.The four basic components of these communications are mobile users, the network control center (NCC), LEOs, and gateways.Mobile users need to register with NCC to use the services.Gateways communicate between LEOs and the NCC.

    Figure 1:An overview of satellite communications

    Because satellite communications are more susceptible to security attacks due to their broadcast nature, these communications need to be secure.Therefore, a session key is required for each communication session to encrypt the messages.There is also a need for strong authentication of both parties.

    In recent years, various protocols for securing satellite communications have been proposed,most of which have security flaws.In particular,some authentication and key management protocols have provided ECC-based solutions leveraging the elliptic curve discrete logarithm problem(ECDLP)[10–14].In this paper,we examine Qi et al.’s work[12]and show its security vulnerabilities.We propose a secure and robust protocol for key exchange in satellite communications,which is resistant to known security attacks and satisfies the security requirements.Further,a thorough analysis of the proposed protocol shows that it performs better in terms of security than other ECC-based protocols.

    The contributions of this paper are as follows:

    · Analysis of key exchange protocol introduced by Qi et al.[12]and security vulnerabilities are revealed.

    · A secure ECC-based authentication and key exchange protocol that resists common attacks and meets common security requirements.

    · A thorough security analysis of the proposed protocol and its resistance to various types of attacks.

    · Formal security verification of the proposed protocol on AVISPA tool, considering different model checking techniques that the proposed protocol meets different security requirements.· The proof of security of the proposed key exchange protocol using the RoR model.

    The rest of the paper is structured as follows: In Section 2, some essential related works are discussed.Section 3 provides background information on elliptic curve cryptography and the threat models.Section 4 describes Qi et al.’s protocol [12] and analyzes its security.Section 5 describes the proposed authentication and key exchange protocol for satellite communications.The security analysis of the proposed method is described in Section 6.In Section 7,the proposed protocol is compared with other similar protocols in terms of time complexity,communication cost,and security features.Finally,Section 8 is devoted to the conclusion.

    2 Related Works

    To provide satellite communications over unsecured networks, Cruickshank [15] developed the first satellite communication protocol in 1996.Since then,many protocols were introduced to secure satellite communications,and later on,other researchers take turns finding out weaknesses and flaws in those protocols and propose improved protocols.

    Chen et al.[16] proposed an authentication mechanism for mobile satellite communication systems.Later on,Lasc et al.[17]showed that Chen et al.’s protocol was not resistant to the Denial of Service (DoS) attack and then suggested an improvement.Next, Chang et al.[18] revealed that Lasc et al.’s protocol was susceptible to impersonation attack through a stolen smart card.Then they proposed an authentication protocol for satellite communications.The newly proposed protocol was claimed to be resistant to all kinds of attacks.However, Zhang et al.[19] showed that the protocol proposed by Chang et al.was not resistant against the DoS attack and the impersonation attack.

    Lee et al.[20] introduced an authentication and key exchange protocol for mobile satellite communications systems and claimed that it is resistant to all kinds of attacks.Later, Zhang et al.[21] revealed that Lee et al.’s protocol was not resistant against replay attacks, DoS attacks, and attacks from a stolen smart card.Then they developed a new protocol for satellite communication authentication.In 2018, Qi et al.[10] stated that Zhang et al.’protocol was insecure against the stolen-verifier attack and DoS attack.Then they proposed an ECC-based protocol for satellite communication authentication.In 2019,Ostad-sharif et al.[11]showed that Qi and Chen’s protocol could not meet the security requirements of perfect forward secrecy and did not resist the ephemeral secret leakage attack.

    Liu et al.[22]proposed a Lightweight protocol for satellite communications authentication.Later on,Qi et al.[12]showed that the protocol proposed by Liu et al.does not meet the perfect forward security requirement.Then they introduced an authentication protocol based on ECC.In this paper,we prove that the protocol of Qi et al.is not resistant to Known-session-specific temporary information attacks and insider attacks.

    Altaf et al.[14] proposed an authentication and key agreement scheme which is based on the(ECDLP problem.Then, Chen and Chen [13] proved that Altaf et al.’s protocol does not provide perfect forward secrecy.Moreover, we found that their scheme is vulnerable to DoS attack.The attacker can resend the request message to the NCC many times and force it to do the time-expensive point multiplication operation many times and thus overwhelms the NCC.Furthermore, Hosseini-Seno et al.[23] have proposed an authentication and key management protocol to provide patient privacy in Tele-medical information system.The proposed protocol cautiously considers all aspects of security requirements including the perfect forward secrecy.

    3 Preliminaries

    3.1 Elliptic Curve Cryptography(ECC)

    ECC uses the elliptic curvey2=x3+ax+bover the finite field Fp,wherepis a prime number with typically 256-bit(or more)length.All operations in the filed Fpare in the modular form.Therefore,the ECC is defined as(1):

    wherea,b∈Fp,4a3+27b2modp0,and O is the point at infinity.

    The ECCEp(a,b)is an Abelian group with addition as the group operation.Therefore, the addition of every two points on the curve leads to a new point on the curve.We can simulate scalar multiplication using the addition operation.The multiplication of scalarkin pointRisk.

    The building block for elliptic curve cryptography is the elliptic curve discrete logarithm problem:Given two pointsRandSoverEp(a,b), findksuch thatS=k.R.If the parameters of the elliptic curve are properly chosen,the ECDLP is believed to be infeasible with current technology[24].

    To select a suitable elliptic curve,in addition to determining the values ofa,b,andp,we should also define the generatorG.In some elliptic curves,all points on the curve(n)can be generated with a singleG.In this case,the curve has only one subgroup(h= 1).Sometimes,the curve has several subgroups (h >1), and it is necessary to find a separate generator for each one.In the proposed method, we use ECCs withh= 1, such as secp192r1 [25].Therefore, the ECC parameters in the proposed method are shown with a five-tuple〈a,b,p,n,G〉.

    3.2 Threat Models

    The most popular threat model is the Dolev-Yao model[26],which is an abstract model of agents’capabilities.The Dolev-Yao model strips away the extraneous details of communications and shows a simple view of exchanged messages.The Dolev-Yao model presents term of algebra and models the protocol messages as terms.It presents some term derivation rules which define how agents can build new terms from the old ones.

