Optimized Security Rules Matching Algorithm Based on Cryptographic Hash Function
  • English title: Optimized Security Rules Matching Algorithm Based on Cryptographic Hash Function
  • Authors: 李冬; 李明; 陈琳; 王云霄; 郭小燕; 张丞
  • Authors (English): LI Dong; LI Ming; CHEN Lin; WANG Yun-xiao; GUO Xiao-yan; ZHANG Cheng (Information & Telecommunication Company, State Grid Shandong Electric Power Corporation)
  • Keywords: network security; firewall; security rules; cryptographic hash function
  • Journal title (Chinese): RJDK
  • Journal title (English): Software Guide
  • Institution: Information & Telecommunication Company, State Grid Shandong Electric Power Corporation
  • Publication date: 2019-01-25 14:15
  • Publisher: 软件导刊 (Software Guide)
  • Year: 2019
  • Issue: v.18; No.201
  • Funding: Science and Technology Project of State Grid Shandong Electric Power Corporation (2018A-079)
  • Language: Chinese
  • Page: RJDK201907022
  • Page count: 4
  • CN: 07
  • ISSN: 42-1671/TP
  • Classification number: 94-97
Abstract
With the rapid growth in the number of security rules in firewalls, intrusion prevention systems and other network security systems, rule-matching efficiency has become a bottleneck for the performance of network security devices. Based on the randomness and low collision rate of cryptographic hash algorithms, we design a security rules matching algorithm for network security devices such as firewalls. By adjusting parameters such as the number of rounds of the SM3 hash algorithm and the size of the storage space, a balance between storage consumption and implementation efficiency is reached. The relation between the number of rules, the size of the storage space and the collision probability is analyzed, as well as the speed of software and hardware implementations. The scheme has a lower collision probability and better randomness than previous simple hash algorithms, and is suitable for performance optimization and efficiency improvement of network security devices such as high-performance firewalls.
