Title: IPSEC中IKE协议的安全性分析及其实现 (The Security Analysis and Implementation of Internet Key Exchange Protocol in IPSEC)
Author: 余密林
Advisor: 陈光
Degree: Master's
Major: Signal and Information Processing
Institution: 汕头大学 (Shantou University)
Length: 71 pages
Date: 2005-04-25
Source: http://www.lw23.com/lunwen_300556542/
Keywords: Internet Key Exchange; IP Security; Authentication Header; Encapsulating Security Payload; denial-of-service attack; transform payload attack; reflection attack
Keywords (as listed): IKE; IPSEC; AH; ESP; DOS attack; transform payload attack; reflect attack

Abstract

IPSEC (IP Security) is the IP-layer security standard proposed by the Internet Engineering Task Force (IETF) in 1998 and refined since. It is designed to provide interoperable, high-quality, cryptographically based security for IPv4 and IPv6: at the IP layer it offers access control, connectionless integrity, data origin authentication, protection against replay, confidentiality (encryption) and limited traffic-flow confidentiality. IKE (Internet Key Exchange) is a key component of the IPSEC protocol family: it performs an authenticated key exchange and supplies the keying material on which the IPSEC AH and ESP security services depend, and it is at present the most promising key exchange protocol on the Internet.

This thesis analyses the basic principles and message flow of the IKE exchanges in detail, studies in depth the attacks that IKE faces, namely the denial-of-service attack, the transform payload attack and the reflection attack, and proposes feasible modifications to the protocol and its algorithms to counter them.

On this basis, the implementation of IKE with pre-shared-key authentication on the VxWorks embedded operating system is discussed. A feasible IKE implementation scheme with a new module architecture is put forward, the design approach and functional decomposition of each module are described, and the main data structures and run-time flow are given. Finally, the implementation is deployed on a router and the relevant test data is obtained.
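The abstract names pre-shared-key authentication of IKE and the reflection attack without showing the mechanics. As an added illustration that is not part of the thesis or its VxWorks implementation, the Python below carries out the pre-shared-key authentication step of IKEv1 main mode as RFC 2409 section 5 defines it: SKEYID = prf(pre-shared-key, Ni_b | Nr_b), the derived SKEYID_d, SKEYID_a and SKEYID_e, and the HASH_I / HASH_R values that each side verifies with its own copy of the key. HMAC-SHA1 is assumed as the prf, and every value (the pre-shared key, nonces, cookies, Diffie-Hellman values, SA body and ID payloads) is constructed rather than captured. The responder's check is what fails when the peer's key is wrong, and the swapped argument order in HASH_R versus HASH_I is why an initiator's HASH_I cannot simply be reflected back to it as a valid HASH_R.

```python
"""IKEv1 (RFC 2409) main mode, pre-shared-key authentication: SKEYID
derivation and HASH_I / HASH_R computation and verification.
Added example with constructed values; not code from the thesis."""
import hashlib
import hmac


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1's prf is the HMAC of the negotiated hash; HMAC-SHA1 assumed here."""
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid_psk(psk: bytes, ni_b: bytes, nr_b: bytes) -> bytes:
    """RFC 2409 5.4, pre-shared keys: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)."""
    return prf(psk, ni_b + nr_b)


def derive_skeyid_family(skeyid: bytes, gxy: bytes, cky_i: bytes, cky_r: bytes):
    """SKEYID_d / SKEYID_a / SKEYID_e per RFC 2409; the 0, 1, 2 are single octets."""
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")
    return skeyid_d, skeyid_a, skeyid_e


def hash_i(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idii_b) -> bytes:
    """HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)."""
    return prf(skeyid, gxi + gxr + cky_i + cky_r + sai_b + idii_b)


def hash_r(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idir_b) -> bytes:
    """HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b).
    Note the reversed order relative to HASH_I and the responder's own ID."""
    return prf(skeyid, gxr + gxi + cky_r + cky_i + sai_b + idir_b)


# Constructed stand-ins for one main-mode exchange (not a capture). In a real
# exchange gxi/gxr are the DH public values and gxy the DH shared secret; fixed
# bytes are used so the example runs offline.
EXCHANGE = {
    "ni_b": bytes(range(0x10, 0x20)),
    "nr_b": bytes(range(0x20, 0x30)),
    "gxi": b"\x11" * 32,
    "gxr": b"\x22" * 32,
    "gxy": b"\x33" * 32,
    "cky_i": bytes.fromhex("0a0b0c0d0e0f1011"),
    "cky_r": bytes.fromhex("1a1b1c1d1e1f2021"),
    "sai_b": b"\x00\x00\x00\x01" + b"\x00" * 8,          # body of initiator's SA payload
    # ID payload bodies: type ID_IPV4_ADDR (1), protocol UDP (0x11), port 0, address
    "idii_b": b"\x01\x11\x00\x00" + bytes([10, 0, 0, 1]),
    "idir_b": b"\x01\x11\x00\x00" + bytes([10, 0, 0, 2]),
}
DEMO_PSK = b"constructed-demo-psk"   # constructed; never use a literal PSK in real code


def responder_verifies_initiator(psk_responder: bytes, e: dict, received_hash_i: bytes) -> bool:
    """Responder recomputes HASH_I from its own PSK copy and compares in constant time."""
    skeyid = skeyid_psk(psk_responder, e["ni_b"], e["nr_b"])
    expected = hash_i(skeyid, e["gxi"], e["gxr"], e["cky_i"], e["cky_r"], e["sai_b"], e["idii_b"])
    return hmac.compare_digest(expected, received_hash_i)


def run_demo(psk_initiator: bytes = DEMO_PSK, psk_responder: bytes = DEMO_PSK):
    """Initiator builds HASH_I; responder checks it. Returns (verified, SKEYID_e)."""
    e = EXCHANGE
    skeyid_i = skeyid_psk(psk_initiator, e["ni_b"], e["nr_b"])
    sent_hash_i = hash_i(skeyid_i, e["gxi"], e["gxr"], e["cky_i"], e["cky_r"], e["sai_b"], e["idii_b"])
    ok = responder_verifies_initiator(psk_responder, e, sent_hash_i)
    _, _, skeyid_e = derive_skeyid_family(skeyid_i, e["gxy"], e["cky_i"], e["cky_r"])
    return ok, skeyid_e


def hash_pair(psk: bytes = DEMO_PSK):
    """HASH_I and HASH_R for the same exchange; they differ by construction."""
    e = EXCHANGE
    skeyid = skeyid_psk(psk, e["ni_b"], e["nr_b"])
    hi = hash_i(skeyid, e["gxi"], e["gxr"], e["cky_i"], e["cky_r"], e["sai_b"], e["idii_b"])
    hr = hash_r(skeyid, e["gxi"], e["gxr"], e["cky_i"], e["cky_r"], e["sai_b"], e["idir_b"])
    return hi, hr


if __name__ == "__main__":
    ok, skeyid_e = run_demo()
    print("responder accepted initiator:", ok, "SKEYID_e:", skeyid_e.hex())
    print("wrong PSK accepted:", run_demo(psk_responder=b"wrong")[0])
```

Because SKEYID is keyed only by the pre-shared key and the two nonces, the responder must hold the initiator's key before it can check HASH_I, which is why PSK mode in main mode ties the key to the peer's IP address rather than to the ID payload sent later.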