Application of IPSec Based on the AES-CCM Mode and a Study of Its Performance

Abstract
With the development of computer networks, security problems in networks are becoming increasingly serious. Compared with other security mechanisms, the main advantage of a network-layer security mechanism is its transparency: it provides security services without requiring any change to the application layer. For protecting IP datagrams, IPSec is currently the mainstream network-layer security mechanism. It provides the IP layer and the protocols above it with data confidentiality, integrity, data-origin authentication, resistance to traffic analysis, and anti-replay protection.

This thesis first introduces the architecture and implementation mechanisms of IPSec and the present state and progress of research on it, and analyzes its applications in detail. In a concrete IPSec deployment, the choice of encryption algorithm directly affects the security of the system. Traditional algorithms such as DES offer insufficient security strength, chiefly because their key length is too short and they cannot withstand differential and linear cryptanalysis, which leaves a considerable security risk. Second, a performance comparison between AES and DES shows that the security advantages of AES are very clear: it rests on a sound mathematical foundation, has no obvious weakness or security flaw, and its encryption and decryption are similar but not symmetric, which gives it higher security; the multiple choices of block and key length also reflect the algorithm's flexibility. Finally, the thesis describes the concrete implementation in IPSec of the newest AES mode of operation, CCM, and evaluates its performance in terms of both security and efficiency. The conclusion is that AES-CCM strikes a good balance between security and efficiency and has good application prospects.

CCM is a new mode of operation that provides encryption and authentication services at the same time, which is precisely its advantage over other modes of operation for use in IPSec. In a concrete IPSec application, security and efficiency decide whether the project succeeds or fails. The counter method used by AES-CCM is simple to apply and has low system overhead, so it can improve the efficiency of the encrypting side. AES itself was designed with differential and linear cryptanalysis in mind; its greatest strength is that the probability of the best differential characteristic and the bound on the bias of the best linear approximation can be stated, so it resists both differential and linear cryptanalysis, and the security of AES is therefore adequately assured at present. Since security depends on the encryption algorithm rather than on the mode of operation, and the mode of operation does not impair the algorithm's security, the security of AES-CCM is assured as well. AES-CCM will therefore be widely used in IPSec-based applications. However, when AES is used, the encryption algorithm must be coordinated with the definitions of the IPSec protocol and the actual application conditions, and this thesis also explores that question.

Of course, IPSec also has some shortcomings in practice. It may affect other protocols: because packets are encrypted, traditional link-layer compression no longer has any effect. Moreover, because IPSec is an end-to-end protocol, using it in a multicast environment requires certain techniques, and some problems, mainly multicast source authentication and key management, cannot yet be solved satisfactorily. These are practical problems worth further research in the security field.
With the development of computer networks, security problems in networks have become increasingly serious. Compared with other security mechanisms, the major advantage of a network-layer security mechanism is transparency: it offers security services without requiring any change to the application layer. For protecting IP datagrams, IPSec is at present the mainstream network-layer security mechanism. It offers data confidentiality, integrity, data-origin authentication, anti-replay protection and other security services to the network layer and the protocols above it.

Firstly, this paper introduces the architecture and implementation of IPSec and analyzes its applications, and surveys the present state of research and progress on it. In applications based on IPSec, the choice of encryption algorithm directly affects system security. The security strength of traditional encryption algorithms is insufficient: their key length is too short to resist differential and linear cryptanalysis, which leaves a considerable security risk. Secondly, this paper analyzes AES and its performance in contrast with DES, and finds that the advantage of AES is very obvious. Finally, this paper also elaborates the CCM mode of AES in IPSec and evaluates its performance from the standpoints of security and efficiency. The conclusion is that AES-CCM mode achieves a good balance between security and efficiency and has good application prospects.

CCM mode is a mode that offers encryption and authentication services simultaneously; this is its advantage over other modes of operation for use in IPSec. In concrete IPSec applications, security and efficiency are the key to a project's success or failure. The counter method used by AES-CCM mode is simple to apply and has little system overhead, so it can raise the efficiency of encryption. The AES algorithm was designed with differential and linear cryptanalysis in mind, so the security of AES is sufficiently guaranteed at the current stage. Because security relies on the encryption algorithm and not on its mode of operation, and the mode of operation does not harm the security of the algorithm, the security of AES-CCM mode is also guaranteed. AES-CCM mode in IPSec will therefore see extensive application. However, the AES algorithm must be coordinated with the actual application conditions and the definition of IPSec; this paper also discusses that problem.

Certainly, in actual application IPSec can also bring some adverse effects. For example, it can influence other protocols: because the data is encrypted, traditional data-link-layer compression will no longer have any effect. In addition, because IPSec is an end-to-end protocol, using IPSec in a multicast environment needs some skill, and there are also problems that cannot at present be solved properly, mainly multicast source verification and key management. These problems are worthy of research and solution in the security field.
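Both abstracts describe CCM as a mode that supplies encryption and authentication in one pass by pairing a counter-mode keystream with a CBC-MAC. The following is an added example, not code from the thesis or from any IPSec implementation: the CCM composition written over Go's standard-library AES, following the block formatting of the Whiting/Housley/Ferguson CCM specification (RFC 3610), with the length-field width fixed at L = 4 as the ESP profile later standardized in RFC 4309 does, so that the nonce is 11 bytes and the tag is 8, 12 or 16 bytes. The type and function names (`CCM`, `NewCCM`, `Seal`, `Open`, `authTag`, `ctr`) are my own, and any key, nonce, AAD or payload used with it is a constructed sample value.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/subtle"
	"encoding/binary"
	"errors"
)

// CCM with the ESP profile's length field L = 4: the nonce is 15-L = 11 bytes
// and the tag length M is 8, 12 or 16 (any even value in 4..16 is valid CCM).
type CCM struct {
	block cipher.Block
	M     int
}

// NewCCM wraps an AES key; the tag length is validated because it is encoded
// into the B0 flags byte and an odd value would silently corrupt that encoding.
func NewCCM(key []byte, tagLen int) (*CCM, error) {
	b, err := aes.NewCipher(key)
	if err != nil || tagLen < 4 || tagLen > 16 || tagLen%2 != 0 {
		return nil, errors.New("ccm: bad key size or tag length (must be even, 4..16)")
	}
	return &CCM{block: b, M: tagLen}, nil
}

// authTag is the authentication half: CBC-MAC over B0 (flags || nonce || l(m)),
// the length-prefixed AAD and the message, each zero-padded to 16 bytes; the
// truncated MAC T is then masked with S_0 = E(K, A_0) to give the tag U.
func (c *CCM) authTag(nonce, aad, msg []byte) ([]byte, error) {
	if len(nonce) != 11 || len(aad) >= 0xFF00 {
		return nil, errors.New("ccm: nonce must be 11 bytes; AAD >= 65280 bytes is not encoded here")
	}
	x := make([]byte, 16) // holds B0 first, then the running CBC-MAC state
	x[0] = byte((c.M-2)/2<<3 | 3) // M' = (M-2)/2 in bits 5..3, L' = L-1 = 3 in bits 2..0
	if len(aad) > 0 {
		x[0] |= 1 << 6 // Adata flag
	}
	copy(x[1:], nonce)
	binary.BigEndian.PutUint32(x[12:], uint32(len(msg))) // l(m) in the last L = 4 bytes
	c.block.Encrypt(x, x)
	absorb := func(data []byte) {
		for off := 0; off < len(data); off += 16 {
			for i := 0; i < 16 && off+i < len(data); i++ {
				x[i] ^= data[off+i] // bytes not XORed act as the zero padding
			}
			c.block.Encrypt(x, x)
		}
	}
	if len(aad) > 0 { // short-AAD encoding: 2-byte big-endian length || AAD
		absorb(append([]byte{byte(len(aad) >> 8), byte(len(aad))}, aad...))
	}
	absorb(msg)
	a0 := make([]byte, 16) // A_0 = L' || nonce || counter value 0
	a0[0] = 3
	copy(a0[1:], nonce)
	c.block.Encrypt(a0, a0)
	for i := 0; i < c.M; i++ {
		x[i] ^= a0[i] // U = T xor first M bytes of S_0
	}
	return x[:c.M], nil
}

// ctr is the confidentiality half: S_1, S_2, ... are XORed onto data (S_0 is
// reserved for the tag, so the counter starts at 1).
func (c *CCM) ctr(nonce, data []byte) []byte {
	a, s, out := make([]byte, 16), make([]byte, 16), make([]byte, len(data))
	a[0] = 3 // counter-block flags carry only L'
	copy(a[1:], nonce)
	for off, n := 0, uint32(1); off < len(data); off, n = off+16, n+1 {
		binary.BigEndian.PutUint32(a[12:], n)
		c.block.Encrypt(s, a)
		for i := 0; i < 16 && off+i < len(data); i++ {
			out[off+i] = data[off+i] ^ s[i]
		}
	}
	return out
}

// Seal returns ciphertext || tag. A nonce must never repeat under one key:
// counter-mode reuse leaks the XOR of two plaintexts and the tag mask S_0.
func (c *CCM) Seal(nonce, aad, plaintext []byte) ([]byte, error) {
	u, err := c.authTag(nonce, aad, plaintext)
	if err != nil {
		return nil, err
	}
	return append(c.ctr(nonce, plaintext), u...), nil
}

// Open decrypts, recomputes the tag over the recovered plaintext, compares in
// constant time, and releases the plaintext only if the tag matches.
func (c *CCM) Open(nonce, aad, sealed []byte) ([]byte, error) {
	if len(sealed) < c.M {
		return nil, errors.New("ccm: input shorter than the tag")
	}
	ct, u := sealed[:len(sealed)-c.M], sealed[len(sealed)-c.M:]
	pt := c.ctr(nonce, ct)
	expect, err := c.authTag(nonce, aad, pt) // err only for a bad nonce/AAD length
	if err != nil || subtle.ConstantTimeCompare(expect, u) != 1 {
		return nil, errors.New("ccm: authentication failed")
	}
	return pt, nil
}
```

In an ESP packet the AAD would be the SPI and sequence number, which travel in the clear but must be bound to the payload; passing a different AAD to `Open` is rejected exactly like a flipped ciphertext bit, which is the property the abstracts are pointing at when they say CCM authenticates as well as encrypts. The two requirements the code makes explicit are the ones that belong to the mode rather than to AES: the nonce must be unique per key, and plaintext must not be used before the tag check succeeds.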