    Suppose Ag,K,and N represent the set of agents,keys,and nonces,respectively.We define the set of basic terms as B=Ag ∪N ∪K.We denote the public key and private key of the agentA∈Ag usingpk(A)andsk(A), respectively.Moreover, for A,B ∈Ag we usek(A,B)to denote the shared symmetric key between them.The inverse of eachk∈K is defined in(2)–(4).

    The term syntax in Dolev-Yao model is defined in(5).

    wheret0,t1∈B andk∈K.

    The intruder in the Dolev-Yao model is one of the agents and has access to the hash function,public keys of all agents,his private key,and his shared key with other entities.Moreover,the intruder has full control over all communication messages between agents.He can eavesdrop, intercept, or replay the messages [27].However, in examining the strength of security protocols, a stricter threat model such as the Canetti–Krawczyk(CK)[28]model is usually used.The attacker in the CK model not only has complete control over communications but also has the ability to obtain secret data in the system’s memories.Therefore,the adversary may access private keys of parties or session-specific temporary keys.We consider the CK treat model in the analysis of our protocol.

    4 Review and Analysis of Qi et al.Protocol

    This section analyzes the protocol introdued by Qi et al.[12].The protocol consists of four phases,namely, 1) initialization, 2) user registration, 3) login and authentication with key agreement, and 4)password update.In the registration phase,each user firstly selects his ID and password(IDi,pwi),and sends them to the NCC withIDi,mpi=H(IDi||pwi)via a secure channel[12].

    When the message is received,the NCC checks that the selectedIDidoes not belong to a duplicate user.It then performs the operations in the registration phase and finally delivers the smart card to the user.During the login and authentication phase,the user enters his smart card into the card reader and then inputs the user and password (IDi,pwi).If it is determined that the smart card belongs to the person,the user and the NCC agree on a shared key of(SKi=αβ.G)by transmitting messages to each other.So,from now on,the user and the NCC can communicate using the shared key.

    We demonstrate that the protocol proposed by Qi et al.is vulnerable against attacks,as follows.

    Known Session-Specific Temporary Information Attack

    If the random parameters generated in a protocol are captured by the attacker, the session key should not be revealed.However,in the Qi et al.’s protocol,the session keySKi=αβ.Gis generally made up of random numbers α and β and a base point,which is considered general.So,by revealing random numbers,the attacker gains the key to the session.Insider Attack

    It is assumed that the internal attacker (here NCC) tries to obtain the password of each user.Since the user sends the=H(IDi||pwi)andIDito the NCC,and the password is usually short,the internal attacker on the NCC side can guess the password using the hash table.

    5 The Proposed Protocol

    The proposed protocol uses elliptic curve encryption and consists of initialization, registration,and authentication and key agreement steps.Tab.1 shows the symbols used in the proposed protocol.

    Table 1: The symbols used in the proposed protocol

    5.1 Initialization Phase

    In this phase,the NCC sets some parameters to be used in authentication and key management.As explained in the previous section,to use the ECC cryptosystem,the NCC needs to set the five-tuple〈a,b,p,n,G〉.Besides,the NCC chooses a random numberSNCC∈Fpand computes its related public keyPNCC=SNCC.G.Moreover,the NCC needs to choose the hash functionh(.).

    5.2 Registration Phase

    To use the NCC services,the user needs to register first.The steps of user registration are depicted in Fig.2 and are as follows:

    Figure 2:The registration phase of the proposed protocol

    Step 1.The userUifirst asks the NCC via a secure channel to send him the initialized parameters, 〈〈a,b,p,n,G,h(.),IDNCC,PNCC〉.

    Step 2.After receiving the necessary parameters,the user chooses an ID and password.He also selects a random numberSi∈Fpas the private key and calculates his public keyPi=Si.G.The user then calculates his masked password to hide his password from the NCC.The masked password is defined in(6).

    Finally,he sends the triple〈IDi,Pi,MPWi〉through the secure channel to the NCC.

    Step 3.Upon receiving 〈IDi,Pi,MPWi〉, the NCC checks the validity ofIDi.If the ID is legitimate, the NCC computesMi, which is a combination of the user’s identity, the NCC’s identity,and the NCC’s private key as defined in(7).

    Then,the NCC performs the XOR operation onMiandMPWito calculateAias defined in(8).

    Finally,the NCC sends〈Ai〉toUivia the secure channel.

    Step 4.The user calculates the hash of his identity,his password,and his private key as defined in(9).

    Finally,he stores[〈a,b,p,n,G〉,h(.),IDNCC,PNCC,Ai,Si,HIDPi]in his mobile device.

    5.3 Authentication and Key Agreement Phase

    Upon completion of the registration,the user and the NCC start a two-way authentication and key exchange process to communicate with each other via an insecure channel.A complete description of this phase is given in Fig.3 and is described in the following steps:

    Figure 3:The authentication and key agreement phase of the proposed protocol

    Step 1.The user enters his identity and password (.Here, the ID and password are shown using the prime symbol to indicate that these values are re-entered in this step and may differ from the ID and password values in the previous phase.Then[〈a,b,p,n,G〉,h(.),IDNCC,PNCC,Ai,Si,HIDPi] is extracted from the mobile device memory.After that,is calculated and checked to see if this value is the same asHIDPiin the device memory(10).

    If these two values are not the same,the user does not enter the correct ID and password,and the session ends.Here again,the primed form is used to indicate the recalculation of the variable in this step.Then the user’s mobile device calculates the masked passwordandin(11)and(12).

    It then selects a random numberei,s∈Fpas the ephemeral private key of the session and calculates the ephemeral public key of the sessionEi,s=ei,s.G.The user also calculates another ephemeral secret(Ci,s)as defined in(13).

    Then the mobile device calculates the masked identity of the user for this session as defined in(14).

    The mobile device then sets the timestampTi,sand calculatesResi,sas defined in(15).

    Finally, the mobile device sends the four-tuple 〈MIDi,s,Resi,s,Ei,s,Ti,s〉 to the LEO.Upon receiving the four-tuple, the LEO adds its own identityIDLEOto it and forwards the five-tuple〈MIDi,s,Resi,s,Ei,s,Ti,s,IDLEO〉to the NCC.

    Step 2.Upon receiving the message〈MIDi,s,Resi,s,Ei,s,Ti,s,IDLEO〉,the NCC checks the validity of the LEO.Then it verifies the freshness of the message by checking that the difference between receiving time(Trec)and the timestampTi,sis less thanΔt.Afterward,it calculatesas defined in(16).

