Institutional Repository
| Research and Implementation of the Internet Key Exchange Protocol | |
| Alternative title | Research and Implementation of Internet Key Exchange |
| 王斌 | |
| Major | Computer Applications |
| 2000 | |
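| Degree-granting institution | Institute of Software, Chinese Academy of Sciences |
| Degree | Doctorate |
| Place of degree conferral | Institute of Software, Chinese Academy of Sciences |
| Keywords | IPSec protocol; IKE protocol; Security Association (SA) |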
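| Abstract | This thesis begins with an introduction to the IPSec protocol and focuses on the IKE protocol, which solves the key negotiation problem. Drawing on specific research work, it describes how to implement the IKE protocol on the Linux operating system. The thesis has six chapters in total. Chapter 1 introduces the current state of development of the Internet, existing security risks and typical attacks on the Internet, explains the advantages and disadvantages of implementing security mechanisms at each layer of the TCP/IP protocol suite, and introduces the concept of the virtual private network and the two tunneling protocols currently used to implement virtual private networks. Chapter 2 describes the protocols that make up the IPSec protocol suite, the working modes of IPSec, and the methods for establishing security associations. It then focuses on the IKE protocol within the IPSec suite, including IKE's two-phase negotiation, the payload formats defined by IKE, and the exchange modes defined by IKE. Chapter 3, drawing on our research work, explains how to design and implement the IKE protocol in the Linux operating system, including how to create and manage the security association database in the kernel, how to implement the PF_KEY socket interface and PF_KEY messages, and how to design the state machines for IKE main mode and quick mode, among others. Chapter 4 describes the implementation of the secure router, its external interfaces, and the implementation of the hardware encryption device, and tests the secure router. Chapter 5 briefly summarizes the thesis and presents some techniques that can be used to improve the efficiency of virtual private networks. |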
| Alternative abstract | Originally, IP packets defined by IPv4 do not contain any security characteristics. Attackers can easily forge the addresses of IP packets, revise their content, replay them at a later time, and eavesdrop on data during transmission. In order to make up for the innate deficiency of IPv4, the IPSec protocol provides a standard and robust security mechanism, and can be used to provide security protection for IP and higher-layer protocols. But before the IPSec protocol can be used widely, a problem must be resolved. The problem is how to negotiate keys automatically through the Internet, and it is what this paper mainly deals with. First, this paper introduces the concept of the IPSec protocol and discusses in particular the IKE protocol, which resolves the problem of key negotiation. Then, according to our current research work, I describe in detail the procedure for realizing the IKE protocol in Linux. There are five chapters in total in this paper. The first chapter shows the current development status of the Internet, some network security problems and some classic Internet attacks, discusses the advantages and disadvantages of realizing network security on different TCP/IP layers, and gives a brief introduction to the Virtual Private Network and two kinds of VPN tunneling protocols. The second chapter introduces the protocols contained in the IPSec protocol stack, the work modes and the methods for building Security Associations. Then the IKE protocol is described in detail, including the two negotiating phases, the format of all IKE payloads, and the exchange modes defined by IKE. In the third chapter, combined with our current research, I describe how to design and realize IKE in the Linux OS. The realization includes establishing and managing the security association database in the Linux kernel, developing the PF_KEY socket interface and PF_KEY messages, and designing the state machines of IKE main mode and IKE quick mode. In the fourth chapter, I depict the realization of the VPN router, the external interface of the VPN router, and the realization of hardware encryption. In the end, I describe the testing of the VPN router. Chapter 5 draws the conclusion and indicates the future direction of the system. |
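| Pages | 65 |
| Language | Chinese |
| Content type | Dissertation |
| URI | http://ir.iscas.ac.cn/handle/311060/6554 |
| Collection | Institute of Software, CAS_Institute of Software, CAS |
| Recommended citation (GB/T 7714) | 王斌. Research and Implementation of the Internet Key Exchange Protocol [D]. Institute of Software, Chinese Academy of Sciences. Institute of Software, Chinese Academy of Sciences, 2000. |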
| Files in this item | ||||||
| File name/size | Document type | Version type | Access type | License | ||
| LW008634.pdf(2656KB) | Restricted access | -- | Request full text | |||