Research on Implementing Secure Routing Based on the Permutation Code Encryption/Decryption Algorithm
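Abstract
With the rapid development of computer networks and electronic service industries of all kinds, people's requirements for network communication and data security keep rising. How to ensure the security of information and of the network itself, and in particular how to ensure that information is not stolen or tampered with during storage and transmission when confidential information such as business data is exchanged in an open, interconnected environment, has become a matter of great concern to enterprises and the public.
The Slammer worm, only 376 bytes in size, once swept through the routers and switches of South Korea's backbone network within a single day and paralyzed the Korean Internet. It has been calculated that if Slammer could spread worldwide within 15 minutes, the world's backbone routers would be paralyzed beyond remedy. The facts show that people have neglected the security protection of routers and other network devices, making them a weak link in the security protection system and therefore a target of attack in all kinds of security incidents. As a relay station for data forwarding, a router affects the whole when any part of it is touched, and its security directly affects the networks connected to it. How to transmit information over the network faster and more securely is a hot topic in the router field. To have routers forward legitimate information to its destination completely, promptly and securely, many router vendors have begun to consider strengthening router security mechanisms to ensure network security. Hence the trend toward various secure routers and implementations of secure routing functions.
The focus of this thesis is to use a new encryption algorithm with higher encryption and decryption speed and stronger confidentiality, the permutation code encryption/decryption algorithm, to build a more secure encrypted routing mechanism. The basic idea of the project is to install a general-purpose network driver with encryption capability on a simulated router and to have the driver encrypt and decrypt the IP packets it intercepts, thereby achieving secure routing between multiple network segments. Finding an effective and reasonable way to combine the permutation code algorithm with the routing mechanism is the core problem of the project. After many experiments, a low-level driver, GNetDriver, was found that follows NDIS, the unified network interface specification of Windows (applicable between the physical layer and the application layer of the network), and that can intercept and filter IP packets. Most importantly, GNetDriver supports being combined with the permutation code algorithm; in the end, the driver with encryption capability is installed on the simulated router to encrypt and decrypt the IP packets passing between multiple network segments.
This project offers a reference solution to the "low efficiency" problem of current secure routing. The scheme is also positioned as a core network product, and it is expected to have high practical value and good application prospects.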
With the development of computer networks and all kinds of electronic service industries, people need ever higher security for data sent over the network. How to guarantee the security of information and of the network itself, especially for commercial information exchanged in an open, interconnected environment, and how to ensure that information is not stolen or tampered with when it is stored and transferred, has become a focus of concern for enterprises and the public.
In only one day, a Slammer worm just 376 bytes in size swept all the routers and switches in Korea and paralyzed Korea's network. It has been calculated that if Slammer could spread more quickly, it would be found all over the world, and the global backbone routers would follow Korea's backbone routers with nothing to be done about it. These cases are not alarmism: when people lose sight of protecting network devices such as routers, those devices become the weakest node and the target of attack. The router, as a relay station, plays an important role in the network, and its security determines the security of the whole network; it is therefore often attacked maliciously. How to transfer information more quickly and securely over the network is a hot subject in router research. To make routers transmit data completely, promptly and safely, many router manufacturers have begun to strengthen router security mechanisms, and so all kinds of secure routers and implementations of secure routing functions have appeared.
The focus of this paper is to make use of a new encryption algorithm with higher speed and better secrecy, the Permutation Code, to build a more secure encrypting router mechanism. In this paper, I set up a network driver with an encryption function on two servers (simulated routers), which play the role of routers in the LAN; the driver can intercept IP data and encrypt or decrypt it, thus implementing secure routing across multiple networks. During work on the dissertation, it was not easy for me to find a way to combine the Permutation Code with the router effectively and reasonably. After many tests, I found a network driver named GNetDriver, which conforms to Windows NDIS and fits between the physical layer and the application layer. Most importantly, GNetDriver can support the Permutation Code; in the end, the encapsulated driver is installed on the simulated router. The simulated router can then forward traffic across multiple networks and encrypt/decrypt IP data.
This paper puts forward a solution to the problem of inefficient secure routing. At the same time, the project is aimed at being a core network product, and it should have good practical value and application prospects.