    Moreover,the NCC computesas defined in(18),and it aborts the session if it is not valid.

    Note that here we use the double prime symbol to indicate that the variables are calculated in a new step of the protocol.

    Then the NCC calculatesandas defined in(18)and(19).

    Then the NCC selects the ephemeral private key of the session,eNCC,s∈Fp, and computes the ephemeral public key,ENCC,s=eNCC,s.G.Moreover,the NCC calculates another secret,CNCC,s,as defined in(20).

    The NCC then sets the timestampTNCC,sand calculates the session key,SK, and the verifier,AuthNCC,s,as defined in(21)and(22).

    Finally,the NCC sends the four-tuple〈AuthNCC,s,ENCC,s,TNCC,s,MIDi,s〉to the LEO,and the LEO forwards the triple 〈AuthNCC,s,ENCC,s,TNCC,s〉to the mobile device.

    6 Security Analysis of the Proposed Protocol

    In this section, we describe the security features, the robustness against several security attacks of the proposed protocol, and formally verify the correctness of the proposed protocol in terms of satisfying security features using AVISPA.

    6.1 Security Features

    6.1.1 Mutual Authentication

    Key agreement protocols require the parties to authenticate each other.In our proposed method,the user selects the ephemeral private keyei,sand generates the ephemeral public keyEi,sand the secret keyCi,s.To request services, the user sendsEi,sand some other messages to the NCC and keepsCi,shidden.Except for the user, the only entity that can reproduceCi,sis NCC.The NCC reproduces theCi,susingEi,sand incorporates it into its authentication message (AuthNCC,s).On the other hand,the NCC selects the ephemeral private keyeNCC,s, from which it generates the ephemeral public keyENCC,sand the secret keyCNCC,s.The NCC sends theENCC,sto the user and holds the secret keyCNCC,s.Except for NCC,the only entity that can reproduceCNCC,sis the user.The user can regenerateCNCC,sandAuthNCC,s.If the reconstructedAuthNCC,sis equal to the sentAuthNCC,s,NCC will be authenticated to the user.The user then insertsCNCC,sin his authentication message(Authi,s)and sends it to the NCC.IfAuthi,sis equal toh(IDi‖Ci,s‖CNCC,s),the user is authenticated for NCC.

    6.1.2 Session Key Security

    6.1.3 Perfect Forward Secrecy

    The perfect forward secrecy guarantees the security of the session key,even though the long-term secret keys of parties are compromised.The proposed method preserves this feature because the session key is built using both long-term private keys and temporary secret keys.Even if the adversary A gets access toSiandSNCC,he cannot guess the session key.

    6.1.4 User Anonymity

    The proposed method does not send the user identity in plain text over insecure channels,but the masked user identity,MIDi,s=⊕h(Ci,s),is sent.Only the NCC can calculateCi,susingSNCCand know the user ID.Therefore,user anonymity is preserved against other entities.

    6.2 Security Attacks

    6.2.1 Replay Attack

    Our proposed method is resistant against the replay attack because, in addition to sending the timestampTi,sexplicitly, we also embed it in theResi,smessage.So, if the adversary A updates the timestampTi,stoTnewi,sand resends the message〈MIDi,s,Resi,s,Ei,s,Tnewi,s〉,the NCC detects the attack by checkingResi,s.Also,if the attacker repeats the message〈AuthNCC,s,ENCC,s,TnewNCC,s〉by changing the timestampTNCC,s,the user will notice the attack by checkingAuthNCC,s.

    6.2.2 Man-in-the-Middle Attack

    If the adversary A interrupts the communication between the valid userUiand the NCC,he should be able to send legitimate message〈MIDi,s,Resi,s,Ei,s,Ti,s〉to the NCC.However,to build a validResi,s,the adversary has to know the password and the private key ofUi.

    6.2.3 Insider Attack

    The user does not send the password to NCC in the registration phase explicitly but sends it in hidden form,MPWi=h((PWi⊕Si)‖(IDi⊕Si)).Since the NCC does not know the user’s private keySi,it cannot guess the user’s password.

    6.2.4 Impersonation Attack

    If the adversary A wants to impersonate the user,he must be able to forget the request message〈MIDi,s,Resi,s,Ei,s,Ti,s〉.Assuming that the adversary is one of the users, he can generate a random numberei,sand the secret keyCi,sand createMIDi,sby accessing the user ID.He can also generateEi,sandTi,s,but he cannot generateRESi,swithoutMi,and knowingMirelies on knowingAiand the user passwordPWior knowing the NCC’s private key,SNCC.

    6.2.5 Known-Session-Specific Temporary Information Attack

    If the attacker accesses the temporary session parameters in any way, he should not be able to access the session key.Since the session key,SK=in our scheme is composed of both temporary and long-term parameters,it is resistant to this attack.

    6.2.6 Smart Card Loss Attack

    If the user’s mobile device (or smart card) is stolen, the adversary A should not be able to impersonate the user.Our proposed method is resistant to this attack because even if the adversary access smart card information [〈a,b,p,n,G〉,h(.),IDNCC,PNCC,Ai,Si,HIDPi], he cannot impersonate the user without the correct ID and password.

    6.2.7 Stolen Verifier Attack

    In our proposed method,NCC does not store any information about users other than their ID.Therefore,if the adversary accesses the NCC database,it will not receive any additional information.

    6.2.8 DoS Attack

    Denial of Service attacks can be done on satellite communications entities,including the users and the NCC.By persuading the NCC to perform a large number of heavy-weight point multiplication operations on the elliptic curve, the attacker causes the NCC to crash and makes it impossible to provide services to authorized users.Our proposed protocol is resistant to this attack because if one of the users wants to carry out this attack against the NCC,he himself will suffer the same heavy-weight operations.Also,due to the resistance of the proposed method to replay attacks,the adversary is not able to resend the request message to the NCC.For the same reason,it is not possible to perform this attack on system users.

    6.3 Formal Security Analysis with AVISPA

    AVISPA is a role-based language that provides a formal language for specifying protocols and security properties and uses several back-ends to analyze them[29,30].Each participant in the protocol is represented by a role,which communicates with other roles by channels.The HLPSL specification is translated to an intermediate format,which is then analyzed by some back-ends.The four back-ends used by AVISPA include Tree Automata-based Protocol Analyzer(TA4SP),OFMC[31],Constraint Logic-based Attack Searcher(CL-ATSE)[32],and satisfiability-based Model-Checker(SATMC)[33].

