基于IP的安全机制研究
摘要
Internet的日益普及给人们的生活和工作方式带来了巨大的变革,人们在享受网络技术带来的便利的同时,安全问题也提上了议事日程,网络安全也成为计算机领域的研究热点之一。
人们根据不同的需求设计了多种安全机制,常见的有信息包过滤器、SOCKS协议服务器、各种应用防火墙等。同时,也出现了一些与应用相关的安全机制,如安全电子邮件(S/MIME,PGP)、客户/服务器(Kerberos)、Web访问(SSL)等。这些安全机制在网络的不同协议层实现,都有其相应的特点。一般来讲,高层的安全服务用来保护某个应用,低层的安全服务用来保护某个传输媒介。而Internet传输往往是多种不同的应用组合在不同的媒介上传输,也就是说,当用户的安全需求跨越了协议层的时候,如何提供一种Internet上通用的安全机制成为了一个需要解决的问题。
Internet上的通信基于不可靠的数据包传输,运作的核心是TCP/IP协议族。在通信协议的分层模型中,IP层是可能实现端到端安全传输的最底层,在IP层提供的安全机制可以为所有的应用提供安全服务,是唯一可以提供通用的安全服务的安全机制。本文研究的就是基于IP的安全机制——IPSec协议。
IPSec协议是为了解决Internet上的安全需求而提出的基于IP层的安全机制。其目标是为IPv4和IPv6提供具有较强的互操作能力、高质量和基于加密的安全服务。IPSEC协议提供的安全服务集包括存取控制、无连接的完整性、数据源鉴别、反重放攻击、机密性和有限的通信量的机密性。这些服务在IP层提供,可以为IP层以上或者以下的协议提供安全保护。
本文对基于IP的安全机制——IPSec协议进行了研究,IPSec协议是基于加密机术的安全机制。本文首先研究了加密算法,重点研究了高级加密标准(AES)算法及其在IPSEC协议中的应用,并对IP环境下的加密模式做了一定的分析。最后在分析IPSEC协议的安全机理的前提下,提出了一个基于LINUX系统的IPSEC协议实现模型,并分析了主要的算法。
本文做的主要研究工作如下:
(1) 加密技术是实现数据机密性有效甚至是唯一的解决方案,本文首先对加密技术进行了探讨,介绍了相应的加密机制并进行了分析。重点对新型的分组加密算法AES及其在IP安全机制IPSec协议中的应用做了相关的研究工作。
(2) 加密技术的安全性不但和算法有关,而且和密码模式也有关,一种模式在这个环境中是安全的,在另外一个环境可能容易受到攻击。这和环境的特点有关。本文在分析密码模式的概念的基础上,对IP环境下的数据传输的特点及其对加密模式的影响进行了分析,并给出了一些设计规则。
基于P的安全机制研究
自)IPSec协议在网络安全中的应用越来越广泛,本文在分析 IPSec协议实现机制的
基础上,给出了一个基于Lffe’M-一系统的IPSec协议实现模型,并详细阐述了其
实现思想和部分算法。
The increasingly popularization of Internet brings great changes to the manners of people's living and working. As people enjoy the convenience bring by network technology, security issues also come into consideration. Network security also becomes one of the research hotspots in the computer domanial.
People have designed manifold security mechanism according to diverse requirements. For example, socks protocol server, manifold types firewalls. At the same time security mechanisms correlated to application also appeared, i.e. are security e-mail(S/MIME, PGP), kerberos, ssl. These security mechanisms are implemented on the diverse protocol layers and have corresponding characteristics. Commonly speaking, security services on the higher layer protect applications, security services on the lower level layer protect communication medium. But the Internet communication is manifold diverse application combinations communicating on diverse mediums. That is to say, when users security requirement spans protocol layers, how to offer a universal security mechanism on Internet becomes a problem to solve.
The core of the Internet is TCP/IP protocols and is based on unreliable datagram communication. In the layered model of communication protocols, IP layer is the lowest layer of likely realizing end-end security commnucation. The security mechanism based on the IP layer can offer security services to all applications and is the only security mechanism that can offer universal sercurity services. In this paper we research the security mechanism based on the IP layer-IPSec protocol.
IPsec is designed to provide interoperable, high quality, cryptographically-based security for IPv4 and IPv6. The set of security services offered includes access control, connectionless integrity, data origin authentication, protection against replays, confidentiality, and limited traffic flow confidentiality. These services are provided at the IP layer, offering protection for IP and/or upper layer protocols.
