IKEv2协议对DoS攻击的防范

对IKEv2协议的交换过程和主要工作原理进行分析,得出其存在着内存耗尽型和基于分片的DoS攻击的安全缺陷,针对内存耗尽型DoS攻击通过改进初始交换过程,增加Cookie信息来认证发起方杜绝IP欺骗引起的耗尽型DoS攻击,针对基于分片的DoS攻击采用增加IP地址分片重组列表的方案来进行抵御,这些针对DoS攻击的防范进一步增强了IKEv2的安全性。     

Deploying Internet Protocol Security in satellite networks using Transmission Control Protocol Performance Enhancing Proxies

Applications that use the reliable Transmission Control Protocol (TCP) have a significant degradation over satellite links. This degradation is mainly a consequence of the congestion control algorithm used by standard TCP, which is not suitable for overcoming the impairments of satellite networks. To alleviate this problem, two TCP Performance Enhancing Proxies (PEPs) can be deployed at the edges of the satellite segment. Then these PEPs can use different mechanisms such as snooping, spoofing and splitting to achieve a better TCP performance. In general, these mechanisms require the manipulation of the Internet Protocol (IP) and TCP headers that generates a problem when deploying the standard IP security (IPsec) protocol. The security services that IPsec offers (encryption and/or authentication) are based on the cryptographic protection of IP datagrams, including the corresponding IP and TCP headers. As a consequence, these cryptographic protections of IPsec conflict with the mechanisms that PEPs use to enhance the TCP performance in the satellite link. In this article, we detail the reasons that cause this conflict, and we propose three different approaches to deploy IPsec in a scenario with TCP PEPs. Our proposals provide different trade‐offs between security and TCP performance in some typical scenarios that use satellite networks. Copyright © 2012 John Wiley & Sons, Ltd.     

Improved IPSec tunnel establishment for 3GPP–WLAN interworking

Interworking between wireless local area network (WLAN) and the 3rd Generation Partnership Project (3GPP) such as Long Term Evolution (LTE) is facing more and more problems linked to security threats. Securing this interworking is a major challenge because of the vastly different architectures used within each network. Therefore, security is one of the major technical concerns in wireless networks that include measures such as authentication and encryption. Among the major challenges in the interworking security is the securing of the network layer. The goal of this article is twofold. First, we propose a new scheme to secure 3GPP LTE–WLAN interworking by the establishment of an improved IP Security tunnel between them. The proposed solution combines the Internet Key Exchange (IKEv2) with the Host Identity Protocol (HIP) to set up a security association based on two parameters, which are location and identity. Our novel scheme, which is called HIP_IKEv2, guarantees better security properties than each protocol used alone. Second, we benefit from Mobile Internet Key Exchange protocol (MOBIKE) in case of mobility events (handover). And we extend HIP_IKEv2 to HIP_MOBIKEv2 protocol in order to reduce the authentication signaling traffic. The proposed solution reinforces authentication, eliminates man‐in‐the‐middle attack, reduces denial‐of‐service attack, assures the integrity of messages, and secures against reply attack. Finally, our proposed solution has been modeled and verified using the Automated Validation of Internet Security Protocols and Applications and the Security Protocol Animator, which has proved its security when an intruder is present. Copyright © 2014 John Wiley & Sons, Ltd.     

Efficient authenticated key agreement protocols resistant to a denial‐of‐service attack

Malicious intruders may launch as many invalid requests as possible without establishing a server connection to bring server service to a standstill. This is called a denial‐of‐service (DoS) or distributed DoS (DDoS) attack. Until now, there has been no complete solution to resisting a DoS/DDoS attack. Therefore, it is an important network security issue to reduce the impact of a DoS/DDoS attack. A resource‐exhaustion attack on a server is one kind of denial‐of‐service attack. In this article we address the resource‐exhaustion problem in authentication and key agreement protocols. The resource‐exhaustion attack consists of both the CPU‐exhaustion attack and the storage‐exhaustion attack. In 2001, Hirose and Matsuura proposed an authenticated key agreement protocol (AKAP) that was the first protocol simultaneously resistant to both the CPU‐exhaustion attack and the storage‐exhaustion attack. However, their protocol is time‐consuming for legal users in order to withstand the DoS attack. Therefore, in this paper, we propose a slight modification to the Hirose–Matsuura protocol to reduce the computation cost. Both the Hirose–Matsuura and the modified protocols provide implicit key confirmation. Also, we propose another authenticated key agreement protocol with explicit key confirmation. The new protocol requires less computation cost. Because DoS/DDoS attacks come in a variety of forms, the proposed protocols cannot fully disallow a DoS/DDoS attack. However, they reduce the effect of such an attack and thus make it more difficult for the attack to succeed. Copyright © 2005 John Wiley & Sons, Ltd.     

