本文選題：IPsec + IKE　； 參考：《西安電子科技大學(xué)》2014年碩士論文

【摘要】：隨著網(wǎng)絡(luò)的快速發(fā)展和普及,現(xiàn)如今人們?cè)絹?lái)越重視網(wǎng)絡(luò)安全問(wèn)題。為了更好的解決網(wǎng)絡(luò)安全問(wèn)題,人們提出了各種解決方案來(lái)滿(mǎn)足網(wǎng)絡(luò)安全需求。而IPsec協(xié)議作為一種網(wǎng)絡(luò)安全協(xié)議,能夠保障網(wǎng)絡(luò)數(shù)據(jù)傳輸?shù)陌踩?主動(dòng)保護(hù)網(wǎng)絡(luò)端到端之間的傳輸數(shù)據(jù),防止VPN專(zhuān)用網(wǎng)絡(luò)[1]的各種攻擊(竊聽(tīng)、篡改、重放等攻擊),簡(jiǎn)化了IP上層的安全處理,并且通用性強(qiáng)。本文主要對(duì)IPsec-IKE協(xié)議族進(jìn)行了系統(tǒng)的研究與分析,并介紹了一階段主模式,二階段快速模式的IPsec-IKE的實(shí)現(xiàn)方法,以及IPsec-IKE測(cè)試方案的設(shè)計(jì)。IPsec不是一個(gè)單一的協(xié)議,而是由多個(gè)協(xié)議構(gòu)成,它提供的一套完整且系統(tǒng)的安全體系結(jié)構(gòu),能夠有效地保障數(shù)據(jù)在網(wǎng)絡(luò)上安全傳輸。而參與提供這一體系結(jié)構(gòu)的成員包括AH、ESP和IKE(其中AH和ESP提供安全保護(hù),IKE用于交換密鑰),同時(shí)還包括一系列認(rèn)證加密算法。IPsec為IP層的數(shù)據(jù)報(bào)文提供四種安全服務(wù),包括數(shù)據(jù)加密安全服務(wù)、數(shù)據(jù)完整性校驗(yàn)服務(wù)、數(shù)據(jù)的來(lái)源認(rèn)證以及防止數(shù)據(jù)的重放攻擊服務(wù)。在IPsec使用數(shù)據(jù)保護(hù)協(xié)議(AH或ESP)對(duì)一個(gè)IP數(shù)據(jù)報(bào)文進(jìn)行封裝保護(hù)前,必須先生成IPsec保護(hù)通道,即IPsec SA(IPsec安全關(guān)聯(lián))。IPsec SA的生成方式分為兩種,一種是使用手工配置生成,另一種是使用IKE協(xié)議協(xié)商生成。IKE不僅可以自動(dòng)生成IPsec SA,而且能夠提供更高的安全性,它在協(xié)商過(guò)程中不僅會(huì)對(duì)協(xié)商報(bào)文進(jìn)行加密、完整性驗(yàn)證、身份認(rèn)證和防止拒絕服務(wù)攻擊,更重要的是,它使用的DH算法,使報(bào)文在交互過(guò)程中只交換使用的密鑰材料,而不會(huì)交換密鑰本身,因此即使有人在中間截獲了報(bào)文,也無(wú)法獲取到加密的密鑰,進(jìn)而無(wú)法破解交互的報(bào)文。根據(jù)IKE自動(dòng)方式建立IPsec通道,進(jìn)行數(shù)據(jù)保護(hù)的實(shí)現(xiàn)方法,對(duì)其整個(gè)處理流程進(jìn)行詳細(xì)的分析論述。整個(gè)流程包括兩個(gè)階段,一階段協(xié)商建立IKE SA,該階段主要完成以下工作:對(duì)雙方所使用SA策略的確認(rèn),密鑰信息的交換,以及ID信息和驗(yàn)證信息的交換。一階段的協(xié)商模式有兩種,主模式和野蠻模式。二階段的交換稱(chēng)之為快速模式交換,該交換用來(lái)完成IPsec SA的生成。當(dāng)一階段IKE SA協(xié)商建立后,后續(xù)的交互報(bào)文都要由IKE SA進(jìn)行加密和認(rèn)證。若后續(xù)收到的協(xié)商交互報(bào)文沒(méi)有受到IKE SA的保護(hù),那么這些報(bào)文將被直接丟棄,不予處理。本文介紹的IPsec-IKE實(shí)現(xiàn)方法是針對(duì)一階段使用主模式交換方式,二階段使用快速模式交換方式的,詳細(xì)分析了該實(shí)現(xiàn)方法中通信雙方身份的協(xié)商確認(rèn)過(guò)程,協(xié)商報(bào)文的構(gòu)造方法以及對(duì)協(xié)商報(bào)文的處理過(guò)程,并結(jié)合其功能特性以及支持的測(cè)試組網(wǎng)進(jìn)行了測(cè)試方案的設(shè)計(jì),能夠有效的幫助測(cè)試執(zhí)行人員對(duì)IPsec-IKE有一個(gè)深入的了解。
[Abstract]:With the rapid development and popularization of network, people pay more and more attention to network security nowadays. In order to solve the problem of network security better, people put forward various solutions to meet the needs of network security. As a kind of network security protocol, IPsec protocol can guarantee the security of network data transmission, protect network end-to-end transmission data actively, and prevent all kinds of attacks (eavesdropping, tampering) of VPN private network. Replay and other attacks, simplify the IP upper layer of security processing, and strong versatility. This paper mainly studies and analyzes the IPsec-IKE protocol family, and introduces the IPsec-IKE implementation method of one stage main mode, two stage fast mode, and the design of IPsec-IKE test scheme. IPsec is not a single protocol. It provides a complete and systematic security architecture, which can effectively