In this paper we study the security mechanism based on IP, Because IPSec protocol is a
security mechanism based on cryptograph, we discussed cyptograhical algorithm firstly, then we analyze the cryptographical modes in the enviroment of IP communications. We also research AES algorithm and it's application in IPSec protocol. Finally we bring forward a implement model of IPSec protocol base on the Linux system and analyze the main algorithms. The main reseach works we do as follows:
(1) Cryptograph is the effective and the only technicle to ensure data confidentiality. In this paper we expended the basic concept and class of encrpytion techniques.. Finally we analized the AES algorithm and its application in IPSec protocol.
(2) Because the communication of IP datagram has charaisteristics of itself, we analized the influence that IP datagram communication does on encryption modes,and put forward some design rules.
(3) We analized the implement mechanism of IPSec protocol in the fourth chapter, then we put forward a implement model of IPSec protocol and made a detailed description of implement algorithm.
人们根据不同的需求设计了多种安全机制,常见的有信息包过滤器、SOCKS协议服务器、各种应用防火墙等。同时,也出现了一些与应用相关的安全机制,如安全电子邮件(S/MIME,PGP)、客户/服务器(Kerberos)、Web访问(SSL)等。这些安全机制在网络的不同协议层实现,都有其相应的特点。一般来讲,高层的安全服务用来保护某个应用,低层的安全服务用来保护某个传输媒介。而Internet传输往往是多种不同的应用组合在不同的媒介上传输,也就是说,当用户的安全需求跨越了协议层的时候,如何提供一种Internet上通用的安全机制成为了一个需要解决的问题。
Internet上的通信基于不可靠的数据包传输,运作的核心是TCP/IP协议族。在通信协议的分层模型中,IP层是可能实现端到端安全传输的最底层,在IP层提供的安全机制可以为所有的应用提供安全服务,是唯一可以提供通用的安全服务的安全机制。本文研究的就是基于IP的安全机制——IPSec协议。
IPSec协议是为了解决Internet上的安全需求而提出的基于IP层的安全机制。其目标是为IPv4和IPv6提供具有较强的互操作能力、高质量和基于加密的安全服务。IPSEC协议提供的安全服务集包括存取控制、无连接的完整性、数据源鉴别、反重放攻击、机密性和有限的通信量的机密性。这些服务在IP层提供,可以为IP层以上或者以下的协议提供安全保护。
本文对基于IP的安全机制——IPSec协议进行了研究,IPSec协议是基于加密机术的安全机制。本文首先研究了加密算法,重点研究了高级加密标准(AES)算法及其在IPSEC协议中的应用,并对IP环境下的加密模式做了一定的分析。最后在分析IPSEC协议的安全机理的前提下,提出了一个基于LINUX系统的IPSEC协议实现模型,并分析了主要的算法。
本文做的主要研究工作如下:
(1) 加密技术是实现数据机密性有效甚至是唯一的解决方案,本文首先对加密技术进行了探讨,介绍了相应的加密机制并进行了分析。重点对新型的分组加密算法AES及其在IP安全机制IPSec协议中的应用做了相关的研究工作。
(2) 加密技术的安全性不但和算法有关,而且和密码模式也有关,一种模式在这个环境中是安全的,在另外一个环境可能容易受到攻击。这和环境的特点有关。本文在分析密码模式的概念的基础上,对IP环境下的数据传输的特点及其对加密模式的影响进行了分析,并给出了一些设计规则。
基于P的安全机制研究
自)IPSec协议在网络安全中的应用越来越广泛,本文在分析 IPSec协议实现机制的
基础上,给出了一个基于Lffe’M-一系统的IPSec协议实现模型,并详细阐述了其
实现思想和部分算法。
The increasingly popularization of Internet brings great changes to the manners of people's living and working. As people enjoy the convenience bring by network technology, security issues also come into consideration. Network security also becomes one of the research hotspots in the computer domanial.
People have designed manifold security mechanism according to diverse requirements. For example, socks protocol server, manifold types firewalls. At the same time security mechanisms correlated to application also appeared, i.e. are security e-mail(S/MIME, PGP), kerberos, ssl. These security mechanisms are implemented on the diverse protocol layers and have corresponding characteristics. Commonly speaking, security services on the higher layer protect applications, security services on the lower level layer protect communication medium. But the Internet communication is manifold diverse application combinations communicating on diverse mediums. That is to say, when users security requirement spans protocol layers, how to offer a universal security mechanism on Internet becomes a problem to solve.
The core of the Internet is TCP/IP protocols and is based on unreliable datagram communication. In the layered model of communication protocols, IP layer is the lowest layer of likely realizing end-end security commnucation. The security mechanism based on the IP layer can offer security services to all applications and is the only security mechanism that can offer universal sercurity services. In this paper we research the security mechanism based on the IP layer-IPSec protocol.