A multilayer IP security protocol for TCP performance enhancement in wireless networks

Transmission control protocol (TCP) performance enhancement proxy (PEP) mechanisms have been proposed, and in some cases widely deployed, to improve TCP performance in all-Internet protocol (IP) wireless networks. However, this technique is conflicted with IP-security (IPsec)-a standard IP security protocol that will make inroad into wireless networks. This paper analyzes the fundamental problem behind this conflict and develops a solution called multilayer IP-security (ML-IPsec). The basic principle is to use a multilayer protection model and a fine grain access control to make IP security protocols compatible with TCP PEP. It allows wireless network operators or service providers to grant base stations or wireless routers limited and controllable access to the TCP headers for performance enhancement purposes. Through careful design, implementation, and evaluation, we show that we can easily add ML-IPsec to existing IPsec software and the overhead is low. We conclude that ML-IPsec can help wireless networks provide both security and performance.     

IKEv2在基于IP的无线自组网中的应用研究

无线自组网络没有专门的密钥管理协议,其安全性一直备受关注.IKEv2是目前IP网络中使用最广泛的密钥管理协议,但它不是专门为无线网络环境设计的.文章根据IKEv2使用的认证方法的不同提出了两个改进协议.这两个协议都使用无线自组网络认证方法-MANA证书来认证响应者,从而减少密码算法计算量,让IKEv2为无线自组网提供密钥管理服务.     

基于FPGA的万兆网的IPsec ESP协议设计与实现

“Internet协议安全性(IPsec)”为IP层及其上层协议提供加解密和认证等安全服务。但对IPsec协议的处理已经成为高速网络实现的瓶颈。随着FPGA向着更大容量和更高速度方向发展,基于FPGA硬件实现的IPsec协议栈可以提供更高的网络性能。文中介绍了一种基于FPGA的万兆以太网IPsec ESP协议栈的设计,支持隧道模式和传输模式,具有抗重放能力。通过采用多级流水操作、多缓存乒乓操作、多进程并行处理等技术实现了万兆线速。     

AAA architecture for mobile IPv6 based on WLAN

Mobility support for Internet devices is quite important for consumer electronics. The number of the hand‐held devices is growing quickly. However, there are not enough IP addresses for the number of the rapidly growing devices in the All‐IP generation. Internet Protocol version 6 (IPv6) was therefore adopted to solve these problems. Our purposed structure is based on IEEE 802.11. However, IEEE 802.11 has a serious security drawback. Further, from the Internet Service Providers' point of view, accounting is a potential problem. A mechanism combining Mobile IPv6 and AAA based on IEEE 802.11 to overcome these problems is essential. Both Internet Protocol version 4 (IPv4) and IPv6 support IP security (IPsec) when data packets are exchanged across the IP network. IPsec operates at the IP layer. It can support system authentication and authorization, However, it lacks a system accounting function. Therefore ISPs cannot establish correct billing for their services. This is the reason why we chose to combine the wireless network and AAA functions. In this paper, the AAA mechanism is used to protect security, with the architecture having authentication, authorization, and accounting functions. We will discuss the benefits of AAA and state the reason why we choose to combine AAA with the mobility architecture. Copyright © 2004 John Wiley & Sons, Ltd.     

对Telex互联网反监管系统的攻击

Telex作为典型的路由器重定向型反监管系统给互联网监管者带来了新的挑战.为帮助用户逃避监管,Telex利用路由器而非终端主机将用户的网络通信重定向到被屏蔽的目标站点.从审查者角度分析了Telex系统的安全性,提出了2类利用主动攻击破坏用户隐私的新方法.第一类为DoS攻击,利用了Telex握手协议的安全漏洞,在破坏系统可用性的同时还可能检出用户是否在使用Telex代理.同时给出了弥补该漏洞的改进协议.第二类称为TCP分组旁路攻击,利用非对称路由或IP隧道技术令客户端的部分TCP分组绕过路由器直达掩护站点,然后通过观察上行数据流的重传反应判断用户是否在使用Telex代理.通过一系列原型系统实验验证了旁路攻击的可行性.TCP分组旁路攻击也适用于其他路由器重定向型反监管系统.     