    We have implemented our protocol in the HLPSL language.We have defined a role for the user,role_Ui,and a role for the NCC,role_NCC.We have also defined asessionrole that specifies a session of the protocol.In addition,we have considered anenvironmentrole and defined three sessions in it.The first session is between the user and the NCC.In the second session,the intruder impersonates the user,and in the third session,the intruder impersonates the NCC.In addition,we have defined the intruder’s knowledge and the security goals.

    The goal ofsecrecy_of sec_1examines the confidentiality ofei,sfor the user.If the goal is satisfied by the protocol, the secrecy ofei,sis guaranteed.Similarly, the goal ofsecrecy_of sec_2checks the confidentiality ofeNCC,sfor the NCC.Moreover, the goal ofsecrecy_of sec_3examines that theSKis confidential between the user and the NCC, and the attacker cannot access it.Besides, the goalsauthentication_on auth_1andauthentication_on auth_2examine the mutual authentication of the user and the NCC.The goal predicatesrequest(Ui, NCC, auth_1, Eis)inrole_Uiandwitness(NCC, Ui,auth_1, Eis’)inrole_NCCare used to declare the authentication of the user by NCC.Similarly,request(NCC,Ui,auth_2,Enccs)inrole_NCCandwitness(Ui,NCC,auth_2,Enccs’)inrole_Uiare used to examine the authentication of NCC by the user.To check whether these goals are satisfied by our protocol,we use OFMC and ATSE.The results in Figs.4 and 5 show that both of these model checkers find our protocol safe, which means that our protocol meets the secrecy of the session key and the mutual authentication of parties.

    Figure 4:The results of OFMC model checker on the proposed protocol

    Figure 5:The results of ATSE model checker on the proposed protocol

    6.4 Proving the Security of Proposed Key Exchange Protocol Using RoR Model

    We examine semantic security of the session key of the proposed protocol using the Real-or-Random model[34,35].In this model,adversaryAobtains a session key or a random value by querying protocol participants.The adversary must guess whether the output returned to him is a real key or a random value.For this purpose, we introduce various concepts such as participants, participant instances,oracles available toA,queries to these oracles,and the concept of partnering.

    Participants.The two disjoint sets of our proposed protocol participants areUandNCC.We represent the set of all participants with P =U∪NCC.Moreover,we represent thejth participant of the protocol withPj∈P.

    Participant Instances.During the execution of the protocol by the adversary,several instances of each participant may be executed.The instanceiof the participantPjis denoted byand is called anoracle.

    Long-Lived Keys.Each participantP∈P has a secret keySP∈Fp.

    Ephemeral Keys.Each participantP∈P in a sessionshas an ephemeral keyeP,s∈Fp.

    Protocol Execution.A protocol indicates how participant instances behave in response to signals received from the environment [36].Intending to break the protocol security, the adversary sends signals to the instances of the participants (oracles) and receives a response according to the rules of the protocol.In fact,the adversary sends queries to oracles,and these queries model the attacker’s ability in a real attack.Types of queries include:Freshness.An oracles fresh if it is in the accept mode,andand its partner are not open(by Reveal query).

    Semantic Security of A Key Exchange Protocol.Suppose adversary A executes the key exchange protocol PRO and has access to Execute, Send, Reveal, Corrupt, Corrupt_Ephemeral, and Test queries.The adversary can ask the Test query up to one time for each fresh oracle.Suppose the adversary’s guess for the Test query isc′.The adversary wins the game ifc′=c, wherecis the value of the coin set before the game.The protocol PRO is secure if the advantage of the probabilistic polynomial-time adversary in breaking the session key is negligible,as shown in(27).

    Theorem 1.Suppose adversary A can execute a maximum ofNhHash query,NsSend query,andNeExecute query to break our proposed key exchange protocol, PRO_SAT.The advantage of A in breaking the PRO_SAT protocol is given in(28):

    where|H|is the range space of the Hash oracle,|D|is the size of the password dictionary,andpis the prime number in Fp.

    Proof.To prove Theorem 1,we define a six-step game:G0 to G5.

    G0.Game 0 is the real attack of A against our proposed protocol, PRO_SAT.Intuitively, the adversary can win the game with the probability of 1/2.The advantage of the adversary to break the semantic security of PRO is |Pr(SUCC0)-1/2|, whereSUCC0is the event in which A guesses the coin correctly and wins the game.Rescaling it,we can define the advantage of A as(29).

    G1.In this game, we simulate passive attacks by the adversary.The adversary eavesdrops on messages between oraclesandith an Execute query.The adversary then decides with the Test query that the session key returned to him is real or random.To create a session key in the proposed protocol,the ephemeral keys of the user and NCC,as well as long-term keys of both parties are needed.To be more precise,the session key is made in the client using the long-term keySiand the ephemeral private keyei,s.It is made in NCC using the long-term keySNCCand the temporary private keyeNCC,s.The adversary cannot gain access to any of these keys by simulating eavesdropping attacks, and his advantage in violating the security of the session key does not increase,as shown in(30).

    G2.In this game,in addition to simulating eavesdropping attacks,active attacks are also simulated with the Send query.Active attacks by the adversary can be one of three attacks:replay attack,man-inthe-middle,or impersonation attack.As stated in sections 6.2.1,6.2.2,and 6.2.4,the proposed method is immune to these attacks.Therefore,the advantage of A in this game does not increase.Therefore,we have:

    G3.In this game, the adversary queries the Hash oracleNhtimes to find collisions.The birthday paradox states that the probability of collisions in the output of the Hash oracle is at most2|H|.Moreover,sinceSi,SNCC,ei,s,andeNCC,sare randomly selected from Fp,the probability of collision in the Send and Execute oracles is at most(Ns+Ne)2/2p.So,we have:

    G4.This game simulates the smart card loss attack.If the mobile device (or smart card) of the user is stolen,A may try to guess the password using an online dictionary attack.Since the number of password failures is limited by the protocol,we have:

    G5.In this game,the adversary asks the Corrupt query and gets the oracle’s long-lived key in response.Of course,to get the session key,A needs the long-lived keys of both oracles in communication.Also,to create the session key,A needs to have access to ephemeral keys for each session.To access the onetime keys of each session,the adversary must be able to solve the ECDLP problem.If the advantage of A for breaking the ECDLP isAdvECDLP(A),we have:

    Given thatPr(SUCC5)= 1/2,we can calculate the advantage of A using(29)to(34),as shown in(35).

