| 密钥交换协议IKEv2的分析与改进 |
| |
| 引用本文: | 张朝东,徐明伟.密钥交换协议IKEv2的分析与改进[J].清华大学学报(自然科学版),2006,46(7):1274-1277. |
| |
| 作者姓名: | 张朝东 徐明伟 |
| |
| 作者单位: | 清华大学,计算机科学与技术系,北京,100084 |
| |
| 摘 要: | In ternet密钥交换协议第二版本(IKEv2)即将成为标准,分析该协议有助于更好地理解和实现该协议,针对协议存在的安全隐患提出改进措施。通过对协议的安全性分析,发现协议面临基于分片的拒绝服务攻击和退化消息类型的中间人攻击。针对前一种攻击提出了一种基于地址偏好列表的防御措施。针对后一种攻击提出了一种基于共享密钥的密钥生成方案。分析表明,使用这两种改进措施可以有效地提高协议抵抗拒绝服务攻击和退化消息攻击的能力。基于地址偏好列表的防御措施可以直接用于协议实现,改进的密钥生成方案可以为协议的下一个版本提供借鉴。
|
| 关 键 词: | 密钥交换 安全隐患 拒绝服务攻击 退化消息攻击 |
| 文章编号: | 1000-0054(2006)07-1274-04 |
| 修稿时间: | 2005年4月5日 |
Analysis and improvements of the IKEv2 protocol |
| |
| ZHANG Chaodong,XU Mingwei.Analysis and improvements of the IKEv2 protocol[J].Journal of Tsinghua University(Science and Technology),2006,46(7):1274-1277. |
| |
| Authors: | ZHANG Chaodong XU Mingwei |
| |
| Abstract: | The version 2 of the Internet Key Exchange Protocol(IKEv2) will become a request for comments.Analyses of IKEv2 have shown that IKEv2 is susceptible to denial of service(DoS) attacks based on IP fragment and degenerate message attacks.DoS attacks can be handled by using an IP address preferred list.An improved way to generate keying materials to protect against degenerate message attacks is based on shared secrets.Analysis results indicate that these two measures improve IKEv2's ability to resist DoS attacks and degenerate message attacks.Measures based on the IP address preferred list can be used directly when implementing IKEv2.The improved methods to generate keying material can be used as a reference for the next version of IKEv2. |
| |
| Keywords: | key exchange security fault deny of service attack degenerate message attack |
| 本文献已被 CNKI 万方数据 等数据库收录! |
|