基于扩展串空间模型的新型安全协议拒绝服务分析形式化理论

Denial of Service (DoS) attack, especially Distributed Denial of Service (DDoS) attack, is one of the greatest threats to Internet. Much research has been done for it by now, however, it is always concentrated in the behaviors of the network and can not deal with the problem exactly. In this paper, we start from the security of the protocol, then we propose a novel theory for security protocol analysis of Denial of Service in order to deal with the DoS attack. We first introduce the conception of weighted graph to extend the strand space model, then we extend the penetrator model and define the goal of anti-DoS attack through the conception of the DoS-stop protocol, finally we propose two kinds of DoS test model and erect the novel formal theory for security protocol analysis of Denial of Service. Our new formal theory is applied in two example protocols. It is proved that the Internet key exchange (IKE) easily suffers from the DoS attacks, and the efficient DoSresistant secure key exchange protocol (JFK) is resistant against DoS attack for the server, respectively.     

Building an Application-Aware IPsec Policy System

As a security mechanism at the network-layer, the IP security protocol (IPsec) has been available for years, but its usage is limited to virtual private networks (VPNs). The end-to-end security services provided by IPsec have not been widely used. To bring the IPsec services into wide usage, a standard IPsec API is a potential solution. However, the realization of a user-friendly IPsec API involves many modifications on the current IPsec and Internet key exchange (IKE) implementations. An alternative approach is to configure application-specific IPsec policies, but the current IPsec policy system lacks the knowledge of the context of applications running at upper layers, making it infeasible to configure application-specific policies in practice. In this paper, we propose an application-aware IPsec policy system on the existing IPsec/IKE infrastructure, in which a socket monitor running in the application context reports the socket activities to the application policy engine. In turn, the engine translates the application policies into the underlying security policies, and then writes them into the IPsec security policy database (SPD) via the existing IPsec policy management interface. We implement a prototype in Linux (Kernel 2.6) and evaluate it in our testbed. The experimental results show that the overhead of policy translation is insignificant, and the overall system performance of the enhanced IPsec is comparable to those of security mechanisms at upper layers. Configured with the application-aware IPsec policies, both secured applications at upper layers and legacy applications can transparently obtain IP security enhancements.     

基于移动IP认证缺陷的DoS攻击及其防范

移动IP在全球范围内的应用引入了许多安全问题,其中以认证问题最为关键,特别是当移动节点在外地链路上漫游时这种问题尤为明显。论文介绍了移动IP的认证机制以及针对其缺陷进行的DoS攻击,提出了一系列防范措施。理论分析表明,这些防范措施可以在一定程度上对DoS攻击进行防范,并维护移动IP网络的系统安全。     

A lightweight anonymous two‐factor authentication protocol for wireless sensor networks in Internet of Vehicles

Internet of Vehicles (IoV), as the next generation of transportation systems, tries to make highway and public transportation more secure than used to be. In this system, users use public channels for their communication so they can be the victims of passive or active attacks. Therefore, a secure authentication protocol is essential for IoV; consequently, many protocols are presented to provide secure authentication for IoV. In 2018, Yu et al proposed a secure authentication protocol for WSNs in vehicular communications and claimed that their protocol could satisfy all crucial security features of a secure authentication protocol. Unfortunately, we found that their protocol is susceptible to sensor capture attack, user traceability attack, user impersonation attack, and offline sink node's secret key guessing attack. In this paper, we propose a new authentication protocol for IoV which can solve the weaknesses of Yu et al's protocol. Our protocol not only provides anonymous user registration phase and revocation smart card phase but also uses the biometric template in place of the password. We use both Burrow‐Abadi‐Needham (BAN) logic and real‐or‐random (ROR) model to present the formal analysis of our protocol. Finally, we compare our protocol with other existing related protocols in terms of security features and computation overhead. The results prove that our protocol can provide more security features and it is usable for IoV system.     

DICOM image secure communications with Internet protocols IPv6 and IPv4.

