Research and Implementation of Key Management Techniques for Security Protocols on High-End Routers
Abstract
High-end routers are the core equipment of the Internet backbone; their security and robustness directly determine the availability of the network. Security protocols, as protocol-level security frameworks, remain a central and difficult topic in the security field, and key management, as an essential component of any security protocol, governs how efficiently the whole protocol can be deployed.

This thesis systematically studies security protocols and their key management protocols, focusing on IPSec and its key management. Building on the basic framework of the Internet Security Association and Key Management Protocol (ISAKMP), it describes the overall design of the IPSec security protocol and proposes a design for the automatic key exchange protocol IKE. The design covers the ISAKMP framework, the two IKE negotiation phases and the message exchanges, which together make up essentially all of the automatic key exchange protocol, and it realises the functional structure defined by ISAKMP. The overall design has two main features. First, to meet the need for high-speed, high-volume IKE negotiation in a high-end router, it proposes an encapsulation mode for protection suites based on hash-table storage. Second, it analyses defects in the current IKE specification and gives an improved design. Finally, the implemented IKE system was debugged peer-to-peer against another instance of the same implementation and interoperability-tested against other vendors' IKE subsystems; the test results are analysed and point to the direction of further work.
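The hash-table encapsulation of protection suites mentioned in the abstract is, in concrete terms, a responder policy table keyed by the attributes that identify a Phase 1 protection suite. The Python below is an added example written for this page, not code from the thesis or its IKE implementation: it parses the ISAKMP data-attribute encoding of offered transforms (RFC 2408 section 3.3), looks each one up in a dict keyed by the (encryption algorithm, hash algorithm, authentication method, DH group) tuple using the attribute classes of RFC 2409 Appendix A, and returns the transform the responder accepts together with the negotiated lifetime. The policy entries, the offered transforms and the lifetimes are constructed for the example, and how the thesis actually keys its hash table is not stated on the page, so the key choice here is an assumption.

```python
import struct

# RFC 2409 Appendix A attribute classes used in a Phase 1 transform.
ATTR_ENC, ATTR_HASH, ATTR_AUTH, ATTR_GROUP = 1, 2, 3, 4
ATTR_LIFE_TYPE, ATTR_LIFE_DURATION = 11, 12
LIFE_SECONDS = 1                      # Life Type value: lifetime counted in seconds

# Attribute values used below (RFC 2409 Appendix A; AES-CBC = 7 is from RFC 3602).
ENC_DES, ENC_3DES, ENC_AES = 1, 5, 7
HASH_MD5, HASH_SHA1 = 1, 2
AUTH_PSK, AUTH_RSA_SIG = 1, 3
GROUP_MODP768, GROUP_MODP1024, GROUP_MODP1536 = 1, 2, 5


def encode_attributes(attrs):
    """Serialise {attribute_type: int} as ISAKMP data attributes (RFC 2408 s3.3).
    Values that fit in 16 bits use the TV form (AF bit set, value in the second
    word); larger values use TLV (AF bit clear, second word is the value length)."""
    out = bytearray()
    for atype, value in attrs.items():
        if value <= 0xFFFF:
            out += struct.pack("!HH", 0x8000 | atype, value)
        else:
            out += struct.pack("!HH", atype, 4) + value.to_bytes(4, "big")
    return bytes(out)


def parse_attributes(data):
    """Inverse of encode_attributes. Rejects attributes that run past the end of
    the payload instead of reading beyond it."""
    attrs, off = {}, 0
    while off < len(data):
        if off + 4 > len(data):
            raise ValueError("truncated attribute header at offset %d" % off)
        word, rest = struct.unpack_from("!HH", data, off)
        af, atype = word >> 15, word & 0x7FFF
        off += 4
        if af:                                   # TV: 'rest' is the value itself
            attrs[atype] = rest
        else:                                    # TLV: 'rest' is the value length
            if off + rest > len(data):
                raise ValueError("TLV attribute %d overruns payload" % atype)
            attrs[atype] = int.from_bytes(data[off:off + rest], "big")
            off += rest
    return attrs


def suite_key(attrs):
    """The hash-table key (assumed here): the four attributes naming a protection suite."""
    return tuple(attrs.get(t) for t in (ATTR_ENC, ATTR_HASH, ATTR_AUTH, ATTR_GROUP))


class SuiteTable:
    """Responder policy as a dict keyed by suite_key(). Each entry holds the
    responder's preference rank (lower is better) and its maximum SA lifetime,
    so matching one offered transform costs one lookup regardless of policy size."""

    def __init__(self, suites):
        self.table = {}
        for rank, (enc, hsh, auth, grp, max_life) in enumerate(suites):
            self.table[(enc, hsh, auth, grp)] = (rank, max_life)

    def select(self, transforms):
        """transforms: [(transform_number, attribute_bytes), ...] in initiator order.
        Returns (transform_number, lifetime_seconds, lifetime_was_clamped) for the
        acceptable transform the responder prefers most, or None if none matches."""
        best = None
        for tnum, raw in transforms:
            attrs = parse_attributes(raw)
            entry = self.table.get(suite_key(attrs))
            if entry is None:
                continue
            if attrs.get(ATTR_LIFE_TYPE, LIFE_SECONDS) != LIFE_SECONDS:
                continue                         # only second-based lifetimes handled here
            rank, max_life = entry
            offered = attrs.get(ATTR_LIFE_DURATION, max_life)
            if best is None or rank < best[0]:
                best = (rank, tnum, min(offered, max_life), offered > max_life)
        return None if best is None else best[1:]


# Constructed responder policy: AES/SHA1/RSA-sig/MODP-1536 preferred over 3DES/SHA1/PSK/MODP-1024.
SAMPLE_POLICY = SuiteTable([
    (ENC_AES, HASH_SHA1, AUTH_RSA_SIG, GROUP_MODP1536, 28800),
    (ENC_3DES, HASH_SHA1, AUTH_PSK, GROUP_MODP1024, 28800),
])

# Constructed initiator offer of three transforms; 86400 s does not fit in 16 bits,
# so that lifetime is encoded TLV while the other attributes are TV.
SAMPLE_OFFER = [
    (1, encode_attributes({ATTR_ENC: ENC_DES, ATTR_HASH: HASH_MD5, ATTR_AUTH: AUTH_PSK,
                           ATTR_GROUP: GROUP_MODP768, ATTR_LIFE_TYPE: LIFE_SECONDS,
                           ATTR_LIFE_DURATION: 86400})),
    (2, encode_attributes({ATTR_ENC: ENC_3DES, ATTR_HASH: HASH_SHA1, ATTR_AUTH: AUTH_PSK,
                           ATTR_GROUP: GROUP_MODP1024, ATTR_LIFE_TYPE: LIFE_SECONDS,
                           ATTR_LIFE_DURATION: 86400})),
    (3, encode_attributes({ATTR_ENC: ENC_AES, ATTR_HASH: HASH_SHA1, ATTR_AUTH: AUTH_RSA_SIG,
                           ATTR_GROUP: GROUP_MODP1536, ATTR_LIFE_TYPE: LIFE_SECONDS,
                           ATTR_LIFE_DURATION: 3600})),
]

if __name__ == "__main__":
    print(SAMPLE_POLICY.select(SAMPLE_OFFER))        # (3, 3600, False)
    print(SAMPLE_POLICY.select(SAMPLE_OFFER[:2]))    # (2, 28800, True)
```

Two points are worth noting. The cost of processing an offer is one hash lookup per offered transform, independent of how many suites the router's policy holds, which is the property the abstract is after for high-volume negotiation. The parser also refuses a TLV attribute whose declared length runs past the payload rather than reading beyond it, and a lifetime longer than policy allows is clamped and flagged, which is the case in which a real responder would send the IPSec DOI's RESPONDER-LIFETIME notification.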

© 2004-2018 China Geological Library. All rights reserved. 京ICP备05064691号 京公网安备11010802017129号