IPsec is designed to provide interoperable, high quality, cryptographically-based security for IPv4 and IPv6. The set of security services offered includes access control, connectionless integrity, data origin authentication, protection against replays, confidentiality, and limited traffic flow confidentiality. These services are provided at the IP layer, offering protection for IP and/or upper layer protocols.
In this paper we study the security mechanism based on IP, Because IPSec protocol is a
security mechanism based on cryptograph, we discussed cyptograhical algorithm firstly, then we analyze the cryptographical modes in the enviroment of IP communications. We also research AES algorithm and it's application in IPSec protocol. Finally we bring forward a implement model of IPSec protocol base on the Linux system and analyze the main algorithms. The main reseach works we do as follows:
(1) Cryptograph is the effective and the only technicle to ensure data confidentiality. In this paper we expended the basic concept and class of encrpytion techniques.. Finally we analized the AES algorithm and its application in IPSec protocol.
(2) Because the communication of IP datagram has charaisteristics of itself, we analized the influence that IP datagram communication does on encryption modes,and put forward some design rules.
(3) We analized the implement mechanism of IPSec protocol in the fourth chapter, then we put forward a implement model of IPSec protocol and made a detailed description of implement algorithm.
引文
1、贾广雷,刘培玉,耿长欣。多线程技术及其在串口通信中的应用。计算机科学,2002,29(8):148~149。
1. William Stallings. Cryptography and Network Security Principles and Practice. 1999.
2. Bruce Schneier. Applied Cryptography Second Edition:protocols, algorithms, and sourse code in C. 1996.
3. R. Atkinson. Security Architecture for IP. rfc2401,1998
4.吴文玲,冯登国,卿斯汉。简评美国公布的15个AES候选算法。软件学报,10(3):225~230
5. AES home page:http://www.nist.gov/aes
6. R. Atkinson. IP Authentication Header. rfc2402,1998
7. R. Atkinson. IP Encapsulating Security Payload (ESP). rfc2406,1998
8.周立峰,周昕,金志权。基于IPSec的VPN在 Linux 下的实现。计算机应用研究,5:61~63
9. freeswan home page:http://www.freeswan.org
10. S. Frankel, NIST. The AES Cipher Algorithm and Its Use With Ipsec. 2001
11. netfilter home page:http://www.netfilter.org
12.洪帆,陈卓,王瑞民。IPSec安全机制的体系结构与应用研究。小型微型计算机系统,2002,23(8):946~949。
13. D. Carrel. The Internet Key Exchange (IKE).rfc2409,1998
14.冯登国,吴文玲。分组密码的设计与分析。清华大学出版社。2000,98~99
15.R. Pereira. The ESP CBC-Mode Cipher Algorithms. RFC2451, 1998
16.黄志清。网络安全中的数据加密技术研究。计算机系统应用。2000:50~53
17.甘元驹,施荣华.基于IPSec的虚拟专用网防火墙设计。2000:30~32
1. William Stallings. Cryptography and Network Security Principles and Practice. 1999.
2. Bruce Schneier. Applied Cryptography Second Edition:protocols, algorithms, and sourse code in C. 1996.
3. R. Atkinson. Security Architecture for IP. rfc2401,1998
4.吴文玲,冯登国,卿斯汉。简评美国公布的15个AES候选算法。软件学报,10(3):225~230
5. AES home page:http://www.nist.gov/aes
6. R. Atkinson. IP Authentication Header. rfc2402,1998
7. R. Atkinson. IP Encapsulating Security Payload (ESP). rfc2406,1998
8.周立峰,周昕,金志权。基于IPSec的VPN在 Linux 下的实现。计算机应用研究,5:61~63
9. freeswan home page:http://www.freeswan.org
10. S. Frankel, NIST. The AES Cipher Algorithm and Its Use With Ipsec. 2001
11. netfilter home page:http://www.netfilter.org
12.洪帆,陈卓,王瑞民。IPSec安全机制的体系结构与应用研究。小型微型计算机系统,2002,23(8):946~949。
13. D. Carrel. The Internet Key Exchange (IKE).rfc2409,1998
14.冯登国,吴文玲。分组密码的设计与分析。清华大学出版社。2000,98~99
15.R. Pereira. The ESP CBC-Mode Cipher Algorithms. RFC2451, 1998
16.黄志清。网络安全中的数据加密技术研究。计算机系统应用。2000:50~53
17.甘元驹,施荣华.基于IPSec的虚拟专用网防火墙设计。2000:30~32