guarantee the secure transmission of data over the network. The members involved in providing this architecture include AH ESP and Ike (where AH and ESP provide security protection and Ike for key exchange, and a series of authentication encryption algorithms. IPsec provides four kinds of security services for IP layer data packets. Data encryption security services, data integrity verification services, data source authentication and protection against data playback attack services. Before IPsec uses data protection protocol (AH or ESP) to encapsulate an IP data packet, it is necessary to generate a IPsec protection channel, that is, IPsec SA(IPsec security association. IPsec SA can be generated in two ways, one is to use manual configuration to generate it. The other is that using IKE protocol negotiation generation. Ike can not only automatically generate IPsec SAs, but also provide higher security. In the negotiation process, it not only encrypts negotiation packets, integrity authentication, authentication and prevent denial of service attacks, More importantly, the DH algorithm it uses makes the message exchange only the key material used in the process of interaction, not the key itself, so that even if someone intercepts the message in the middle, they cannot obtain the encrypted key. Then the interactive message can not be deciphered. According to the IKE automatic way to establish the IPsec channel, to carry on the data protection realization method, to its entire processing flow carries on the detailed analysis and discussion. The whole process consists of two stages, one stage is to negotiate the establishment of IKE, and the main tasks are as follows: the confirmation of SA strategy used by both parties, the exchange of key information, and the exchange of ID information and verification information. There are two modes of negotiation in one stage, the main model and the barbaric model. Two-stage switching is called fast mode switching, which is used to complete the generation of IPsec SA. After one stage of IKE SA negotiation is established, the subsequent interactive packets must be encrypted and authenticated by IKE SA. If the subsequent negotiation interaction messages are not protected by IKE SA, these packets will be discarded directly and not processed. The IPsec-IKE implementation method introduced in this paper is aimed at the main mode switching mode in one stage and the fast mode exchange mode in the second stage. The negotiation and confirmation process of the identity of the communication parties in this implementation method is analyzed in detail. The construction method of negotiation packets and the process of processing negotiation packets, and the design of test scheme combined with its functional characteristics and supported test networking, can effectively help test executors to have a deep understanding of IPsec-IKE.
【學(xué)位授予單位】：西安電子科技大學(xué)
【學(xué)位級(jí)別】：碩士
【學(xué)位授予年份】：2014
【分類(lèi)號(hào)】：TP393.08