    7 Performance Analysis and Comparison

    In this section,we examine the computational complexity of the proposed method.The messages in the proposed protocol are obtained by combining xor,hash,and scalar multiplication on the elliptic curve.In calculating time complexity, we ignore the xor time execution, and we calculate the time required for hash and scalar multiplication based on the time reported in[37].The computation times of various cryptographic operations,reported by Xu et al.[37],are as follows:

    ·This the time of the one-way hash function,which is 0.0004 ms.

    ·Tsmis the time of scalar multiplication on elliptic curves,which is 7.3529 ms.

    ·Tmeis the time of modular exponentiation,which is 1.8269 ms.

    ·Tsis the time of symmetric encryption/decryption,which is 0.1303 ms.

    The time complexity of our protocol includes the time spent by the user’s mobile device and the time spent by the NCC.The time spent by the mobile device is 7Th+4Tsmand the time consumed by the NCC is 6Th+4Tsm,and the total time is 13Th+8Tsm,which is equal to 58.8284 milliseconds.

    To measure the communication cost of the proposed method,we need to measure the size of the messages exchanged between the different entities of the protocol.Messages consist of a combination of IDs,hash values,timestamps,and points on the elliptic curve.To calculate the communication cost,suppose each identifier is 64 bits long,the hash size is 256 bits,the timestamp is 64 bits,and the point size on the elliptic curve is 192 bits(due to secp192r1 selection).

    To exchange the session key between the user and the NCC, it is necessary to send messages 〈MIDi,s,Resi,s,Ei,s,Ti,s〉, 〈MIDi,s,Resi,s,Ei,s,Ti,s,IDLEO〉, 〈AuthNCC,s,ENCC,s,TNCC,s,MIDi,s〉, and〈AuthNCC,s,ENCC,s,TNCC,s〉.Therefore,the communication cost of our protocol is 4×ecc+7×hash+ID+3×timestamp=4×192+7×256+64+3×64=2816 bits.

    At the end of this section,we compare the proposed method with several similar methods,which are all based on the ECDLP problem,in terms of security features and computational cost.As shown in Tab.2,Tsai et al.’s protocol[38]does not satisfy perfect forward secrecy.Moreover,it is vulnerable to the known-session-specific temporary information attack and DoS attack.The protocol of Qi and Chen [10] does not meet the perfect forward secrecy and is not resistant against the known-sessionspecific temporary information attack.The protocol of Qi et al.[12] is vulnerable to insider attack and the known-session-specific temporary information attack.Finally, Altaf et al.’s protocol [14] is vulnerable to DoS attack and does not meet perfect forward secrecy.We see that our method, by spending a little more time,is resistant to the known attacks and meets security requirements.We also see that the communication cost of the proposed method is almost similar to other methods except[12]in which modular exponentiation are used.

    Table 2: The comparison of the proposed method with some related methods

    Table 2:Continued

    8 Conclusion and Future Work

    This paper contributes towards the widespread deployment of satellite applications by tackling one of the main challenges,i.e.,security issues.This paper first analyzed the authentication protocol for satellite communications proposed by Qi et al.and proved its vulnerability to two kinds of security attacks.Then this paper presented a robust secure authentication and key agreement protocol based on elliptic curve cryptography for secure satellite communications.Moreover,a thorough security analysis of the proposed protocol was performed.The security analysis showed that it is resistant to all known attacks.Besides, the formal verification of the proposed method proved that it satisfies the security requirements.

    As future work,the protocol performance can be improved in terms of time execution by reducing the number of scalar multipliers while preserving the security requirements.Implementation on application in blockchain[39]and software defined network[40]are also considered as future works.

    Funding Statement:The authors received no specific funding for this study.

    Conflicts of Interest:The authors declare that they have no conflicts of interest to report regarding the present study.

