Research on SIP Protocol Security and Implementation of an Evaluation Tool
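Abstract
The Next Generation Network (NGN) has become a widely discussed focus of the industry. The main issues under discussion include network security and protocol security, quality of service, and business models. Of these, network security and protocol security are foundational problems that NGN must solve, and they are also the most critical problems that the NGN bearer network must solve.
This thesis centers on protocol security. It studies and tests the security of SIP, a key NGN protocol. Drawing on a summary of testing theory and methods, it drafts a protocol test standard specification, and on that basis designs and implements a security test evaluation tool. The tool is used to test whether devices that use SIP in next generation networks meet security requirements. The thesis covers the following:
1) It introduces the SIP protocol specification and studies SIP security problems in depth, analyzing them from two angles: security threats to SIP and parsing-related security problems. It also introduces SIP's security mechanisms and proposes new ideas and methods for solving the security problems;
2) It designs a new test case description language, TSD, and implements test case parsing based on TSD. The language greatly reduces the complexity of the parsing implementation and is concise, efficient, and general;
3) Borrowing ideas from penetration testing, it designs SIP security test cases and carries out SIP security testing, then combines the findings on SIP security problems with the designed test cases to formulate a draft SIP security standard;
4) It designs in detail and implements the evaluation tool. The tool has two parts: the control platform and the point of control and observation. The control platform consists of six modules: user interface, script parsing, packet generation, test case execution, judgment, and communication. The point of control and observation implements a small TCP/UDP/IPv4 protocol stack and provides interfaces for protocols at each layer.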
NGN (Next Generation Network) has become a hot topic recently. The problems of network security and protocol security, quality of service, business models, etc. have been extensively discussed. Among these problems, network security and protocol security are the basic ones that need to be solved.
This thesis focuses on protocol security. The main tasks are to research and test the security of the SIP protocol. After investigating the theories and methods of protocol testing, a draft security test standard for the SIP protocol is presented, and then the design and implementation of the evaluation tool are described. The tool is used for testing the security of the devices
Furthermore, a new test case description language, TSD, is designed and implemented. The language is simple and the implementation is very efficient. Ideas from penetration testing are used to design the test cases.
The tool is divided into two parts: the control platform and the PCO (Point of Control and Observation). The control platform contains six modules: user interface, test script parsing, packet generation, test case execution, judgment, and communication, while the PCO implements a lightweight TCP/UDP/IPv4 stack that provides interfaces for protocols at each layer.