【共引文獻(xiàn)】

相關(guān)期刊論文 前10條

1 孫龍;;一款即時(shí)通信軟件的設(shè)計(jì)與實(shí)現(xiàn)[J];電腦編程技巧與維護(hù);2011年08期

2 宋文啟;黃東;;基于CDlinux和PXE技術(shù)的網(wǎng)絡(luò)克隆研究[J];電腦知識(shí)與技術(shù);2006年36期

3 王彥超;葉琳琳;;VLAN技術(shù)在校園網(wǎng)中的應(yīng)用研究[J];電腦知識(shí)與技術(shù);2010年26期

4 田榮林;;ARP欺騙攻擊原理及防御策略[J];計(jì)算機(jī)安全;2010年12期

5 饒建輝;;ARP欺騙原理與防范[J];大眾科技;2008年10期

6 黃家兵;方衛(wèi)龍;;基于GPRS的短信控制系統(tǒng)軟件設(shè)計(jì)[J];電子技術(shù);2008年05期

7 常丹華;賀樹(shù)猛;;基于DSP的嵌入式視頻監(jiān)測(cè)系統(tǒng)的設(shè)計(jì)與實(shí)現(xiàn)[J];電子技術(shù);2009年03期

8 馬睿;;基于Qt的TCP網(wǎng)絡(luò)編程研究與應(yīng)用[J];福建電腦;2010年11期

9 吳亦鋒;劉彪;許巧玲;;大型公共建筑能耗監(jiān)控系統(tǒng)研究[J];福州大學(xué)學(xué)報(bào)(自然科學(xué)版);2011年01期

10 周偉才;譚衛(wèi)成;;高壓架空輸電線路視頻在線監(jiān)測(cè)系統(tǒng)研究[J];廣東電力;2011年07期

相關(guān)博士學(xué)位論文 前1條

1 董永吉;面向資源優(yōu)化的分層式高速報(bào)文解析技術(shù)研究[D];解放軍信息工程大學(xué);2013年

相關(guān)碩士學(xué)位論文 前10條

1 田戰(zhàn)玲;基于VxWorks的網(wǎng)絡(luò)文件傳輸安全技術(shù)研究[D];哈爾濱工程大學(xué);2010年

2 包琳;大連海洋大學(xué)網(wǎng)絡(luò)型多媒體教室的設(shè)計(jì)及相關(guān)通信協(xié)議的研究[D];大連海事大學(xué);2010年

3 江衛(wèi);基于網(wǎng)絡(luò)的Linux內(nèi)核崩潰轉(zhuǎn)儲(chǔ)機(jī)制[D];華南理工大學(xué);2010年

4 喬麗;TCP/IP協(xié)議棧在嵌入式系統(tǒng)中的定制與實(shí)現(xiàn)[D];昆明理工大學(xué);2009年

5 杜瑞濤;無(wú)縫鋼管在線超聲無(wú)損檢測(cè)系統(tǒng)的研制[D];浙江大學(xué);2011年

6 張敬敬;面向智能電網(wǎng)的PMU測(cè)量數(shù)據(jù)傳輸?shù)难芯縖D];華北電力大學(xué);2011年

7 蔣辰;嵌入式ARM在基于以太網(wǎng)的AUV運(yùn)動(dòng)控制單元中的應(yīng)用研究[D];天津大學(xué);2010年

8 唐亞鵬;基于LabVIEW的網(wǎng)絡(luò)虛擬實(shí)踐教學(xué)平臺(tái)的研究[D];西安科技大學(xué);2011年

9 段文浩;IEEE1451.2智能變送器接口模塊的研究與設(shè)計(jì)[D];燕山大學(xué);2012年

10 沈新;基于DPI和DFI的P2P流量檢測(cè)技術(shù)研究[D];汕頭大學(xué);2011年

，

本文編號(hào)：1953356