    男女午夜视频在线观看| 国产精品电影一区二区三区| 国产欧美日韩综合在线一区二区| 视频区图区小说| 欧美人与性动交α欧美精品济南到| 国产精品偷伦视频观看了| 国产精华一区二区三区| 精品熟女少妇八av免费久了| 欧美日韩一级在线毛片| 亚洲欧美激情综合另类| 免费不卡黄色视频| 最新在线观看一区二区三区| 日本wwww免费看| 国产单亲对白刺激| 久久精品国产99精品国产亚洲性色 | 黄色 视频免费看| 男人舔女人的私密视频| 黑人巨大精品欧美一区二区mp4| 一区二区三区国产精品乱码| 国产成人av激情在线播放| 夜夜躁狠狠躁天天躁| 中文字幕av电影在线播放| 一本综合久久免费| 欧美 亚洲 国产 日韩一| 啦啦啦在线免费观看视频4| 制服人妻中文乱码| 人人妻人人添人人爽欧美一区卜| 国产精品电影一区二区三区| 一级毛片精品| 色婷婷久久久亚洲欧美| 亚洲av五月六月丁香网| 国产亚洲av高清不卡| 欧美日韩亚洲高清精品| 美女大奶头视频| 在线永久观看黄色视频| 日本精品一区二区三区蜜桃| 国产精品自产拍在线观看55亚洲| 一个人观看的视频www高清免费观看 | 一边摸一边抽搐一进一小说| 日本三级黄在线观看| 手机成人av网站| 精品一区二区三卡| 日韩av在线大香蕉| 国产人伦9x9x在线观看| 热re99久久精品国产66热6| 精品国产美女av久久久久小说| a级毛片在线看网站| √禁漫天堂资源中文www| 亚洲午夜精品一区,二区,三区| 天天影视国产精品| 免费女性裸体啪啪无遮挡网站| av片东京热男人的天堂| 美国免费a级毛片| 黄色 视频免费看| 12—13女人毛片做爰片一| 亚洲欧美一区二区三区黑人| 99国产综合亚洲精品| 成人手机av| 人人澡人人妻人| 国产99白浆流出| 日韩欧美一区二区三区在线观看| 成人黄色视频免费在线看| 在线av久久热| 高潮久久久久久久久久久不卡| 两性午夜刺激爽爽歪歪视频在线观看 | 一区福利在线观看| av网站免费在线观看视频| 校园春色视频在线观看| 精品一区二区三区视频在线观看免费 | 中国美女看黄片| 久久久久精品国产欧美久久久| 又紧又爽又黄一区二区| 国产91精品成人一区二区三区| 久久久久九九精品影院| 人妻丰满熟妇av一区二区三区| 超碰97精品在线观看| 亚洲片人在线观看| 国产精品1区2区在线观看.| bbb黄色大片| 久久久久久久精品吃奶| 丝袜人妻中文字幕| 男人操女人黄网站| 久9热在线精品视频| 97超级碰碰碰精品色视频在线观看| 人妻久久中文字幕网| 国产亚洲精品第一综合不卡| 国产精品一区二区三区四区久久 | 成年女人毛片免费观看观看9| 欧美久久黑人一区二区| 成人永久免费在线观看视频| 女同久久另类99精品国产91| 国产99白浆流出| 一区二区日韩欧美中文字幕| 国产午夜精品久久久久久| 性色av乱码一区二区三区2| 精品久久蜜臀av无| 亚洲中文字幕日韩| 露出奶头的视频| 97超级碰碰碰精品色视频在线观看| 日韩免费高清中文字幕av| 一级a爱片免费观看的视频| 高清黄色对白视频在线免费看| 国产激情久久老熟女| 亚洲专区国产一区二区| 亚洲熟妇熟女久久| 久久久久国产一级毛片高清牌| 欧美激情久久久久久爽电影 | 男女下面插进去视频免费观看| 国产激情久久老熟女| 精品少妇一区二区三区视频日本电影| 美女高潮喷水抽搐中文字幕| 18禁美女被吸乳视频| 国产精品国产av在线观看| 大型黄色视频在线免费观看| 美女午夜性视频免费| 午夜久久久在线观看| 精品国产一区二区久久| tocl精华| 精品久久久久久电影网| 黑丝袜美女国产一区| 久久香蕉精品热| 又大又爽又粗| 琪琪午夜伦伦电影理论片6080| 精品福利观看| 久久影院123| 久热这里只有精品99| 美女高潮喷水抽搐中文字幕| 亚洲欧美激情综合另类| 伦理电影免费视频| 中文字幕精品免费在线观看视频| 黑人操中国人逼视频| 老汉色∧v一级毛片| 日韩一卡2卡3卡4卡2021年| 国产高清视频在线播放一区| 长腿黑丝高跟| 老司机深夜福利视频在线观看| 巨乳人妻的诱惑在线观看| 高清欧美精品videossex| 夜夜躁狠狠躁天天躁| 后天国语完整版免费观看| 麻豆一二三区av精品| 成人国语在线视频| 人人澡人人妻人| 中文字幕人妻熟女乱码| 麻豆一二三区av精品| 欧美日韩中文字幕国产精品一区二区三区 | 欧美精品啪啪一区二区三区| 亚洲一区二区三区色噜噜 | 国产精品九九99| 夜夜躁狠狠躁天天躁| 精品国产亚洲在线| 国产区一区二久久| 欧美日韩精品网址| 国产一区二区在线av高清观看| 久久这里只有精品19| 女人被躁到高潮嗷嗷叫费观| 多毛熟女@视频| 不卡av一区二区三区| 亚洲精品久久午夜乱码| 亚洲在线自拍视频| 亚洲一区中文字幕在线| 婷婷精品国产亚洲av在线| 十八禁网站免费在线| 日日干狠狠操夜夜爽| 久久久精品国产亚洲av高清涩受| 国产精品一区二区免费欧美| 午夜日韩欧美国产| av免费在线观看网站| 亚洲全国av大片| 久久亚洲精品不卡| 18禁国产床啪视频网站| 亚洲av成人av| 又大又爽又粗| 天堂影院成人在线观看| 亚洲av成人一区二区三| 变态另类成人亚洲欧美熟女 | 亚洲欧美精品综合一区二区三区| 亚洲全国av大片| 免费av毛片视频| 婷婷六月久久综合丁香| 日韩高清综合在线| 欧美乱妇无乱码| 女性被躁到高潮视频| 露出奶头的视频| 一个人观看的视频www高清免费观看 | av超薄肉色丝袜交足视频| 午夜亚洲福利在线播放| 亚洲在线自拍视频| 精品人妻在线不人妻| 免费看十八禁软件| 两性午夜刺激爽爽歪歪视频在线观看 | 欧美精品一区二区免费开放| 精品人妻在线不人妻| 国产亚洲欧美在线一区二区| 91国产中文字幕| 纯流量卡能插随身wifi吗| 超色免费av| 国产精品免费视频内射| 国产成人精品无人区| 999精品在线视频| 一级片免费观看大全| 国产黄色免费在线视频| 啦啦啦免费观看视频1| 9色porny在线观看| 91在线观看av| 