Research on the Secure Transmission of IP Protocol Datagram Packets
Abstract
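At present, large numbers of network users exchange information over the Internet, sending each other the data they need. As the number of network users grows, incidents in which the data they transmit is stolen on the network are becoming more frequent, and studying how to protect user information in an open network environment is increasingly important.
Most network user terminals use the TCP/IP communication protocols to transmit information. TCP/IP is a layered protocol suite: user data is divided into data segments, and as each segment passes through a protocol layer, that layer's control information is added as a header describing the communication rules of the layer. After encapsulation by every layer, the segment finally becomes a physical data frame that is sent over the physical link onto the communication network. At each routing node the physical data frame is restored to the form of an IP data packet for routing and forwarding; at that point the IP data packet exists in plaintext, and its contents are very easily leaked.
Because the network-layer protocol of the widely used TCP/IP suite (IPv4) lacks security mechanisms, protective measures can be applied to IP datagram packets at the IP layer, for example: no longer transmitting IP datagram packets as meaningful plaintext, but encrypting them and sending them through the communication network as ciphertext; generating a message digest code that is transmitted together with the packet, to prevent the datagram packet from being tampered with in the network; and encrypting the digest code with the communicating user's private key, which ensures that the datagram packet was sent by a reliable communicating user, that is, applying a digital signature to every datagram packet. For a group of remotely distributed users who transmit data over the Internet, this thesis adds the above three functions to the IP protocol in their systems and adds a key information database that stores the public keys the users in the group have published to one another. The thesis also designs a session key exchange algorithm to carry out key exchange between users, providing this group of remotely distributed users with a completely transparent secure communication channel.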
Tens of thousands of network users currently communicate and exchange their data over the Internet. As the number of network users increases very quickly, criminal incidents over the network occur more and more frequently. It is very important to study how to protect the data that network users place on the network.
Many network users use the TCP/IP protocols, which are composed of a series of protocol layers, to carry out their communication tasks. The user's data is divided into a great many data blocks. As the data blocks pass through the protocol layers, control information is added to their headers. This control information expresses the rules of each protocol layer. After the data blocks are encapsulated, they form the physical data frames that are transported over the network. The physical data frames are transformed back into IP packets when they arrive at each router node. The IP data packets are easily stolen because they are in plaintext at every router node.
Based on the principles of the network, this thesis proposes a practical method to improve the security of the TCP/IP protocols. For example, the user's data is encrypted before it is transmitted. The data exists on the network in the form of ciphertext, so it is useless to anyone who steals it. To prevent the data from being modified illegally, a message digest may be added to the data packets. The digital signature helps to recognize the data blocks that are transmitted from reliable communication users. These security methods provide network users with a transparent and secure communication channel.