Image-data transmission from one site to another through public network is usually characterized in term of privacy, authenticity, and integrity. In this paper, we first describe a general scenario about how image is delivered from one site to another through a wide-area network (WAN) with security features of data privacy, integrity, and authenticity. Second, we give the common implementation method of the digital imaging and communication in medicine (DICOM) image communication software library with IPv6/IPv4 for high-speed broadband Internet by using open-source software. Third, we discuss two major security-transmission methods, the IP security (IPSec) and the secure-socket layer (SSL) or transport-layer security (TLS), being used currently in medical-image-data communication with privacy support. Fourth, we describe a test schema of multiple-modality DICOM-image communications through TCP/IPv4 and TCP/IPv6 with different security methods, different security algorithms, and operating systems, and evaluate the test results. We found that there are tradeoff factors between choosing the IPsec and the SSL/TLS-based security implementation of IPv6/IPv4 protocols. If the WAN networks only use IPv6 such as in high-speed broadband Internet, the choice is IPsec-based security. If the networks are IPv4 or the combination of IPv6 and IPv4, it is better to use SSL/TLS security. The Linux platform has more security algorithms implemented than the Windows (XP) platform, and can achieve better performance in most experiments of IPv6 and IPv4-based DICOM-image communications. In teleradiology or enterprise-PACS applications, the Linux operating system may be the better choice as peer security gateways for both the IPsec and the SSL/TLS-based secure DICOM communications cross public networks.     

An authenticated re‐encryption scheme for secure file transfer in named data networks

With the fast progress of the Internet and communication technologies, the digital communication is increasingly based on the architecture of TCP/IP. Nevertheless, in TCP/IP's architecture, there are limitations such as data uncertainty and flow overloading. In response to this, a novel architecture has been proposed, which is known as the named data network (NDN). Named data network is an alternative network architecture based on the data each user accesses. Users gain accesses to the data by using an adjacent router (node) that verifies the correctness of the data. In NDN, the router has the capability to store and search for the data. Hence, this architecture largely improves the disadvantages in TCP/IP's architecture. Named data network is a new proposal and relatively under‐researched now. Thus far, an adequate secure file transfer protocol is still unavailable for NDN. In some cases, files are broken or the source fails to authenticate, which results in the need to discover the owner of the file. Furthermore, we believe that NDN should involve an authentication mechanism in the secure file transfer protocol. In view of the above, this paper presents an authenticated re‐encryption scheme for NDN, which offers sender authentication, data confidentiality, and support for potential receivers. Finally, we also propose a security model for sender authentication and prove that the proposed scheme is secure.     

一种改进的基于PKI/ECC的IKE协议设计

IKE协议是IPsec协议簇的重要组成部分,用来动态地建立和维护安全关联SA,是IPsec VPN安全传输的先决条件和保证.文章在研究现有IKE协议的基础上,将公钥基础设施PKI体系引入其中,提出将ECC技术、X 509数字证书、访问控制技术同IKE协议相结合,设计了一个基于PKI身份认证和访问控制的增强型IKE协议,从而提高了IPsec VPN网关的安全性和可扩展性,有效保护了VPN网络资源的安全.最后给出了基于最新Linux2.6内核的实现方案,并对由此构建的IPsec VPN安全网关原型系统的工作过程作了说明.     

一种存在于IKE协议中的DoS攻击安全漏洞

文章分析了IETF的因特网密钥交换(IKE)标准,指出对于IKE阶段1的野蛮模式存在一个容易导致拒绝服务(DoS)攻击的安全漏洞.文章认为这是由于响应方的安全联盟载荷没有加入到认证数据的计算中,使安全联盟载荷容易被篡改,从而导致双方可能协商出一个参数不相同的阶段1安全联盟载荷.     

TCP/IP协议的网络安全

论文介绍了TCP/IP协议的总体概况、结构功能;TCP/IP协议的安全隐患;然后从SYN的攻击代码来分析TCP/IP协议,并且实现了防御SYN的方法.     

非接入层拒绝服务攻击分析与设计

随着移动通信网络的迅猛发展,其安全漏洞产生的影响更为广泛,使得安全性研究尤为重要.根据长期演进(Long Term Evolution,LTE)非接入层协议的漏洞,构建了针对网络端和终端的两种拒绝服务攻击模型,通过获取不同终端的国际移动用户标识并分别伪造鉴权拒绝消息和附着请求消息对目标发起不同危害程度的拒绝服务攻击.实...     

基于ARP检测IP与MAC地址克隆的技术

同时克隆合法用户IP与MAC地址的行为已严重威胁部分校园网的认证、计费与安全，因此能够快速地检测出这种非法行为十分的必要。从TCP／IP协议分析IP和MAC地址克隆的工作原理及其存在的可行性，提出一种利用无为ARP工作原理来检测IP和MAC地址克隆的方法，并给出基于VC＋＋6．0和WinPcap实现该检测功能模块的一些关键性代码，最后给出如何禁止克隆用户访问互联网的思路。