欧美色视频一区免费| 国产精品综合久久久久久久免费 | 欧美亚洲日本最大视频资源| 亚洲狠狠婷婷综合久久图片| 亚洲精品在线观看二区| 18禁美女被吸乳视频| 亚洲国产精品sss在线观看 | 黑人操中国人逼视频| 99香蕉大伊视频| 咕卡用的链子| 在线天堂中文资源库| 一边摸一边做爽爽视频免费| 久久人妻熟女aⅴ| 日韩免费av在线播放| 俄罗斯特黄特色一大片| 黄色a级毛片大全视频| 国产野战对白在线观看| 欧美不卡视频在线免费观看 | 国产激情欧美一区二区| 亚洲国产精品999在线| 午夜精品在线福利| 欧美日韩瑟瑟在线播放| 校园春色视频在线观看| 成人国产一区最新在线观看| 久久天躁狠狠躁夜夜2o2o| 91麻豆精品激情在线观看国产 | 美女福利国产在线| 19禁男女啪啪无遮挡网站| www.999成人在线观看| 中亚洲国语对白在线视频| 久久久久精品国产欧美久久久| 亚洲av片天天在线观看| 久久精品91蜜桃| 夜夜爽天天搞| e午夜精品久久久久久久| 久久中文字幕一级| 久久影院123| 国产精品久久视频播放| 国产99久久九九免费精品| 夜夜爽天天搞| 黑人操中国人逼视频| 自拍欧美九色日韩亚洲蝌蚪91| 亚洲中文字幕日韩| 黄色毛片三级朝国网站| 国产精品国产av在线观看| 亚洲欧美激情综合另类| 性色av乱码一区二区三区2| 国产高清国产精品国产三级| 日本欧美视频一区| 别揉我奶头~嗯~啊~动态视频| 精品福利观看| 淫妇啪啪啪对白视频| 99久久人妻综合| 黄频高清免费视频| 久久 成人 亚洲| 在线永久观看黄色视频| 老汉色∧v一级毛片| 亚洲狠狠婷婷综合久久图片| 免费一级毛片在线播放高清视频 | 中出人妻视频一区二区| 久久精品91蜜桃| 亚洲精品久久午夜乱码| 欧美在线黄色| 狂野欧美激情性xxxx| 性色av乱码一区二区三区2| 啦啦啦在线免费观看视频4| 日本撒尿小便嘘嘘汇集6| 老司机在亚洲福利影院| 男女之事视频高清在线观看| 一区二区日韩欧美中文字幕| 久9热在线精品视频| 国产精品二区激情视频| ponron亚洲| 亚洲午夜理论影院| 在线观看日韩欧美| 成年人免费黄色播放视频| ponron亚洲| 夜夜躁狠狠躁天天躁| 成人手机av| 美女午夜性视频免费| 不卡av一区二区三区| 男人舔女人的私密视频| 精品高清国产在线一区| 国产区一区二久久| 51午夜福利影视在线观看| 乱人伦中国视频| 久久精品影院6| 一边摸一边做爽爽视频免费| 国产精品野战在线观看 | 久久天躁狠狠躁夜夜2o2o| av福利片在线| 久久香蕉国产精品| 亚洲专区中文字幕在线| 两个人看的免费小视频| 大型黄色视频在线免费观看| 午夜免费激情av| 天堂俺去俺来也www色官网| 国产精品日韩av在线免费观看 | 国产精品久久久人人做人人爽| 亚洲欧美日韩另类电影网站| 亚洲九九香蕉| 成人三级黄色视频| tocl精华| 香蕉丝袜av| 国产欧美日韩一区二区三| 99久久精品国产亚洲精品| 免费在线观看影片大全网站| av电影中文网址| 欧美中文日本在线观看视频| 日韩高清综合在线| av有码第一页| 伦理电影免费视频| 1024香蕉在线观看| 久久人妻av系列| 高清毛片免费观看视频网站 | 午夜成年电影在线免费观看| 亚洲成人免费av在线播放| 人人妻人人澡人人看| 中文字幕另类日韩欧美亚洲嫩草| av国产精品久久久久影院| 亚洲激情在线av| 自线自在国产av| 这个男人来自地球电影免费观看| 精品少妇一区二区三区视频日本电影| 亚洲色图综合在线观看| 国产91精品成人一区二区三区| 精品日产1卡2卡| 色在线成人网| 色哟哟哟哟哟哟| 精品高清国产在线一区| 欧美日本中文国产一区发布| 巨乳人妻的诱惑在线观看| 一级黄色大片毛片| av网站在线播放免费| 亚洲一区二区三区欧美精品| 国产亚洲欧美在线一区二区| 成人三级黄色视频| 国产无遮挡羞羞视频在线观看| 窝窝影院91人妻| 久久久久久亚洲精品国产蜜桃av| 亚洲av熟女| 久久中文字幕一级| 亚洲欧美日韩无卡精品| 精品少妇一区二区三区视频日本电影| www.精华液| 国产主播在线观看一区二区| aaaaa片日本免费| 满18在线观看网站| 久久精品影院6| 在线视频色国产色| 免费不卡黄色视频| 亚洲av第一区精品v没综合| 波多野结衣高清无吗| 在线免费观看的www视频| 日韩免费av在线播放| 一本大道久久a久久精品| 中文字幕人妻熟女乱码| 香蕉丝袜av| 日韩 欧美 亚洲 中文字幕| 国产乱人伦免费视频| 天堂影院成人在线观看| 老司机午夜十八禁免费视频| 免费女性裸体啪啪无遮挡网站| 一区福利在线观看| 亚洲精品中文字幕在线视频| 午夜福利影视在线免费观看| 欧美另类亚洲清纯唯美| 色精品久久人妻99蜜桃| 十八禁网站免费在线| 在线播放国产精品三级| 69精品国产乱码久久久| 一级,二级,三级黄色视频| 亚洲第一青青草原| 精品一区二区三区视频在线观看免费 | 亚洲激情在线av| 国产无遮挡羞羞视频在线观看| 久久亚洲真实| 琪琪午夜伦伦电影理论片6080| 久久人人97超碰香蕉20202| 欧美日韩视频精品一区| 精品一区二区三区视频在线观看免费 | 欧美大码av| 精品无人区乱码1区二区| 一个人观看的视频www高清免费观看 | 精品一品国产午夜福利视频| 久久精品国产99精品国产亚洲性色 | 国产精品九九99| 真人做人爱边吃奶动态| 亚洲avbb在线观看| 国产精品久久久人人做人人爽| 日本五十路高清| 日韩有码中文字幕| 久久久久亚洲av毛片大全| 国产精品1区2区在线观看.