Research on a Cross-Domain Authentication Model for Active Networks
Abstract
Cross-domain authentication, and in particular authentication across domains of different types, is an important topic in authentication research. Authorized users of an active network have more access capability than those of a traditional network, so their authentication bears directly on the security of the active network; performing authentication across trust domains of different types on an active network is therefore of great significance.
As an important part of an active network security research project, this thesis carries out fairly systematic work around the cross-domain authentication requirements of active networks. First, on the basis of a thorough study of the active network security architecture and its implementation approaches, a simulation prototype of an active network was built under Windows. Then, from the perspective of cross-domain authentication, the implementation principles, cryptographic mechanisms and PKI systems built on certificate-based and identity-based authentication were analysed systematically, and a model for interoperation between these two authentication approaches in active networks was proposed. Furthermore, a prototype of this model was implemented, and its security and stability were analysed and tested.
The main research content and contributions of this thesis are:
1. After a fairly in-depth study of the architecture and implementation approaches of active networks, the ANTS prototype system was analysed carefully, and, targeting the programmability of active networks, its basic functions were simulated under Windows.
2. Certificate-based and identity-based authentication were applied to the active network simulation model, establishing an authentication experiment platform for active networks. In particular, this thesis is the first to apply identity-based authentication to active networks, enriching the body of authentication research on active networks.
3. The interoperation problem between certificate-based and identity-based authentication was explored in depth. The thesis proposes establishing initial trust by issuing cross certificates at the trust-centre level and using a "function compatibility" scheme to achieve mutual authentication between the two approaches, and designs and implements an authentication model for active networks across trust domains of different types. Analysis and testing show that the model has good security and stability, laying a good foundation for subsequent research on interoperation among multiple trust domains in active networks.
Research on authentication for multiple domains, especially domains of different types, is very active nowadays. Since authorized users of active networks have more access capability than those of traditional networks, their authentication has a strong influence on security, and authentication across multi-type domains is of great significance.
As an important part of active network security, this paper makes a systematic study of the requirements for authenticating multi-type domains in active networks. A simulation system under Windows is proposed after a thorough exploration of the active network's security architecture and implementation methods. We then analyze the realization, cryptosystem and PKI system of both certificate-based and ID-based authentication, and present an authentication model that can accomplish authentication between them. Furthermore, we build a simulation system of the model and analyze and test its security and stability.
The main contents and contributions of this dissertation are as follows:
1. The ANTS system is analyzed carefully, with a relatively deep understanding of the active network's architecture and realization. According to the programmability of active networks, a simulation system that accomplishes its basic functions is implemented under Windows.
2. Certificate-based and ID-based authentication are applied to the active network simulation system, establishing an experimental platform for authentication in active networks. What is more, this paper is the first to introduce ID-based authentication to active networks, enriching the research on active network authentication.
3. A method called "function redundancy" is proposed that implements mutual authentication between certificate-based and ID-based authentication by issuing cross certificates at the layer of trusted authorities to build their trust relationships. An authentication model for multi-type domains in active networks is then accomplished, which proves to be secure and stable. It provides a foundation for further studies of mutual authentication among multiple domains in active networks.
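As an added example that is not the thesis's own code, the following Python sketch shows the cross-certificate idea from item 3 of both abstracts: the certificate domain's CA signs a cross certificate over the ID-based domain's public system parameters, so a verifier that trusts only its own CA can validate an identity-based signature from the other domain. It assumes Shamir's RSA-based identity signature scheme for the ID-based side, toy RSA parameters with small constructed primes, and hypothetical names (PKG, CA, cross_domain_verify) that do not come from the thesis.

```python
import hashlib

def rsa_keygen(p, q, e=65537):           # toy RSA pair from two given primes (constructed, insecure sizes)
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), pow(e, -1, phi)

def h(*parts):                           # hash byte strings to an integer
    return int.from_bytes(hashlib.sha256(b"|".join(parts)).digest(), "big")

# --- ID-based domain: PKG as trust centre, Shamir-style RSA identity signatures (assumed scheme) ---
class PKG:
    def __init__(self, p, q):
        self.pub, self.d = rsa_keygen(p, q)         # (n, e) are the public system parameters
    def extract(self, identity):
        n, _ = self.pub
        return pow(h(identity) % n, self.d, n)     # user's private key g = H(ID)^d mod n

def ibs_sign(pkg_pub, g, msg, r):
    n, e = pkg_pub
    t = pow(r, e, n)                                # commitment to the random value r
    s = g * pow(r, h(str(t).encode(), msg), n) % n  # s = g * r^H(t, m) mod n
    return s, t

def ibs_verify(pkg_pub, identity, msg, sig):
    n, e = pkg_pub
    s, t = sig                                      # accept iff s^e == H(ID) * t^H(t, m) mod n
    return pow(s, e, n) == (h(identity) % n) * pow(t, h(str(t).encode(), msg), n) % n

# --- Certificate domain: CA as trust centre; its cross certificate binds the PKG's parameters ---
class CA:
    def __init__(self, p, q):
        self.pub, self.d = rsa_keygen(p, q)
    def issue_cross_cert(self, pkg_pub):
        n_ca, _ = self.pub
        body = f"PKG:{pkg_pub[0]}:{pkg_pub[1]}".encode()
        return {"body": body, "sig": pow(h(body) % n_ca, self.d, n_ca)}

def verify_cert(ca_pub, cert):
    n, e = ca_pub
    return pow(cert["sig"], e, n) == h(cert["body"]) % n

def cross_domain_verify(ca_pub, cross_cert, identity, msg, sig):
    # Verifier in the certificate domain trusts only its CA: check the cross certificate, then the ID signature
    if not verify_cert(ca_pub, cross_cert):
        return False
    _, n, e = cross_cert["body"].decode().split(":")
    return ibs_verify((int(n), int(e)), identity, msg, sig)

CA_DOMAIN, ID_DOMAIN = CA(1000003, 1000033), PKG(104729, 104723)   # constructed toy primes, insecure
CROSS_CERT = CA_DOMAIN.issue_cross_cert(ID_DOMAIN.pub)             # initial trust: CA vouches for the PKG
```

A signature that verifies under the PKG parameters is rejected by a certificate-domain verifier whose CA never issued the cross certificate, which is the point of anchoring trust at the trust-centre layer.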