| 亚洲国产精品一区二区三区在线| 欧美不卡视频在线免费观看 | 中出人妻视频一区二区| 亚洲精品久久成人aⅴ小说| 韩国精品一区二区三区| 久久香蕉激情| 成人国产一区最新在线观看| 在线观看66精品国产| 十八禁人妻一区二区| 亚洲人成网站在线播放欧美日韩| 99国产精品一区二区蜜桃av| 在线观看免费视频日本深夜| 欧洲精品卡2卡3卡4卡5卡区| 欧美成人性av电影在线观看| 一级a爱视频在线免费观看| 操出白浆在线播放| 9191精品国产免费久久| 男女下面插进去视频免费观看| 激情视频va一区二区三区| 欧美丝袜亚洲另类 | 亚洲av片天天在线观看| 久久青草综合色| 可以在线观看毛片的网站| 黄色视频,在线免费观看| 精品无人区乱码1区二区| 日本黄色视频三级网站网址| 视频区欧美日本亚洲| 脱女人内裤的视频| 巨乳人妻的诱惑在线观看| 欧美另类亚洲清纯唯美| 天天躁夜夜躁狠狠躁躁| 久久久久九九精品影院| 搡老乐熟女国产| 亚洲成人免费av在线播放| 69av精品久久久久久| xxx96com| 国产午夜精品久久久久久| 成人国语在线视频| 亚洲精品一卡2卡三卡4卡5卡| 如日韩欧美国产精品一区二区三区| 久久精品亚洲熟妇少妇任你| 大香蕉久久成人网| 麻豆一二三区av精品| 欧美乱妇无乱码| 国产精品98久久久久久宅男小说| √禁漫天堂资源中文www| 亚洲成人免费电影在线观看| 级片在线观看| 欧美性长视频在线观看| 精品福利观看| 男人舔女人下体高潮全视频| 国产伦人伦偷精品视频| 亚洲成a人片在线一区二区| 午夜福利影视在线免费观看| 亚洲第一av免费看| 久久婷婷成人综合色麻豆| 91麻豆精品激情在线观看国产 | 免费在线观看影片大全网站| 欧美亚洲日本最大视频资源| 国产免费现黄频在线看| 女人精品久久久久毛片| 不卡av一区二区三区| 午夜精品国产一区二区电影| 国产成人精品在线电影| 国产精品亚洲av一区麻豆| 欧美中文日本在线观看视频| 桃色一区二区三区在线观看| 亚洲欧美激情综合另类| 性少妇av在线| 97超级碰碰碰精品色视频在线观看| 亚洲一卡2卡3卡4卡5卡精品中文| 亚洲色图 男人天堂 中文字幕| 高清毛片免费观看视频网站 | 国产免费av片在线观看野外av| 亚洲片人在线观看| 国产主播在线观看一区二区| 丁香欧美五月| 国产真人三级小视频在线观看| 日韩成人在线观看一区二区三区| 涩涩av久久男人的天堂| 深夜精品福利| 中文字幕人妻丝袜制服| 色精品久久人妻99蜜桃| 男人的好看免费观看在线视频 | 亚洲五月天丁香| 高潮久久久久久久久久久不卡| 夜夜看夜夜爽夜夜摸 | 亚洲精品国产精品久久久不卡| 成年人免费黄色播放视频| 日本黄色日本黄色录像| 天堂√8在线中文| 99精国产麻豆久久婷婷| 精品久久久久久久久久免费视频 | 香蕉久久夜色| 麻豆久久精品国产亚洲av | 丝袜美足系列| 99国产精品免费福利视频| 精品日产1卡2卡| 夜夜躁狠狠躁天天躁| 成人特级黄色片久久久久久久| 欧美在线黄色| 精品国产乱码久久久久久男人| 脱女人内裤的视频| 亚洲第一av免费看| bbb黄色大片| 国产成人欧美| 欧美日韩亚洲综合一区二区三区_| 国产成人一区二区三区免费视频网站| 后天国语完整版免费观看| 日韩有码中文字幕| 桃色一区二区三区在线观看| 国产激情久久老熟女| 国产aⅴ精品一区二区三区波| 成人18禁高潮啪啪吃奶动态图| 精品国产乱子伦一区二区三区| 看片在线看免费视频| 又黄又粗又硬又大视频| 又黄又爽又免费观看的视频| 天堂俺去俺来也www色官网| 欧美+亚洲+日韩+国产| 美女大奶头视频| 午夜免费观看网址| 女性生殖器流出的白浆| 免费高清在线观看日韩| cao死你这个sao货| 制服诱惑二区| 少妇的丰满在线观看| 国产高清国产精品国产三级| 成人精品一区二区免费| 老司机亚洲免费影院| 亚洲人成网站在线播放欧美日韩| 成人av一区二区三区在线看| 日韩成人在线观看一区二区三区| 另类亚洲欧美激情| 女生性感内裤真人,穿戴方法视频| 久久中文字幕一级| 国产成人影院久久av| 波多野结衣一区麻豆| 国产单亲对白刺激| 91老司机精品| 一本大道久久a久久精品| 国产视频一区二区在线看| 国产精品影院久久| 他把我摸到了高潮在线观看| 亚洲中文av在线| 电影成人av| 老司机午夜十八禁免费视频| 夫妻午夜视频| 成人av一区二区三区在线看| 18美女黄网站色大片免费观看| 最新美女视频免费是黄的| 日本五十路高清| 亚洲性夜色夜夜综合| 亚洲一区二区三区欧美精品| 久久久精品国产亚洲av高清涩受| 日韩欧美在线二视频| 国产成人精品久久二区二区免费| 亚洲精品一卡2卡三卡4卡5卡| 亚洲av成人不卡在线观看播放网| 少妇被粗大的猛进出69影院| 天天添夜夜摸| 男人操女人黄网站| 午夜久久久在线观看| 亚洲中文日韩欧美视频| 欧美日韩瑟瑟在线播放| 嫩草影院精品99| 丁香六月欧美| 中文字幕人妻丝袜一区二区| 法律面前人人平等表现在哪些方面| 国产在线观看jvid| 十分钟在线观看高清视频www| 欧美日韩黄片免| 亚洲一区二区三区欧美精品| 看免费av毛片| 女同久久另类99精品国产91| 亚洲国产毛片av蜜桃av| 国产成人精品在线电影| 久久久国产成人免费| 正在播放国产对白刺激| 欧美性长视频在线观看| 国产av在哪里看| 亚洲av日韩精品久久久久久密| 亚洲人成电影观看| 亚洲avbb在线观看| 国产伦一二天堂av在线观看| 999久久久国产精品视频| 亚洲男人天堂网一区| 一级,二级,三级黄色视频| 99久久综合精品五月天人人| 中文字幕高清在线视频| 悠悠久久av| a级片在线免费高清观看视频| 免费人成视频x8x8入口观看| 欧美精品一区二区免费开放| 老司机午夜十八禁免费视频| 正在播放国产对白刺激| 日日夜夜操网爽| 免费在线观看影片大全网站| 亚洲成av片中文字幕在线观看| 99riav亚洲国产免费| 精品久久久久久久久久免费视频 | 亚洲精品中文字幕一二三四区| 超碰成人久久| 满18在线观看网站| 美女国产高潮福利片在线看| 日日干狠狠操夜夜爽| 757午夜福利合集在线观看| 国产伦人伦偷精品视频| 欧美性长视频在线观看| 欧美成人性av电影在线观看| 搡老熟女国产l中国老女人| 国产精品爽爽va在线观看网站 | 午夜精品国产一区二区电影| 视频区图区小说| 91字幕亚洲| 97超级碰碰碰精品色视频在线观看|